Monday, March 26, 2012

E-mail Forms - Attacker's View

E-mail forms on a web page can be really tricky.  Most sites use them as a "Contact Us" page where a user can submit feedback to the company.  In some cases, sites go one step further and allow you to send a message to another person.  An example of this would be a site that lets you send a gift or gift card, where the sender can include a message to the recipient.  If not secured properly, though, these forms can be abused.

Think about the following scenarios:

1) Let's say you aren't encoding the text sent from your "Contact Us" page.  An attacker could put in attack code (such as JavaScript or a hidden iframe), and an unsuspecting employee could view that message and have that code run.  Now you have a compromised user/machine inside your organization, and the attacker can move further into your company.

2) In a form where the user can specify the recipient and message, an attacker could use your form to send their own content.  This attack vector is even better!  They can specify the addressee, the content, and maybe even the "from" address, so the spam goes out through your servers under your name, and you take the fall.

Both of these scenarios can be mitigated by:

  • Educate employees to be suspicious of submitted content and to validate it before viewing or opening it.
  • Encode the text from comment boxes so a mail client doesn't try to interpret it as code.
  • Require visitors to purchase an item before allowing them to send a message to another user as part of a gift purchase.  They may still try to send a malicious message, but you can now track who the user is, including their payment information.
  • If you still want to allow users to send messages from your site, at the very least require some type of valid login.  Don't make it publicly accessible.  People will abuse it!
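The following is an added example (not code from the original post) that puts the mitigations for both scenarios into one small mailer: the body is HTML-encoded so a mail client displays a pasted `<script>` instead of running it, the "from" and "Contact Us" addresses are fixed server-side rather than taken from the form, header values are forced onto a single line, and the gift-message path is only reachable for a logged-in user with a completed order and produces an audit record tying the message to that account. All addresses, the `user_id`/`order_id` fields and the function names are constructed for the example; SMTP delivery is left out so it runs offline.

```python
"""Hardened form mailer for the two scenarios above (added example).

Assumptions (constructed for this example): a fixed "noreply" sender, a fixed
support mailbox for "Contact Us", and a gift-message path that requires a
logged-in user_id plus a completed order_id.  The returned EmailMessage is
what you would hand to smtplib; delivery is omitted so the code runs offline.
"""
import html
import re
from email.message import EmailMessage

FIXED_SENDER = "noreply@example.com"      # visitors never control the From header
CONTACT_MAILBOX = "support@example.com"   # "Contact Us" always lands here

# Conservative address shape.  Used with fullmatch() so a trailing newline or an
# appended header line cannot slip past the check.
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_valid_address(addr: str) -> bool:
    return bool(_ADDR_RE.fullmatch(addr))


def header_safe(value: str, max_len: int = 100) -> str:
    """Collapse a visitor-supplied value to one bounded line.

    Header values must not contain CR/LF; otherwise visitor text could become
    an extra header (a second To:, a Bcc:) when the message is assembled.
    """
    return re.sub(r"[\r\n]+", " ", value).strip()[:max_len]


def body_safe(value: str, max_len: int = 2000) -> str:
    """HTML-encode the visitor's text so a mail client shows it rather than
    interpreting it: '<script>' becomes '&lt;script&gt;'."""
    return html.escape(value[:max_len], quote=True)


def _base_message(to_addr: str, subject: str, message: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = FIXED_SENDER
    msg["To"] = to_addr
    msg["Subject"] = header_safe(subject)
    # text/plain part: clients render this literally, no markup is interpreted.
    msg.set_content(message[:2000])
    # text/html alternative carries the encoded body for HTML-preferring clients.
    msg.add_alternative(f"<p>{body_safe(message)}</p>", subtype="html")
    return msg


def build_contact_message(name: str, email: str, message: str) -> EmailMessage:
    """Scenario 1, 'Contact Us': recipient is fixed; only the body and a
    Reply-To derived from a validated address come from the visitor."""
    if not is_valid_address(email):
        raise ValueError("invalid sender e-mail address")
    msg = _base_message(CONTACT_MAILBOX, f"Contact form: {name}", message)
    msg["Reply-To"] = email
    return msg


def gift_message_allowed(user_id, order_id, recipient: str):
    """Scenario 2 policy check.  Returns (allowed, reason)."""
    if user_id is None:
        return False, "login required"
    if not order_id:
        return False, "a completed purchase is required"
    if not is_valid_address(recipient):
        return False, "invalid recipient address"
    return True, "ok"


def build_gift_message(user_id, order_id, recipient: str, message: str):
    """Scenario 2, message to a third party.  Returns (EmailMessage, audit record);
    the audit record ties the message to the paying account so abuse is traceable."""
    allowed, reason = gift_message_allowed(user_id, order_id, recipient)
    if not allowed:
        raise PermissionError(reason)
    msg = _base_message(recipient, "You have received a gift", message)
    audit = {"user_id": user_id, "order_id": order_id, "recipient": recipient}
    return msg, audit
```

The design point is that the visitor only ever supplies body text and, for the gift case, a single validated recipient; every header that decides where the mail goes and who it appears to come from is set by the server. Log the audit record alongside the order so a complaint about a gift message can be traced back to the purchaser.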
