TY - GEN
T1 - Measuring E-mail header injections on the world wide web
AU - Chandramouli, Sai Prashanth
AU - Bajan, Pierre Marie
AU - Kruegel, Christopher
AU - Vigna, Giovanni
AU - Zhao, Ziming
AU - Doupe, Adam
AU - Ahn, Gail-Joon
N1 - Funding Information:
This material is based upon work supported by the National Science Foundation under Grant 1623246, 1623269, and 1651661. This work was also partially supported by a grant from the Center for Cybersecurity and Digital Forensics at Arizona State University.
Publisher Copyright:
© 2018 ACM.
PY - 2018/4/9
Y1 - 2018/4/9
AB - E-mail header injection vulnerability is a class of vulnerability that can occur in web applications that use user input to construct e-mail messages. E-mail header injection vulnerabilities exist in the built-in e-mail functionality of the popular languages PHP, Java, Python, and Ruby. With the proper injection string, this vulnerability can be exploited to allow an attacker to inject additional headers, modify existing headers, and alter the content of the e-mail. While E-mail header injection vulnerabilities are known to the community, and some commercial vulnerability scanners claim to discover E-mail header injection vulnerabilities, they have never been studied by the academic community. This paper presents a scalable mechanism to automatically detect E-mail header injection vulnerabilities and uses this mechanism to quantify the prevalence of E-mail header injection vulnerabilities on the web. From crawling 23,553,796 URLs, we found 994 vulnerable URLs across 414 domains. 135 of these domains are in the Alexa top 1 million, and five of them are in the top 20,000. 137 of the vulnerable domains are using anti-spoofing mechanisms such as DKIM, SPF, or DMARC, and E-mail header injection renders this protection useless. This work shows that E-mail header injection vulnerabilities are widespread and deserve future research attention.
KW - E-mail header injection
KW - Software security
UR - http://www.scopus.com/inward/record.url?scp=85050528797&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85050528797&partnerID=8YFLogxK
U2 - 10.1145/3167132.3167308
DO - 10.1145/3167132.3167308
M3 - Conference contribution
AN - SCOPUS:85050528797
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 1647
EP - 1656
BT - Proceedings of the 33rd Annual ACM Symposium on Applied Computing, SAC 2018
PB - Association for Computing Machinery
T2 - 33rd Annual ACM Symposium on Applied Computing, SAC 2018
Y2 - 9 April 2018 through 13 April 2018
ER -