The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


regarded as peripheral and may not be subject to the same security standards or testing as the main application functionality. Also, because they involve interfacing to an unusual back-end component, they are often implemented via a direct call to the relevant operating system command. Hence, in addition to probing for SMTP injection, you should also review all email-related functionality very closely for OS command injection flaws.





Preventing SMTP Injection

SMTP injection vulnerabilities can usually be prevented by implementing rigorous validation of any user-supplied data that is passed to an email function or used in an SMTP conversation. Each item should be validated as strictly as possible given the purpose for which it is being used:

■ Email addresses should be checked against a suitable regular expression (which should of course reject any newline characters).

■ The message subject should not contain any newline characters, and may be subjected to a suitable length limit.

■ If the contents of a message are being used directly in an SMTP conversation, then lines containing just a single dot should be disallowed.
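The following is an added example, not code from the book, showing the three validation rules above applied to user-supplied mail fields, together with the point made earlier about email features that shell out to an operating system command: the validated recipient is passed to sendmail as its own argument rather than interpolated into a command string. The regular expression, the 200-character subject limit, the sendmail path and all function names are assumptions chosen for illustration.

```python
import re
import subprocess

# Constructed address pattern (an assumption, not the book's): the local part
# must start with a letter or digit, so a validated address can never begin
# with "-" and be mistaken for a command-line option by the mail program.
EMAIL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MAX_SUBJECT_LEN = 200                   # assumed length limit
SENDMAIL_PATH = "/usr/sbin/sendmail"    # assumed location of the MTA binary


class MailInputError(ValueError):
    """Raised when a user-supplied mail field fails validation."""


def naive_email_check(addr: str) -> bool:
    # Pitfall: in Python, "$" also matches just before a trailing newline, so
    # re.match() accepts "user@example.com\n" although the pattern contains
    # no newline. A regex that looks newline-free is not enough on its own.
    return EMAIL_RE.match(addr) is not None


def validate_email(addr: str) -> str:
    # fullmatch() requires the entire string to match, so a trailing CR or LF
    # (or any other newline) is rejected.
    if not EMAIL_RE.fullmatch(addr):
        raise MailInputError("invalid email address")
    return addr


def validate_subject(subject: str) -> str:
    # No newline characters at all, plus a length limit.
    if "\r" in subject or "\n" in subject:
        raise MailInputError("newline in subject")
    if len(subject) > MAX_SUBJECT_LEN:
        raise MailInputError("subject too long")
    return subject


def validate_body(body: str) -> str:
    # In the SMTP DATA phase a line consisting of a single dot terminates the
    # message, so a body containing such a line is refused outright.
    for line in body.split("\n"):
        if line.rstrip("\r") == ".":
            raise MailInputError("lone dot line in body")
    return body


def is_safe_mail_input(recipient: str, subject: str, body: str) -> bool:
    """True if all three user-supplied fields pass validation."""
    try:
        validate_email(recipient)
        validate_subject(subject)
        validate_body(body)
    except MailInputError:
        return False
    return True


def build_message(sender: str, recipient: str, subject: str, body: str) -> str:
    # Only validated values reach the header block, so a user cannot append
    # extra headers or a second message.
    headers = [
        f"From: {validate_email(sender)}",
        f"To: {validate_email(recipient)}",
        f"Subject: {validate_subject(subject)}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + validate_body(body)


def send_message(sender: str, recipient: str, subject: str, body: str) -> None:
    msg = build_message(sender, recipient, subject, body)
    # The recipient is a separate argv element and no shell is involved, so
    # shell metacharacters in it can never become an OS command. Contrast
    # with building a single command string and handing it to the shell,
    # which is the pattern the text above warns about.
    subprocess.run([SENDMAIL_PATH, recipient], input=msg.encode("utf-8"), check=True)
```

Two design points are worth noting. First, the difference between `naive_email_check` and `validate_email` is exactly the "reject any newline characters" requirement: a pattern anchored with `$` still lets a trailing newline through under `re.match`, so use `fullmatch` (or an explicit newline check) when the field will end up in a header. Second, `send_message` keeps the OS command boundary clean by never concatenating user data into a command string; if the application must shell out at all, an argument list with no shell is the form that makes the earlier validation sufficient.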

