Lesson Plan Title: How to Exploit Unchecked Email
Concept / Topic To Teach:
It is always good practice to validate all inputs. Most sites allow non-authenticated users to send an e-mail to a 'friend'. Left unvalidated, this is a great mechanism for spammers to send out email through your corporate mail server.
The user should be able to send an obnoxious email message.
Type a malicious script like <script>alert("XSS")</script> and click Send!
Figure 1: Lesson 5
Figure 2: Part 1 completed
The second part of this lesson is to send an e-mail to a friend from OWASP. This can be accomplished by intercepting the request with WebScarab and changing the hidden field "to" from firstname.lastname@example.org to email@example.com.
Figure 3: Change the variable to another e-mail address
Figure 4: Lesson 5 Completed
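Both parts of the lesson come from the same root cause: the form handler trusts what the client sends. The following is an added example, not WebGoat's code, of a minimal "send to a friend" handler in its trusting form next to a corrected one; the recipient address, field names and the 2000-character limit are assumptions.

```python
# Added example (not WebGoat's own code): a "send to a friend" handler
# showing the two defects this lesson exercises and one way to close them.
import html
import re

# Constructed: the recipient this feature is meant to reach is fixed server-side.
SUPPORT_RECIPIENT = "support@example.com"   # placeholder address

# Simple sender-address check; newlines never match, which also blocks
# header injection through the From field.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_mail_vulnerable(form):
    """Trusts the hidden 'to' field and forwards the body untouched.

    This is the behaviour the lesson exploits: tampering with 'to' turns
    the form into an open relay, and <script> in the body reaches whoever
    renders the message."""
    return {
        "to": form["to"],
        "from": form["from"],
        "body": form["msg"],
    }


def build_mail_hardened(form):
    """Never let the client choose the recipient, validate the sender
    address, and HTML-escape the body before it is rendered anywhere."""
    sender = form.get("from", "").strip()
    if not _EMAIL_RE.fullmatch(sender):
        raise ValueError("invalid sender address")
    body = form.get("msg", "")
    if len(body) > 2000:                  # assumed size limit
        raise ValueError("message too long")
    return {
        "to": SUPPORT_RECIPIENT,          # hidden 'to' field is ignored entirely
        "from": sender,
        "body": html.escape(body, quote=True),
    }
```

The hardened handler treats the hidden field as untrusted input like any other: the server decides the recipient, and the body is escaped so `<script>alert("XSS")</script>` is shown as text rather than executed.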
Solution by Erwin Geirnaert