Title
Measuring E-mail header injections on the world wide web.
Abstract
E-mail header injection is a class of vulnerability that can occur in web applications that use user input to construct e-mail messages. E-mail header injection vulnerabilities exist in the built-in e-mail functionality of the popular languages PHP, Java, Python, and Ruby. With the proper injection string, this vulnerability can be exploited to allow an attacker to inject additional headers, modify existing headers, and alter the content of the e-mail. While E-mail header injection vulnerabilities are known to the community, and some commercial vulnerability scanners claim to discover them, they have never been studied by the academic community. This paper presents a scalable mechanism to automatically detect E-mail header injection vulnerabilities and uses it to quantify their prevalence on the web. From crawling 23,553,796 URLs, we found 994 vulnerable URLs across 414 domains. 135 of these domains are in the Alexa top 1 million, and five of them are in the top 20,000. 137 of the vulnerable domains use anti-spoofing mechanisms such as DKIM, SPF, or DMARC, and E-mail header injection renders this protection useless. This work shows that E-mail header injection vulnerabilities are widespread and deserve future research attention.
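As an added example (not code from the paper or its authors), the string-concatenation pattern the abstract describes, placed next to a defensive check that rejects line breaks in user-supplied header fields before a message is built; the form field names and e-mail addresses are constructed for the demo.

```python
"""Added example: e-mail header injection, vulnerable pattern and a defensive check.
Assumes a web form that passes `recipient`, `subject` and `body` to the mailer;
all addresses and field values below are constructed for the demo."""
import re
from email.message import EmailMessage
from email.policy import SMTP

# RFC 5322 header lines end at CR/LF; a NUL can truncate the value in some
# mailers. None of them may appear inside a single user-supplied header value.
_HEADER_BREAK = re.compile(r"[\r\n\x00]")

class HeaderInjectionError(ValueError):
    """A user-supplied field would start a new header line."""

def is_header_injection(value: str) -> bool:
    """True if `value` contains a character that terminates a header line."""
    return _HEADER_BREAK.search(value) is not None

def find_injected_fields(fields: dict) -> list:
    """Names of the header fields (in order) whose value fails the check."""
    return [name for name, value in fields.items() if is_header_injection(value)]

def naive_headers(recipient: str, subject: str) -> list:
    """The vulnerable pattern from the abstract: user input is spliced into the
    raw header block, so a CRLF inside a field yields extra header lines.
    Returns the block split into lines, as a receiving mail server sees it."""
    raw = f"To: {recipient}\r\nSubject: {subject}\r\n"
    return raw.rstrip("\r\n").split("\r\n")

def safe_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """Hardened builder: reject injection attempts before any header is set and
    let the stdlib message object own the header serialisation."""
    bad = find_injected_fields({"From": sender, "To": recipient, "Subject": subject})
    if bad:
        raise HeaderInjectionError(f"line break in field(s): {', '.join(bad)}")
    msg = EmailMessage(policy=SMTP)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

if __name__ == "__main__":
    # Constructed test input: a second header hidden behind a CRLF.
    tainted = "user@example.test\r\nBcc: extra@example.test"
    print(naive_headers(tainted, "hi"))  # 3 header lines; the Bcc was injected
    try:
        safe_message("app@example.test", tainted, "hi", "hello")
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

The same check applies to any field that lands in a header (Reply-To, Cc, a "name" used in a display address); the body is the only form field that may legitimately contain line breaks.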
Year: 2018
DOI: 10.1145/3167132.3167308
Venue: SAC 2018: Symposium on Applied Computing, Pau, France, April 2018
Keywords: E-mail header injection, Software Security
Field: World Wide Web, DomainKeys Identified Mail, HTTP header injection, Computer science, Software security assurance, Web application, Header, Java, Python (programming language), Scalability
DocType: Conference
ISBN: 978-1-4503-5191-1
Citations: 2
PageRank: 0.37
References: 11
Authors: 7
Name                        Order  Citations  PageRank
Sai Prashanth Chandramouli  1      2          0.37
Pierre-Marie Bajan          2      2          0.37
Christopher Kruegel         3      8799       516.05
Giovanni Vigna              4      7121       507.72
Ziming Zhao                 5      322        30.52
Adam Doupé                  6      357        33.14
Gail-Joon Ahn               7      3012       203.39