Content-Type: text/html; charset=us-ascii
> sendmail -t firstname.lastname@example.org < email.txt
The -t flag is where you want to send the email to and redirect in whatever you named your email text file to sendmail. That’s it! Happy XSS hunting!
Taking that a step further, we have used RSnake's XSS Cheat Sheet for payloads and perl for automation, and ended up with Excess2 - webmail XSS tester.
It can be also done using mitm proxy tools like burp and w3af. Simply intercept http request (sending mail) and add necessary payload.
oxdef: we definitely need a system which doesn't have any filtration in sending the messages. Therefore, we should not use Gmail to send an arbitrary text/html if we want to have an accurate test.
The method which has been said here doesn't need any programming skill. However, if you can write your application, you can write a OS independent special fuzzer.
Jeremiah: Although you are not talking about a complete test here, I think it would be useful to say it. For example: several years ago, YahooMail had a XSS vulnerability which was exploitable by sending an HTML file with Plain/Text encoding with another extension such as ASP. I think everything should be tested (all header variables, attachments, encoding, non-header variables! And so on).
We recommend that you create email accounts on widely used email services such as AOL, Gmail, Hotmail, and Yahoo and send a test copy of your HTML email to yourself.
HTML email software
The next thing a subscriber will see is the body content of the email itself. This is of course the most complex part of the email and can include all manner of factors ranging from the text copy, to the layout and colours as well as the formatting and content. Once again it is wise to send out a split test campaign to test the waters. Many companies these days are doing split testing to see whether their rich media HTML mailers are faring better than plain text mailers. This is due to the increasing popularity of mobile email and the fact that HTML mailers often don't display well or even at all on some smart phones.
Sending an HTML email requires far more skill than a text email. You still must use all of the email marketing techniques required for getting the best results but you must also learn some new HTML skills as well. HTML emails can provide a far better response when done properly and can be a dismal failure when rushed through without testing for the best results.
html email template
Post a Comment