Web Mail Server security tests
Does anyone have experience with, or familiarity with, Web Mail Server security/hacking tests (a server like Hotmail.com)? Could you give me some tips on what security tests should be covered, a list of tools, methodology, etc.?
Thanks in advance,
[This message has been edited by Koren (edited 04-02-2002).]
Re: Web Mail Server security tests
In general, when testing the security of an application:
- ensure that the system authenticates users
- ensure that the system allows users to only perform authorized functions
- ensure that the user cannot circumvent security in the system (altering client code, altering their own security settings)
- ensure that there is a useful audit trail of system usage (invalid logins, valid logins, user action)
Also, "Quality Web Systems: Performance, Security, and Usability" has an entire chapter dedicated to security testing. To read part of the Security chapter from the book, go to this website and click on "Sample Chapter": http://www.awl.com/cseng/titles/0-201-71936-3
Specifically for a web-based email system, you might consider validating session timeouts, cookie management, and scripting vulnerabilities, depending on the requirements for the application. If this is a third-party application, you might consider reading up on the known vulnerabilities and installing the appropriate patches.
Tim Van Tongeren
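As an added illustration of the cookie-management and session-timeout checks in the reply above (example code written for this page, not part of the original thread), here is a small audit of the Set-Cookie headers a webmail login returns. The sample headers, the 30-minute session policy and the session cookie names are constructed assumptions.

```python
# Added example: audit the Set-Cookie headers a webmail login returns
# against a session-handling policy. Headers and policy are constructed
# for illustration, not taken from any real service.
MAX_SESSION_AGE_S = 30 * 60                                # assumed policy
SESSION_COOKIE_NAMES = ("sid", "session", "jsessionid")   # assumed names


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return a list of finding codes for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing-secure")      # would also go over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing-httponly")    # readable by injected script
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("weak-samesite")       # attached to cross-site requests
    if name.lower() in SESSION_COOKIE_NAMES and "max-age" in attrs:
        try:
            if int(attrs["max-age"]) > MAX_SESSION_AGE_S:
                findings.append("session-outlives-policy")
        except ValueError:
            findings.append("unparseable-max-age")
    return findings


def audit_login_response(headers):
    """Map each cookie name to its findings for a list of Set-Cookie headers."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in headers}


# Constructed sample: what a webmail login response might set.
SAMPLE_HEADERS = [
    "SID=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=1800",
    "SESSION=c0ffee; Path=/; Max-Age=2592000",
    "LANG=en; Path=/; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for cookie, findings in audit_login_response(SAMPLE_HEADERS).items():
        print(cookie, findings or "ok")
```

The same parser can be pointed at a captured login response; a session cookie that shows any finding other than an empty list is worth raising with the application owner.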