1 Citation (Scopus)

Abstract

E-mail header injection vulnerability is a class of vulnerability that can occur in web applications that use user input to construct e-mail messages. E-mail header injection vulnerabilities exist in the built-in e-mail functionality of the popular languages PHP, Java, Python, and Ruby. With the proper injection string, this vulnerability can be exploited to allow an attacker to inject additional headers, modify existing headers, and alter the content of the e-mail. While E-mail header injection vulnerabilities are known to the community, and some commercial vulnerability scanners claim to discover E-mail header injection vulnerabilities, they have never been studied by the academic community. This paper presents a scalable mechanism to automatically detect E-mail header injection vulnerabilities and uses this mechanism to quantify the prevalence of E-mail header injection vulnerabilities on the web. From crawling 23,553,796 URLs, we found 994 vulnerable URLs across 414 domains. 135 of these domains are in the Alexa top 1 million, and five of them are in the top 20,000. 137 of the vulnerable domains are using anti-spoofing mechanisms such as DKIM, SPF, or DMARC, and E-mail header injection renders this protection useless. This work shows that E-mail header injection vulnerabilities are widespread and deserve future research attention.

Original languageEnglish (US)
Title of host publicationProceedings of the 33rd Annual ACM Symposium on Applied Computing, SAC 2018
PublisherAssociation for Computing Machinery
Pages1647-1656
Number of pages10
VolumePart F137816
ISBN (Electronic)9781450351911
DOIs
StatePublished - Apr 9 2018
Event33rd Annual ACM Symposium on Applied Computing, SAC 2018 - Pau, France
Duration: Apr 9 2018Apr 13 2018

Other

Other33rd Annual ACM Symposium on Applied Computing, SAC 2018
CountryFrance
CityPau
Period4/9/184/13/18

Fingerprint

Electronic mail
World Wide Web
Websites
Ruby

Keywords

  • E-mail header injection
  • Software security

ASJC Scopus subject areas

  • Software

Cite this

Chandramouli, S. P., Bajan, P. M., Kruegel, C., Vigna, G., Zhao, Z., Doupe, A., & Ahn, G-J. (2018). Measuring E-mail header injections on the world wide web. In Proceedings of the 33rd Annual ACM Symposium on Applied Computing, SAC 2018 (Vol. Part F137816, pp. 1647-1656). Association for Computing Machinery. https://doi.org/10.1145/3167132.3167308

Measuring E-mail header injections on the world wide web. / Chandramouli, Sai Prashanth; Bajan, Pierre Marie; Kruegel, Christopher; Vigna, Giovanni; Zhao, Ziming; Doupe, Adam; Ahn, Gail-Joon.

