Skip to content

Attacks via e-mail feature

I often see that; the websites with features which include e-mail service open to security vulnerabilities. These vulnerabilities would be exploited any time. Now, I am going to list some of the features that will use e-mail service (SMTP server).

  1. Forgot Username / Password
  2. Registration – confirmation e-mail
  3. Subscription / receive updates

 

There could be many other features which depend on the product that is developed or being developed. Above mentioned are the ones that you are familiar with.

 

How can I use the above features to attack e-mail service or SMTP server?

Spamming and more bandwidth usage – I could get the victims username or e-mail address and use it in Forgot Password text field and keep sending e-mails to the target e-mail address thereby; spamming. I am not only spamming here but, also I am consuming the bandwidth of the e-mail server. I could easily automate this; so let us talk about numbers now. In 5 seconds I will send one e-mail.

5 seconds = 1 e-mail

1 minute = 12 e-mails

1 hour = 720 e-mails

It goes on.

 

dDoS attack if you are doing it at the same time from different computers. 100 bad guys connected on IRC say “Boom” and everyone invokes it. The number 100 is just for example purpose; there are guys who are connected on IRC as a team more than 1000+.

 

Countermeasures

There should be a restriction on sending of e-mails in a day or per hour or anything that would not harm the e-mail service and even the end-user.

 

A captcha should be shown if repeated usage of form is being detected. Example: Gmail displays captcha in login form if wrong attempts are made. This could help in stopping the attack which is done by automating the process.

 

Blacklisting IP address if the attack is continued; recording server logs.

 

I wrote this blog post quickly and published it. I would write in deeper way sometime later.

SanthoshTuppad

I have been as a software tester for over 5 years. I am a hands-on tester and I've been winning bug battles & testing competitions across the world. I am a testing enthusiast, who conducts free workshops on security testing across India (Covered locations: Bengaluru, Pune, Hyderabad & Chennai. Invite him to come to your location), and monthly meets for testers in Bengaluru. I am also an avid testing blogger.

My interests include traveling, driving my SUV, health & fitness and many others. I mentor budding entrepreneurs, testers, teams in any profession.

Latest posts by SanthoshTuppad (see all)

Share/Bookmark

5 Comments

  1. Ravisuriya wrote:

    Was testing an application that came to test for 1 day. Similar kind of scenario was out there.

    Tried to find is there any email-id’s of employees or clients available hidden for normal eyes but it is available. On searching found the legitimate email-id’s.

    Wrote a small script to read from a file and requests for password via forgot password from two machines. Later the 3rd party API’s got slowing down gradually and looked application was not usable. I wanted to see the impact if it happens to legitimate user accounts and it was evident. Actual users are not able to sign in.

    Useful post.

    Monday, September 5, 2011 at 1:22 am | Permalink
  2. Nice to read it. Let’s share few more ideas.

    Using ‘Tell Your Friends’ feature. The name of this feature has some variations like Send this page to your friends, Tell a friend, Email this page etc. The beauty of this feature is, it allows you to provide multiple recipients email addresses and your email address.

    Using ‘Contact Us’ page. It often sends email to the correspondent person with your queries.

    Using ‘Error’ page. We often see for an illegal/unhandled operation/exception, system throws error and shows message like ‘Oops! System error occurs, administrator is notified. Please try again.’ In this circumstances, developers usually prefer to send email with error details to some specific persons. You can easily flood it by requesting the same error page again and again.

    Monday, September 5, 2011 at 11:22 pm | Permalink
  3. Monirul, Exactly! And talking about “Tell your friends” feature sometimes I have seen that there is no validation if same e-mail addresses are being used with comma separated. I remember that I flooded my inbox by adding multiple same e-mail addresses.

    Thanks for your contribution.

    Monday, September 5, 2011 at 11:39 pm | Permalink
  4. Saurabh Sinha wrote:

    Such was a nice post! this is somewhat make me alert and practicing the same on my new project which became to Live very soon and sensational and adventurous for the cricket fans..keep posting santhosh…This is really awesome..

    Tuesday, September 6, 2011 at 4:41 am | Permalink
  5. @Saurabh, Good to hear that this will be of help to your new project.

    Tuesday, September 6, 2011 at 4:45 am | Permalink

Post a Comment

Your email is never published nor shared. Required fields are marked *
*
*