As a bug bounty hunter, one of the vulnerabilities that you should be aware of is email header injection. This vulnerability arises when user input is not properly validated before being sent to an email library, potentially leading to spam or phishing attacks. This blog will discuss how email header injection works, how to detect and mitigate it and provide examples of vulnerable code.
To understand email header injection, it helps to know how the Simple Mail Transfer Protocol (SMTP) moves a message. SMTP is the protocol a mail client or application uses to hand a message to a mail server, and that mail servers use between themselves. A session boils down to three commands: MAIL FROM names the envelope sender, RCPT TO names each envelope recipient (one command per recipient), and DATA carries the message itself, headers and body together.
Email headers such as “From”, “To”, “Cc”, “Bcc” and “Reply-To” are not SMTP commands; they are the first lines of the message sent in DATA, one header per line, and mail clients use them to display the message. The two layers are linked by convention, though: most mail libraries, and mail transfer agents run in “read recipients from the message” mode (sendmail -t, which PHP’s mail() uses by default on Unix), turn the To, Cc and Bcc headers into RCPT TO commands. Because headers are separated by line breaks, an attacker who can put a line break into a header value can end that header and start one of their own, for example a Bcc that adds recipients the application never intended.
Consider the following PHP code, a typical contact form that is susceptible to email header injection. It reads the name, reply-to address and message from the form fields and concatenates the first two straight into the header string passed to mail().
<?php
if (isset($_POST['name'])) {
    $name = $_POST['name'];
    $replyto = $_POST['replyTo'];
    $message = $_POST['message'];
    $to = 'root@localhost';
    $subject = 'My Subject';
    // Set SMTP headers
    $headers = "From: $name \n" .
        "Reply-To: $replyto";
    mail($to, $subject, $message, $headers);
}
?>
An attacker exploits this by ending the name with a newline and appending a Bcc header that lists additional addresses. Nothing in the code checks the value, so the injected line becomes a header in its own right, and the mail transfer agent turns each Bcc address into an RCPT TO command. The victim’s server then delivers the attacker’s message to recipients of the attacker’s choosing, under the site’s own domain and IP reputation, which is what makes the bug attractive for spam and phishing campaigns.
Email header injection can be picked up by scanners, but the most reliable way to confirm it is to test the application by hand. Taking the contact form above as the target, the steps are:
Craft a POST request with manipulated input data:
POST /contact.php HTTP/1.1
Host: www.example2.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 108

name=John+Doe%0ABcc:+attacker1@example.net,attacker2@example.net&replyTo=attacker1@example.net&message=Hello
Here the name field carries a URL-encoded newline (%0A; %0D%0A works as well) followed by a Bcc header naming two extra recipients. The two example.net addresses stand in for mailboxes the tester controls.
Submit the crafted POST request to the server.
Check the inboxes of the two injected addresses. Only ever inject mailboxes you control: injecting anyone else’s address sends them unsolicited mail from the target.
If the message arrives at both injected addresses, the form is vulnerable: the server accepted a header the attacker supplied and delivered mail to recipients it never intended. Do not expect to see the Bcc line in the delivered copy; the mail transfer agent normally strips it before delivery, so the proof is the arrival of the message, not its headers.
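The same exchange, modelled offline so the mechanics can be inspected without a mail server. This is an added example, not code from the original post: it re-expresses the vulnerable PHP snippet in Python, builds the form-encoded payload the way a client would, and then does what the MTA does with the result. It assumes that PHP’s mail() hands the message to sendmail -t -i (its default on Unix) and that -t makes the MTA take envelope recipients from the To, Cc and Bcc headers; the attacker1@/attacker2@example.net addresses are constructed placeholders.

```python
"""Added example: a Python model of the vulnerable PHP contact form and of
what `sendmail -t` does with its output, runnable offline.

Assumptions (not from the original post): PHP's mail() invokes
`sendmail -t -i`, and `-t` means "take RCPT TO recipients from the To:, Cc:
and Bcc: headers". The attacker addresses are constructed placeholders.
"""
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import parse_qs, urlencode

ATTACKER_ADDRS = ["attacker1@example.net", "attacker2@example.net"]


def attacker_post_body() -> str:
    """Constructed payload: the bare LF inside `name` becomes %0A once
    form-encoded, which is how it must travel in a real POST body."""
    return urlencode({
        "name": "John Doe\nBcc: " + ",".join(ATTACKER_ADDRS),
        "replyTo": ATTACKER_ADDRS[0],
        "message": "Hello",
    })


def vulnerable_contact_form(post_body: str) -> str:
    """Mirror of the vulnerable PHP snippet: fields are decoded as $_POST would
    see them, then concatenated straight into header lines. The To: and
    Subject: lines are the ones mail() itself prepends."""
    form = parse_qs(post_body, keep_blank_values=True)
    name = form["name"][0]
    reply_to = form["replyTo"][0]
    message = form["message"][0]
    headers = f"From: {name} \n" f"Reply-To: {reply_to}"  # same bug as the PHP
    return (
        "To: root@localhost\n"
        "Subject: My Subject\n"
        f"{headers}\n"
        "\n"
        f"{message}\n"
    )


def header_names(raw_message: str) -> list[str]:
    """Header fields as the MTA parses them. An injected Bcc: shows up as a
    field of its own, not as part of the From: value."""
    return list(message_from_string(raw_message).keys())


def envelope_recipients(raw_message: str) -> list[str]:
    """What `sendmail -t` does: every address in To:, Cc: and Bcc: becomes an
    RCPT TO command. Bcc: is then stripped from the delivered copy, so the
    legitimate recipient never learns who else got the message."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _display, addr in getaddresses(fields) if addr]


if __name__ == "__main__":
    raw = vulnerable_contact_form(attacker_post_body())
    print(raw)
    print("headers:", header_names(raw))
    print("RCPT TO:", envelope_recipients(raw))
```

Run as a script it prints the assembled message, the five header fields the MTA sees (To, Subject, From, Bcc, Reply-To) and the three envelope recipients, root@localhost plus the two injected addresses. Swapping the payload for one without %0A leaves a single recipient, which is the quickest way to convince yourself that the line break, not the Bcc text, is the whole attack.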
To mitigate email header injection, validate every value that ends up in a header before the header string is built. Carriage return and newline characters (“\r” and “\n”) must be rejected outright, since they are what lets an attacker start a new header line. Stronger still is a whitelist of allowed characters, so that only the values the application expects are ever processed. Two further rules limit the damage if validation slips: never build the From header from user input (send from a fixed site address and put the user’s address in Reply-To), and prefer a maintained mail library that validates headers over hand-assembled header strings.
Applying this to the vulnerable contact form above, the fix validates the ‘name’ and ‘replyTo’ fields against a whitelist before the headers are built:
<?php
if (isset($_POST['name'])) {
    $name = $_POST['name'];
    $replyto = $_POST['replyTo'];
    $message = $_POST['message'];
    $to = 'root@localhost';
    $subject = 'My Subject';
    // Input validation using a whitelist of allowed characters.
    // The hyphen is last in the class so it is literal, not a range;
    // the D modifier stops $ from matching before a trailing newline.
    if (preg_match('/^[a-zA-Z0-9 ._-]+$/D', $name) && filter_var($replyto, FILTER_VALIDATE_EMAIL)) {
        // Set SMTP headers
        $headers = "From: $name\n" .
            "Reply-To: $replyto";
        mail($to, $subject, $message, $headers);
    } else {
        echo "Invalid input detected. Please ensure your input only contains allowed characters.";
    }
}
?>
In this modified code, preg_match() checks that the ‘name’ input contains only allowed characters: letters, digits, spaces, periods, underscores and hyphens. Two details of the pattern matter. The hyphen is written last inside the character class so that it is a literal; written as ‘.-_’, which is easy to do by accident, it defines a range from ‘.’ to ‘_’ that also admits characters such as ‘<’, ‘>’, ‘@’ and ‘:’. The D modifier makes ‘$’ match only at the very end of the string; without it PCRE also lets ‘$’ match just before a trailing newline, so “John Doe\n” would pass the check. filter_var() with the FILTER_VALIDATE_EMAIL filter validates the ‘replyTo’ input as a syntactically valid email address, which by definition cannot contain a line break. If both checks pass, the email is sent; otherwise an error message is displayed.
Whitelisting the input this way removes the line breaks an attacker needs and so closes the header injection, protecting both the application and the people who would otherwise receive spam or phishing sent through it. One thing the example still does that a production form should not is to build From from the user’s name alone: “From: John Doe” carries no address and is malformed, and user input should never decide the sender. Use a fixed From address for the site and keep the user’s address in Reply-To.
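The hardened side of the form, as an added example that is not part of the original post and not the page’s PHP: the same checks the PHP fix relies on, made explicit in Python, with a fixed sender address and user input confined to a display name and Reply-To, plus a check that the mail library itself refuses a header value containing a line break. SITE_FROM, the whitelist patterns and the test addresses are assumptions for this example.

```python
"""Added example: hardened header handling for the contact form in Python.
SITE_FROM, the whitelist patterns and all addresses are assumptions made for
this example, not values from the original post.
"""
import re
from email.message import EmailMessage

# Deliberately narrow whitelists, stricter than RFC 5322 permits.
NAME_RE = re.compile(r"[A-Za-z0-9 ._-]+")
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

SITE_FROM = "contact-form@example.com"  # assumed fixed sender for the site


def reject_line_breaks(field: str, value: str) -> None:
    """The check that matters most: a CR or LF anywhere in a header value is a
    header injection attempt, whatever else the value looks like."""
    if "\r" in value or "\n" in value:
        raise ValueError(f"{field}: CR/LF not allowed in header values")


def build_safe_message(name: str, reply_to: str, body: str) -> EmailMessage:
    reject_line_breaks("name", name)
    reject_line_breaks("replyTo", reply_to)
    # fullmatch(), not match() with a trailing `$`: `$` also matches just
    # before a final newline, so match() would let "John Doe\n" through.
    if not NAME_RE.fullmatch(name):
        raise ValueError("name: contains characters outside the whitelist")
    if not ADDR_RE.fullmatch(reply_to):
        raise ValueError("replyTo: not a valid email address")

    msg = EmailMessage()
    msg["To"] = "root@localhost"
    msg["Subject"] = "My Subject"
    # User input never becomes the sender address: the name is only a display
    # name on the site's fixed From:, and the user's address goes to Reply-To.
    # Quoting is safe because the whitelist excludes '"' and '\\'.
    msg["From"] = f'"{name}" <{SITE_FROM}>'
    msg["Reply-To"] = reply_to
    msg.set_content(body)
    return msg


def form_accepts(name: str, reply_to: str) -> bool:
    """True if the hardened form would send mail for these inputs."""
    try:
        build_safe_message(name, reply_to, "Hello")
    except ValueError:
        return False
    return True


def library_rejects(header_value: str) -> bool:
    """Defence in depth: EmailMessage refuses a multi-line header value on
    assignment, independently of the whitelist above."""
    try:
        EmailMessage()["From"] = header_value
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_safe_message("John Doe", "jane@example.org", "Hello"))
    print("injected name accepted:",
          form_accepts("John Doe\nBcc: attacker@example.net", "jane@example.org"))
    print("library rejects newline:",
          library_rejects("John Doe\nBcc: attacker@example.net"))
```

The explicit CR/LF check comes first so that a rejected attempt is logged for what it is rather than as a generic “bad characters” error, and it stays correct even if someone later loosens the whitelist. The last function is the reason to prefer a real mail library: even with the checks removed, assigning the injected value to a header raises instead of producing a second header line.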
Email header injection is a significant application security vulnerability that bug bounty hunters must be familiar with. Understanding how SMTP works, recognizing vulnerable code, and employing the right detection and mitigation techniques will help you in your quest for securing web applications and earning bounties. Stay vigilant and keep hunting!
Ready to make a real impact on cybersecurity? Join us at Capture The Bug, a bug bounty platform connecting researchers with top companies. Earn rewards and be part of a supportive community working to make the internet a safer place.
Follow us on Twitter: https://twitter.com/Capturethebugs