Security Research Of Web Mail System

Posted on: 2014-02-06
Degree: Master
Type: Thesis
Country: China
Candidate: F Y Pan
Full Text: PDF
GTID: 2248330398471990
Subject: Information security
Abstract/Summary:
Unlike most work in this area, which stays at the level of theoretical research and analysis, this thesis carried out a comprehensive analysis of the four largest domestic (Chinese) Web Mail systems from the standpoint of real-world attack threats. Based on the results, it describes the current security status of domestic Web Mail systems and proposes a practicable defense strategy for Web Mail service providers. It also designs an automated tool, MailFuzzer, for detecting XSS vulnerabilities in rich-text (HTML) messages. The thesis focuses on five main vulnerability classes: JSON hijacking, URL access control flaws, Cross-Site Request Forgery (CSRF), injection vulnerabilities, and Cross-Site Scripting (XSS).

First, drawing on the author's long-term research into Web vulnerabilities, the thesis sets out the nature and underlying theory of the five vulnerability classes, then abstracts the structure of a Web Mail system from a security-research perspective and identifies the security issues such a system must address. It summarizes how each of the five classes is triggered and under what circumstances it arises in Web Mail systems, and analyzes the exploitation methods and the damage each can cause.

Second, through hands-on project analysis, the thesis finds that the largest security threats to Web Mail systems are CSRF and XSS originating in rich-text messages. To automate detection of XSS in rich-text messages, it designs and implements MailFuzzer, an automated testing tool that incorporates hacker-style techniques and detects XSS simply, effectively and accurately. Finally, combining manual analysis with automated detection by MailFuzzer, the thesis examines the four Web Mail systems thoroughly. The results show:

1. All four leading domestic Web Mail systems had serious security vulnerabilities; an attacker could compromise any of them with little effort.
2. The main threats to these systems come from CSRF and XSS. Developers paid little attention to CSRF and handled XSS poorly.
3. All four systems share a design flaw in how they handle CSS in messages, which amplifies the impact of XSS: each allows CSS to be inserted directly into rich-text messages.

Beyond the security of these four systems, the thesis demonstrates how to analyze the security of a Web Mail system in general and, finally, proposes practicable defenses against each of the five vulnerability classes.
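The rich-text XSS findings and the CSS-insertion design flaw above come down to what the provider's HTML sanitizer lets through. As an added example (not the thesis's MailFuzzer and not code from any of the providers studied; the abstract does not give the thesis's own defense in detail), the following Python sanitizer shows the allowlist approach a practitioner would apply to these findings: unknown tags and attributes are dropped rather than blocklisted, `<style>` elements and `style=` attributes never survive, URL attributes are checked by scheme after entity decoding, and a small fuzz-style oracle replays constructed probe messages through it to flag any payload that still carries a dangerous marker. The tag allowlist, scheme list, marker list and probe messages are assumptions constructed for illustration.

```python
"""Allowlist HTML sanitizer for rich-text mail bodies plus a fuzz-style oracle.

Added example, not the thesis's MailFuzzer or any provider's code. The allowlist,
scheme list, danger markers and probe payloads below are assumptions for illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: tag -> attributes that may survive. There is no "style" attribute
# and no <style> element anywhere, which closes the CSS-insertion flaw described above.
ALLOWED_TAGS = {
    "a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
    "b": set(), "i": set(), "u": set(), "strong": set(), "em": set(),
    "p": set(), "br": set(), "div": set(), "span": set(), "blockquote": set(),
    "ul": set(), "ol": set(), "li": set(), "table": set(), "tr": set(), "td": set(), "th": set(),
}
VOID_TAGS = {"br", "img"}
# Elements removed together with everything inside them (their text is never rendered).
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "svg", "math", "title", "template", "noscript"}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto", "cid"}  # assumed; rejects javascript:, data:, vbscript:


def safe_url(value):
    """Accept relative URLs and allowlisted schemes only."""
    # Strip control characters first so 'java<TAB>script:' cannot slip past the scheme check.
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # text and attribute values arrive entity-decoded
        self.out, self.open_tags, self.dropped = [], [], []
        self.skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.dropped.append(("element", tag))
            return
        if self.skip_depth:
            return
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:
            self.dropped.append(("tag", tag))  # tag removed, its text content kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in allowed:  # catches every on*= handler and style=
                self.dropped.append(("attr", f"{tag}@{name}"))
            elif name in URL_ATTRS and not safe_url(value):
                self.dropped.append(("url", value))
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')  # re-encode the decoded value
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:  # close mis-nested inner tags so the output stays well-formed
            inner = self.open_tags.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        self.dropped.append(("comment", data))  # comments (incl. IE conditionals) never reach the reader

    def result(self):
        self.close()  # flush buffered text
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    parser = MailSanitizer()
    parser.feed(html)
    return parser.result()


# Fuzz-style oracle: if any of these survive sanitizing, the payload is a bypass.
DANGER_MARKERS = ("<script", "<style", " style=", "javascript:", "onerror=", "onload=",
                  "onmouseover=", "expression(")


def looks_dangerous(html):
    return any(marker in html.lower() for marker in DANGER_MARKERS)


def run_probes(payloads):
    """Return the probes whose sanitized form still carries a danger marker."""
    return [p for p in payloads if looks_dangerous(sanitize(p))]


# Constructed probe messages covering the cases the abstract discusses.
PROBES = [
    '<p onmouseover="alert(1)">Hi <b>there</b></p>',
    '<a href="javascript:alert(1)">x</a>',
    '<a href="&#106;ava\tscript:alert(1)">x</a>',            # entity + tab obfuscation of the scheme
    '<style>body{background:url(javascript:1)}</style>text',  # CSS block carried in the message
    '<div style="background:expression(alert(1))">d</div>',   # inline CSS, the amplifying flaw
    '<img src="x" onerror="alert(1)"/>',
    '<script>alert(1)</script>after',
]

if __name__ == "__main__":
    for probe in PROBES:
        print(repr(probe), "->", repr(sanitize(probe)))
    print("bypasses:", run_probes(PROBES))
```

The `dropped` log is what makes the allowlist design auditable: every element, attribute, URL and comment that was removed is recorded, so a fuzzing run can distinguish "payload neutralized" from "payload passed unchanged". The oracle is deliberately coarse; in practice the sanitized output should also be rendered in a headless browser, since some bypasses only show up after the browser's own parser re-interprets the markup.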
Keywords/Search Tags: Web Application Security, Cross-Site Scripting, HTML Sanitizer, Internet Message Format