Email injection attack: Impact, example & prevention

By
Nash N Sulthan
Reviewed by
Jijith Rajan
Published on
24 Mar 2023
5 min read

Email injection is a security vulnerability that can occur when a contact form on a website doesn’t validate the user’s input before inserting it into SMTP headers.

This vulnerability can be exploited by an attacker to inject additional headers into the message, allowing them to carry out malicious actions via the SMTP server.

It is standard procedure for websites to include contact forms that allow visitors to legitimately send emails to the intended recipient. To make it simpler for the recipient to treat communication from the contact form like any other email, such a contact form would typically set SMTP headers like From and Reply-to.

The From header is a crucial component of an email (‘root@localhost’ in the below code-block), as it informs the recipient of the sender’s identity. The Reply-To header allows the recipient to easily respond to the sender through their email client. It’s essential to ensure the security of both headers to protect against email header injection.

Example of email injection

The PHP code below is an example of a common contact form that is vulnerable to email injection attack. The code below takes a website visitor’s name and email address and generates a list of email headers.

        <?php 

            if (isset($_POST['name'])) { 

            $name = $_POST['name']; 

            $replyto = $_POST['replyTo']; 

            $message = $_POST['message']; 

            $recipient = 'root@localhost'; 

            $subject = 'My Subject'; 

            //SMTP header   

            $headers = "From: $name \n" . "Reply-To: $replyto"; 

            mail($recipient, $subject, $message, $headers); 

            } 

        ?>
    

A typical authentic POST request would appear as follows:

        POST /contact.php HTTP/1.1   

        Host: www.example.com 

        name=Jane Doe&replyTo=janedoe@example.com&message=Custom message 
    

A malicious actor could exploit this contact form by submitting the POST request as indicated below:

        POST /contact.php HTTP/1.1   

        Host: www.example.com 

        name=Hacker\nbcc: mail@recepient.com&replyTo=mail@hacker.com&message=Hacker message
    

In the scenario presented, the attacker adds a line break (represented as \n on most UNIX/Linux systems and \r\n on Windows systems) and includes a BCC SMTP header with additional email addresses that the SMTP server will send the email to.

Impact of email injection attacks

Email injection attacks can have serious consequences for both the affected organization and its users. Some of the key impacts of this attack include:

  • Spoofing of sender’s identity: Attackers can inject malicious headers into emails and manipulate the From, Reply-To, or BCC fields to make the emails appear to come from a trusted source. This can be used for phishing attacks or to spread malware.

  • Unauthorized email sending: Attackers can use the email injection attack to send large amounts of spam or phishing emails from the affected organization’s email server, potentially tarnishing the organization’s reputation and causing its email server to be blacklisted.

  • Confidential information exposure: Attackers can inject headers that contain sensitive information, such as passwords or login credentials, into emails, leading to a breach of confidentiality.

  • Loss of control over email communication: Attackers can manipulate headers to redirect replies to emails, leading to a loss of control over the organization’s email communication.

It’s important to keep in mind that this vulnerability isn’t exclusive to PHP, as any application that creates email messages based on arbitrary user input is at risk.

How to prevent email header injection attack

In conclusion, email header injection attacks are a serious security threat that can be used to carry out malicious activities like spamming, phishing, or even identity theft.

It’s imperative for developers to be aware of this issue and to take the necessary steps to prevent it from happening. Some of the actionable items that developers can take include:

  • Validating user input: Ensure that the data entered by users is validated and sanitized before being used in emails. This will prevent attackers from injecting malicious headers into emails.

  • Encoding special characters: Make sure to encode special characters in user input, such as \n and \r, as these characters can be used to add new lines and line breaks in headers.

  • Avoid having user input directly in headers: Instead of having user input directly in headers, use a variable or a constant. This way, even if an attacker injects malicious data, it won’t affect the headers.

  • Testing for email header injection vulnerabilities: Regularly test applications for email header injection vulnerabilities to catch any issues before they are exploited by attackers.

By implementing these measures, developers can significantly reduce the risk of email header injection attacks and keep their applications secure. It’s important to stay vigilant and to regularly assess applications for vulnerabilities, as new attack methods and techniques are continually emerging.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Contributor
Jijith Rajan
Jijith Rajan
Cyber Security Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Find surface-level website security issues in under a minute
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.