Secure your code, from the start.

Coders Conquer Security: Share & Learn Series – Email Header Injection

21st March 2019

It’s common these days for websites and applications to allow users to send feedback, appointment reminders and various other bits of information through an application using email. Normally this process is fairly benign, and most people don’t even think about it in terms of a potential security risk.

However, like any other design element that allows for user input, if not properly configured, these seemingly inconsequential features can be manipulated by malicious users for nefarious purposes. All it takes is giving the user the ability to enter code into the input field that is then mistakenly processed by the server. Suddenly, an email application can become weaponized.

In this episode we will learn:

  • How attackers can trigger an email header injection
  • Why email header injections are dangerous
  • Techniques that can fix this vulnerability.

How do Attackers Trigger an Email Header Injection?

Although it’s not often thought of as programmable, most email contact applications or features put into websites or applications can accept input that changes the nature of the query. It’s just normally done automatically by the server after a user has entered their information, such as their email address, into the contract field. The program then configures the message, adds the appropriate recipients, and sends the message out using its default email server.

A typical email POST request might look like this:

POST /contact.php HTTP/1.1
Host: www.example.com

And generate code that looks like this after a user has entered their information:

name=RealName&replyTo=RealName@ValidServer.com&message=YourAppointmentReminder

The trouble occurs when hackers begin to inject code into the process instead of just their contact information. This is not unlike a SQL injection-type attack, but made against the email application. An example of a manipulated query that would instead send spam from your application to a targeted user might look like this:

name=FakeName\nbcc: SpammedVictim@TargetAddress.com&replyTo= FakeName@ValidServer.com&message=Spammed message

Why is Email Header Injection Dangerous?

Depending on the skill of the malicious user and their intentions, email header injection attacks can range from simply annoying to highly dangerous in terms of severity. On the low end of the severity scale, they might be able to insert their contact information into the BCC field of an outgoing message sent to a secret or undisclosed mailbox within your company, thus revealing it to a hacker.

More concerning, it might allow them to completely control your email server to send spam, phishing or other attack emails from your organization. They would not need to try and fake the fact that the email is coming from your internal servers, because it actually would be originating there. And if you are not monitoring that activity, they can even automate the process, sending out hundreds or thousands of emails using your organization’s servers, and in such a way that it looks like you are actually instigating that activity.

Eliminating the Email Header Injection Problem

As with SQL injection and other attacks of this nature, the key to eliminating the possibility that a malicious user will exploit an email header vulnerability is never trusting user input. If a user is able to enter information, even if it seems like a trivial process such as entering their email address, you have to assume the worst. Or at least assume that the worst is possible.

Input validation should be performed for all parameters, and this includes when adding an email contact ability to an app or website. Whitelisting can be used to specifically enable processes and fields that you consider valid, while denying everything else. In fact, most frameworks have libraries available that can be used to help lock down functions to just those needed. Doing that will prevent any code or commands entered by malicious users from being recognized and processed by your servers.

More Information about Email Header Injections

For further reading, you can take a look at what OWASP says about email header injections. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues’ gallery of other threats, visit the Secure Code Warrior blog.

Think you're ready to find and fix an email injection right now? Head to the platform and test your skills:

"coder"​ && "hacker"​ && "product_designer"

View Comments