The proliferation of dynamic websites has fueled a new era of Web growth. Gone are the days when the Web served static pages cluttered with bright colors and flashy animated images. Today's database-driven websites, often thriving on user-generated content, offer an entire gamut of features.
Security issues have taken a back seat in this new era of Web growth as well. Flaws in a Web application don't necessarily have to be in the code itself; the logic behind an application also goes awry at times.
While scavenging the Web, I came across a contact form page served by University College London, designed to reach out to prospective Information Security students.
The Web page seems perfectly innocuous at first glance. But the contact form also allows you to e-mail a copy of the message to your own address. Now, this is what I call a Web 2.0 spam-sending machine 🙂 !
In effect, a spammer can write messages promoting products and send them to arbitrary e-mail addresses of their choice. The e-mail infrastructure of the organization that runs the website bears the brunt. The form could also be used as a relay agent to send threatening mail while concealing one's own identity…
[Sample E-mail sent via Contact Form as a Proof-of-Concept]
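The defensive fix for this class of form is to stop the "copy to me" feature from being a relay: the free-text message goes only to the organization's own mailbox, and the copy sent to the submitter is a fixed acknowledgment that carries none of the user-supplied text. The handler below is an added illustration, not UCL's code; the mailbox address, field names and reference format are constructed for the example.

```python
"""Contact-form mail handler that cannot be used as a spam relay (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed values for the example: the only recipient of free-text content.
ORG_INBOX = "infosec-admissions@example.org"
MAX_BODY = 2000
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# The copy the submitter receives is a fixed template; the message body is
# deliberately NOT echoed back, so the form cannot deliver arbitrary text.
ACK_TEMPLATE = (
    "Thank you for contacting the Information Security programme. "
    "We have received your enquiry and will reply to this address. "
    "Reference: {ref}"
)


@dataclass
class Outbound:
    to: str
    subject: str
    body: str


def handle_contact(form: dict, ref: str) -> List[Outbound]:
    """Turn a submitted form into the mails the server may send."""
    name = form.get("name", "").strip().replace("\r", " ").replace("\n", " ")
    sender = form.get("email", "").strip()
    message = form.get("message", "").strip()
    if not EMAIL_RE.match(sender):
        raise ValueError("invalid sender address")
    if not message or len(message) > MAX_BODY:
        raise ValueError("message missing or too long")

    # Rule 1: the only mail that contains user text goes to a fixed inbox.
    # The subject is built from a server-generated reference, never from input.
    out = [Outbound(ORG_INBOX, f"Web enquiry {ref}",
                    f"From: {name} <{sender}>\n\n{message}")]

    # Rule 2: the optional copy is a fixed acknowledgment to the sender only.
    if form.get("send_copy") == "on":
        out.append(Outbound(sender, f"Your enquiry {ref}",
                            ACK_TEMPLATE.format(ref=ref)))
    return out
```

Whoever abuses such a form can still trigger an acknowledgment to an address they typed in, so a per-IP rate limit on submissions remains a sensible addition; the template alone removes the spam and threat content from what gets relayed.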
The security landscape is already cluttered with numerous issues. One more issue joining the party won't hurt much… I guess 😉