Lesson Plan Title: How to Exploit Unchecked Email

Concept / Topic To Teach:

It is always good practice to validate all inputs. Most sites allow non-authenticated users to send an e-mail to a 'friend'. When the recipient and message are not validated, this is a great mechanism for spammers to send out e-mail using your corporate mail server.

General Goal(s):

The user should be able to send an obnoxious e-mail message.

Solution:

Type a malicious script like <script>alert("XSS")</script> and click Send!

Figure 1 Lesson 5

Figure 2 Part 1 completed

The second part of this lesson is to send a mail to a friend from OWASP. This is accomplished by intercepting the request with WebScarab and changing the hidden form field "to" from webgoat.admin@owasp.org to bill.gates@microsoft.com. The lesson succeeds because the server trusts the hidden field instead of validating the recipient on its own side.
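Both parts of the lesson come down to the same defect: the server accepts the message body and the hidden "to" field as submitted. The following is an added example (not WebGoat code, which is written in Java, and not part of this solution) showing the server-side checks that close both holes: the recipient is re-validated against a server-held allow-list, header fields are refused if they contain CR/LF, and the body is HTML-encoded so a script tag is delivered inertly. The allow-list value, the function names and the helper try_build are assumptions made for this example.

```python
import html
import re

# Constructed allow-list: the only recipient this "send to a friend" form may target.
# In the lesson the hidden "to" field carries webgoat.admin@owasp.org; holding the value
# server-side means editing the hidden field in a proxy has no effect. (Assumption for
# this example, not a WebGoat setting.)
ALLOWED_RECIPIENTS = {"webgoat.admin@owasp.org"}

# Conservative single-address pattern; anything that is not one plain address is refused.
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class RejectedMail(ValueError):
    """Raised when a submitted form field fails server-side validation."""


def validate_recipient(to: str) -> str:
    # Hidden fields come from the client and can be edited in transit, so the server
    # treats "to" exactly like any other untrusted input.
    to = to.strip()
    if "\r" in to or "\n" in to:
        raise RejectedMail("header injection attempt in 'to'")
    if not _ADDRESS_RE.match(to):
        raise RejectedMail("malformed recipient")
    if to.lower() not in ALLOWED_RECIPIENTS:
        raise RejectedMail("recipient not on allow-list")
    return to.lower()


def sanitize_header(value: str, max_len: int = 200) -> str:
    # A CR/LF inside a header value would let extra headers (Bcc:, To:) be appended.
    if "\r" in value or "\n" in value:
        raise RejectedMail("header injection attempt in subject")
    return value.strip()[:max_len]


def sanitize_body(body: str, max_len: int = 4000) -> str:
    # Encode markup so the message renders as text in an HTML mail client or in the
    # lesson's own result page; the <script> payload survives only as literal characters.
    return html.escape(body.strip()[:max_len], quote=True)


def build_message(to: str, subject: str, body: str) -> dict:
    # Assemble the outbound message only from validated / encoded fields.
    return {
        "to": validate_recipient(to),
        "subject": sanitize_header(subject),
        "body": sanitize_body(body),
    }


def try_build(to: str, subject: str, body: str):
    # Helper returning (ok, message_or_reason) so the outcome can be inspected or logged.
    try:
        return True, build_message(to, subject, body)
    except RejectedMail as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs mirroring the two lesson steps: the script payload in the body
    # and the hidden "to" field rewritten to an outside address.
    print(try_build("webgoat.admin@owasp.org", "hello", '<script>alert("XSS")</script>'))
    print(try_build("bill.gates@microsoft.com", "hello", "hi"))
    print(try_build("webgoat.admin@owasp.org", "hi\r\nBcc: someone@example.org", "hi"))
```

The first call is accepted but its body is delivered as encoded text; the second is refused because the recipient is not on the server's allow-list; the third is refused because the subject carries a CR/LF that would otherwise inject a Bcc: header. A rejected request is worth logging with the offending field, since a burst of such rejections from one client is a useful signal that the form is being probed as a mail relay.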

Figure 3 Change the variable to another e-mail address

Figure 4 Lesson 5 Completed

Solution by Erwin Geirnaert, ZION SECURITY