03 April 2009

Is Email Within the Scope of a Web Application Security Test?

Email is sometimes discounted or just excluded from the scope of web application code reviews and penetration testing. This isn't always the correct decision.

A web application's boundary can be difficult to define, so it is easy to set the wrong scope for a review, audit or security test. Web applications may be composed of multiple independent systems spread across many organisations and geographic locations (e.g. a page containing a news feed from a third party, someone else's widget and web analytics code).

But even the simplest web application usually has some sort of email functionality—this might simply be to raise alerts about unusual conditions such as errors, but often email is part of the user authentication mechanisms, such as registration forms and password change functions. Marketing emails may also be sent by third parties, and these might include web content drawn from the site, or URLs or redirects to particular resources on the web site.

I was reminded of this by an econsultancy.com blog posting this week, "UK retailers need to improve their email marketing efforts". Lots of good advice there. I have saved some recent poor quality marketing emails:

Partial screen capture of email client software showing four messages: one message with no subject, one where the from field includes placeholders for names, a test email with "test" in the subject line, and one with an apology for a previous message.

It just seems too easy to send these things off. Another one even had some FTP account details embedded in an image address! I spoke to the company's IT helpdesk on that one.

But yes, where the emails include links to the web site, describe functionality, submit data to the web site or include web content, they should normally be considered within scope of a security test. They may also contain useful details for the information gathering phase.
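The kind of check described above can be automated when reviewing saved marketing emails: which links, images and form actions point back at the application (and so belong in scope), which go to third parties, and whether any URL carries embedded credentials like the FTP account in the image address mentioned earlier. This is an added example, not code from the original post; the sample message, the hostnames and the `example-shop.test` domain are constructed.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample marketing email (not a real message); it deliberately
# contains an unexpanded placeholder and an image URL with FTP credentials.
SAMPLE_EML = """\
From: Newsletter <news@example-marketing.test>
To: customer@example.test
Subject: Spring offers
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi {FirstName}, see our offers.</p>
<img src="ftp://ftpuser:s3cret@cdn.example-shop.test/banner.gif">
<a href="https://www.example-shop.test/account/reset?token=abc">Reset password</a>
<a href="https://tracker.example-marketing.test/click?u=123">Unsubscribe</a>
<form action="https://www.example-shop.test/preferences" method="post">
<input name="email"></form>
</body></html>
"""

class _RefCollector(HTMLParser):
    """Collects (tag, url) pairs from href, src and action attributes."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.refs.append((tag, value))

def review_email(raw, app_domains):
    """Classify every reference in a single-part HTML email against the
    application's domains (hypothetical helper). Returns a findings dict."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _RefCollector()
    collector.feed(body)
    findings = {"in_scope": [], "third_party": [], "credentials_in_url": []}
    for tag, url in collector.refs:
        parts = urlsplit(url)
        if parts.username or parts.password:      # user:pass@host leaks secrets
            findings["credentials_in_url"].append(url)
        host = parts.hostname or ""
        in_app = any(host == d or host.endswith("." + d) for d in app_domains)
        findings["in_scope" if in_app else "third_party"].append((tag, url))
    # Placeholders such as {FirstName} left in the From header or body
    findings["placeholders"] = re.findall(r"\{\w+\}", str(msg["From"]) + body)
    return findings
```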

Posted on: 03 April 2009 at 10:08 hrs
