mistake fixed 4-Web_Application_Security_Testing/07-Input_Validation_…

…Testing/08-Testing_for_IMAP_SMTP_Injection (OWASP#591)

document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_IMAP_SMTP_Injection.md

@@ -8,14 +8,14 @@
 
 This threat affects all applications that communicate with mail servers (IMAP/SMTP), generally webmail applications. The aim of this test is to verify the capacity to inject arbitrary IMAP/SMTP commands into the mail servers, due to input data not being properly sanitized.
 
-The IMAP/SMTP Injection technique is more effective if the mail server is not directly accessible from Internet. Where full communication with the backend mail server is possible, it is recommended to conduct direct testing.
+The IMAP/SMTP Injection technique is more effective if the mail server is not directly accessible from internet. Where full communication with the backend mail server is possible, it is recommended to conduct direct testing.
 
-An IMAP/SMTP Injection makes it possible to access a mail server which otherwise would not be directly accessible from the Internet. In some cases, these internal systems do not have the same level of infrastructure security and hardening that is applied to the front-end web servers. Therefore, mail server results may be more vulnerable to attacks by end users (see the scheme presented in Figure 1).
+An IMAP/SMTP Injection makes it possible to access a mail server which otherwise would not be directly accessible from the internet. In some cases, these internal systems do not have the same level of infrastructure security and hardening that is applied to the frontend web servers. Therefore, mail server results may be more vulnerable to attacks by end users (see the scheme presented in Figure 1).
 
 ![IMAP SMTP Injection](images/Imap-smtp-injection.png)\
 *Figure 4.7.10-1: Communication with the mail servers using the IMAP/SMTP Injection technique*
 
-Figure 1 depicts the flow of traffic generally seen when using webmail technologies. Step 1 and 2 is the user interacting with the webmail client, whereas step 2 is the tester bypassing the webmail client and interacting with the back-end mail servers directly.
+Figure 1 depicts the flow of traffic generally seen when using webmail technologies. Step 1 and 2 is the user interacting with the webmail client, whereas step 2 is the tester bypassing the webmail client and interacting with the backend mail servers directly.
 
 This technique allows a wide variety of actions and attacks. The possibilities depend on the type and scope of injection and the mail server technology being tested.
 
@@ -37,7 +37,7 @@ Some examples of attacks using the IMAP/SMTP Injection technique are:
 
 ### Identifying Vulnerable Parameters
 
-In order to detect vulnerable parameters, the tester has to analyze the application's ability in handling input. Input validation testing requires the tester to send bogus, or malicious, requests to the server and analyse the response. In a secure application, the response should be an error with some corresponding action telling the client that something has gone wrong. In a vulnerable application, the malicious request may be processed by the back-end application that will answer with a `HTTP 200 OK` response message.
+In order to detect vulnerable parameters, the tester has to analyze the application's ability in handling input. Input validation testing requires the tester to send bogus, or malicious, requests to the server and analyse the response. In a secure application, the response should be an error with some corresponding action telling the client that something has gone wrong. In a vulnerable application, the malicious request may be processed by the backend application that will answer with a `HTTP 200 OK` response message.
 
 It is important to note that the requests being sent should match the technology being tested. Sending SQL injection strings for Microsoft SQL server when a MySQL server is being used will result in false positive responses. In this case, sending malicious IMAP commands is modus operandi since IMAP is the underlying protocol being tested.