DOI: 10.1145/3167132.3167308
Research article

Measuring E-mail header injections on the world wide web

Published: 09 April 2018

Abstract

E-mail header injection is a class of vulnerability that occurs in web applications that use user input to construct e-mail messages. E-mail header injection vulnerabilities exist in the built-in e-mail functionality of the popular languages PHP, Java, Python, and Ruby. With the proper injection string, this vulnerability can be exploited to allow an attacker to inject additional headers, modify existing headers, and alter the content of the e-mail.
While e-mail header injection vulnerabilities are known to the community, and some commercial vulnerability scanners claim to discover them, they have never been studied by the academic community. This paper presents a scalable mechanism to automatically detect e-mail header injection vulnerabilities and uses this mechanism to quantify their prevalence on the web. From crawling 23,553,796 URLs, we found 994 vulnerable URLs across 414 domains. 135 of these domains are in the Alexa top 1 million, and five of them are in the top 20,000. 137 of the vulnerable domains use anti-spoofing mechanisms such as DKIM, SPF, or DMARC, and e-mail header injection renders this protection useless. This work shows that e-mail header injection vulnerabilities are widespread and deserve future research attention.
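The root cause described in the abstract, as an added example that is not part of the paper: a minimal contact-form mailer that splices untrusted fields straight into message headers, next to a hardened variant that refuses any header field containing CR or LF, and a parser check showing how a receiving agent would see the extra header. Field names, addresses and the sample subjects are constructed.

```python
import re
from email.parser import Parser

# Constructed sample submissions (not from the paper).
SAFE_SUBJECT = "Question about pricing"
# A value that ends its own header line and starts another one.
UNSAFE_SUBJECT = "Question\r\nBcc: third-party@example.invalid"

# Any CR or LF in a user-supplied field terminates the current header line.
# Legitimate folded headers also contain CRLF, but form input never needs
# folding, so reject the submission rather than try to repair it.
HEADER_BREAK = re.compile(r"[\r\n]")


class HeaderInjectionError(ValueError):
    """Raised when a submitted field would break out of its header."""


def render_message(sender, recipient, subject, body):
    """Format a minimal RFC 5322 message; header values are used as given."""
    return f"From: {sender}\r\nTo: {recipient}\r\nSubject: {subject}\r\n\r\n{body}"


def build_message_naive(sender, recipient, subject, body):
    """Vulnerable pattern: form fields are spliced directly into headers."""
    return render_message(sender, recipient, subject, body)


def rejected_fields(fields):
    """Return the names of submitted fields that contain CR or LF."""
    return [name for name, value in fields.items() if HEADER_BREAK.search(value)]


def build_message_safe(sender, recipient, subject, body):
    """Hardened pattern: refuse the submission if any header field is tainted."""
    bad = rejected_fields({"From": sender, "To": recipient, "Subject": subject})
    if bad:
        raise HeaderInjectionError(f"CR/LF in header field(s): {', '.join(bad)}")
    return render_message(sender, recipient, subject, body)


def header_names(raw_message):
    """Parse the raw message as a receiving agent would and list its header names."""
    return [name for name, _ in Parser().parsestr(raw_message).items()]


if __name__ == "__main__":
    naive = build_message_naive("visitor@example.invalid", "sales@example.invalid",
                                UNSAFE_SUBJECT, "Hello")
    print(header_names(naive))  # the injected Bcc appears as a fourth header
    try:
        build_message_safe("visitor@example.invalid", "sales@example.invalid",
                           UNSAFE_SUBJECT, "Hello")
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```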




    Published In

    SAC '18: Proceedings of the 33rd Annual ACM Symposium on Applied Computing
    April 2018
    2327 pages
    ISBN:9781450351911
    DOI:10.1145/3167132

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. E-mail header injection
    2. software security

    Qualifiers

    • Research-article

    Conference

    SAC 2018
    Sponsor:
    SAC 2018: Symposium on Applied Computing
    April 9 - 13, 2018
    Pau, France

    Acceptance Rates

    Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

    Article Metrics

    • Downloads (Last 12 months)12
    • Downloads (Last 6 weeks)2
    Reflects downloads up to 18 Dec 2024

    Cited By

    • (2023) Artificial Intelligence Web Application Firewall for advanced detection of web injection attacks. Expert Systems 42:1, doi:10.1111/exsy.13505. Online publication date: 27-Nov-2023
    • (2023) Input Validation Vulnerabilities in Web Applications: Systematic Review, Classification, and Analysis of the Current State-of-the-Art. IEEE Access 11, pp. 40128-40161, doi:10.1109/ACCESS.2023.3266385. Online publication date: 2023
    • (2023) Development of Web Application Firewall Based on Artificial Intelligence. New Trends in Disruptive Technologies, Tech Ethics and Artificial Intelligence, pp. 18-27, doi:10.1007/978-3-031-38344-1_3. Online publication date: 22-Jul-2023
    • (2022) Advanced Analysis of Email Sender Spoofing Attack and Related Security Problems. 2022 IEEE 9th International Conference on Cyber Security and Cloud Computing (CSCloud) / 2022 IEEE 8th International Conference on Edge Computing and Scalable Cloud (EdgeCom), pp. 80-85, doi:10.1109/CSCloud-EdgeCom54986.2022.00023. Online publication date: Jun-2022
    • (2022) An Anti-forensic Method Based on RS Coding and Distributed Storage. Algorithms and Architectures for Parallel Processing, pp. 240-254, doi:10.1007/978-3-030-95388-1_16. Online publication date: 23-Feb-2022
    • (2019) What Happens After You Leak Your Password. Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 181-192, doi:10.1145/3321705.3329818. Online publication date: 2-Jul-2019
    • (2018) Needle in a Haystack. Proceedings of the Internet Measurement Conference 2018, pp. 429-442, doi:10.1145/3278532.3278569. Online publication date: 31-Oct-2018
