The MX Injection Attack

In "MX Injection: Capturing and Exploiting Hidden Mail Servers", Vicente Aguilera Diaz of the Web Application Security Consortium describes MX Injection, which is similar to SQL and XPath injection attacks.

This document presents a new attack technique against web applications that communicate with mail servers, generally webmail applications. Some of these applications are vulnerable to this new threat, which I called MX Injection due to the possibility of injecting commands from mail protocols (IMAP, SMTP). This document details the techniques and possibilities of MX Injection, as well as some countermeasures to protect against this new attack type. This document is oriented toward web developers building applications that communicate with mail servers, as well as to security professionals who audit these kinds of applications.
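
As an added illustration of the countermeasure side (not code from the paper or from this page): IMAP and SMTP commands end at CRLF, so a web front end that concatenates a user-supplied value into a command lets that value add command lines of its own. The function names, command tags and sample inputs below are constructed for this example, and rejecting non-ASCII input is a simplifying assumption.

```python
import re

# CR and LF terminate an IMAP command line and NUL is not allowed in any
# IMAP string (RFC 3501), so none of them may reach the mail server from
# user input.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


class UnsafeMailParameter(ValueError):
    """User input that could change the structure of a mail command."""


def imap_quote(value: str) -> str:
    """Return value as an IMAP quoted string, or raise if it cannot be one."""
    if _FORBIDDEN.search(value):
        raise UnsafeMailParameter("CR, LF or NUL in mail command parameter")
    if not value.isascii():
        # Assumption for this example: 8-bit names are refused rather than
        # encoded (real mailbox names would need modified UTF-7 or a literal).
        raise UnsafeMailParameter("non-ASCII mail command parameter")
    # Backslash and double quote are the two quoted-specials to escape.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_select_naive(tag: str, mailbox: str) -> str:
    """The pattern to avoid: user input concatenated into the command."""
    return f"{tag} SELECT {mailbox}\r\n"


def build_select(tag: str, mailbox: str) -> str:
    """Hardened form: the mailbox is validated and sent as one quoted string."""
    return f"{tag} SELECT {imap_quote(mailbox)}\r\n"


def command_lines(wire: str) -> int:
    """Count the command lines the mail server would read from wire."""
    return len([line for line in re.split(r"\r\n|\n|\r", wire) if line])


if __name__ == "__main__":
    # Constructed inputs: one ordinary name, one carrying an extra line.
    for mailbox in ['Work "2024"', "INBOX\r\nA002 NOOP"]:
        print("naive lines:", command_lines(build_select_naive("A001", mailbox)))
        try:
            print("hardened   :", repr(build_select("A001", mailbox)))
        except UnsafeMailParameter as exc:
            print("rejected   :", exc)
```

The same check belongs in front of every value the application places into an SMTP command or message header.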