Proceedings of the 33rd Annual ACM Symposium on Applied Computing, SAC 2018. Vol. Part F137816 Association for Computing Machinery, 2018. p. 1647-1656.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Chandramouli, SP, Bajan, PM, Kruegel, C, Vigna, G, Zhao, Z, Doupe, A & Ahn, G-J 2018, Measuring E-mail header injections on the world wide web. in Proceedings of the 33rd Annual ACM Symposium on Applied Computing, SAC 2018. vol. Part F137816, Association for Computing Machinery, pp. 1647-1656, 33rd Annual ACM Symposium on Applied Computing, SAC 2018, Pau, France, 4/9/18. https://doi.org/10.1145/3167132.3167308
Chandramouli SP, Bajan PM, Kruegel C, Vigna G, Zhao Z, Doupe A et al. Measuring E-mail header injections on the world wide web. In Proceedings of the 33rd Annual ACM Symposium on Applied Computing, SAC 2018. Vol. Part F137816. Association for Computing Machinery. 2018. p. 1647-1656 https://doi.org/10.1145/3167132.3167308
Chandramouli, Sai Prashanth ; Bajan, Pierre Marie ; Kruegel, Christopher ; Vigna, Giovanni ; Zhao, Ziming ; Doupe, Adam ; Ahn, Gail-Joon. / Measuring E-mail header injections on the world wide web. Proceedings of the 33rd Annual ACM Symposium on Applied Computing, SAC 2018. Vol. Part F137816 Association for Computing Machinery, 2018. pp. 1647-1656
@inproceedings{24db9a9025d24aaf90ee499e1977ee9c,
title = "Measuring E-mail header injections on the world wide web",
abstract = "E-mail header injection vulnerability is a class of vulnerability that can occur in web applications that use user input to construct e-mail messages. E-mail header injection vulnerabilities exist in the built-in e-mail functionality of the popular languages PHP, Java, Python, and Ruby. With the proper injection string, this vulnerability can be exploited to allow an attacker to inject additional headers, modify existing headers, and alter the content of the e-mail. While E-mail header injection vulnerabilities are known to the community, and some commercial vulnerability scanners claim to discover E-mail header injection vulnerabilities, they have never been studied by the academic community. This paper presents a scalable mechanism to automatically detect E-mail header injection vulnerabilities and uses this mechanism to quantify the prevalence of E-mail header injection vulnerabilities on the web. From crawling 23,553,796 URLs, we found 994 vulnerable URLs across 414 domains. 135 of these domains are in the Alexa top 1 million, and five of them are in the top 20,000. 137 of the vulnerable domains are using anti-spoofing mechanisms such as DKIM, SPF, or DMARC, and E-mail header injection renders this protection useless. This work shows that E-mail header injection vulnerabilities are widespread and deserve future research attention.",
keywords = "E-mail header injection, Software security",
author = "Chandramouli, {Sai Prashanth} and Bajan, {Pierre Marie} and Christopher Kruegel and Giovanni Vigna and Ziming Zhao and Adam Doupe and Gail-Joon Ahn",
year = "2018",
month = "4",
day = "9",
doi = "10.1145/3167132.3167308",
language = "English (US)",
volume = "Part F137816",
pages = "1647--1656",
booktitle = "Proceedings of the 33rd Annual ACM Symposium on Applied Computing, SAC 2018",
publisher = "Association for Computing Machinery",

}

TY - GEN

T1 - Measuring E-mail header injections on the world wide web

AU - Chandramouli, Sai Prashanth

AU - Bajan, Pierre Marie

AU - Kruegel, Christopher

AU - Vigna, Giovanni

AU - Zhao, Ziming

AU - Doupe, Adam

AU - Ahn, Gail-Joon

PY - 2018/4/9

Y1 - 2018/4/9

N2 - E-mail header injection vulnerability is a class of vulnerability that can occur in web applications that use user input to construct e-mail messages. E-mail header injection vulnerabilities exist in the built-in e-mail functionality of the popular languages PHP, Java, Python, and Ruby. With the proper injection string, this vulnerability can be exploited to allow an attacker to inject additional headers, modify existing headers, and alter the content of the e-mail. While E-mail header injection vulnerabilities are known to the community, and some commercial vulnerability scanners claim to discover E-mail header injection vulnerabilities, they have never been studied by the academic community. This paper presents a scalable mechanism to automatically detect E-mail header injection vulnerabilities and uses this mechanism to quantify the prevalence of E-mail header injection vulnerabilities on the web. From crawling 23,553,796 URLs, we found 994 vulnerable URLs across 414 domains. 135 of these domains are in the Alexa top 1 million, and five of them are in the top 20,000. 137 of the vulnerable domains are using anti-spoofing mechanisms such as DKIM, SPF, or DMARC, and E-mail header injection renders this protection useless. This work shows that E-mail header injection vulnerabilities are widespread and deserve future research attention.

AB - E-mail header injection vulnerability is a class of vulnerability that can occur in web applications that use user input to construct e-mail messages. E-mail header injection vulnerabilities exist in the built-in e-mail functionality of the popular languages PHP, Java, Python, and Ruby. With the proper injection string, this vulnerability can be exploited to allow an attacker to inject additional headers, modify existing headers, and alter the content of the e-mail. While E-mail header injection vulnerabilities are known to the community, and some commercial vulnerability scanners claim to discover E-mail header injection vulnerabilities, they have never been studied by the academic community. This paper presents a scalable mechanism to automatically detect E-mail header injection vulnerabilities and uses this mechanism to quantify the prevalence of E-mail header injection vulnerabilities on the web. From crawling 23,553,796 URLs, we found 994 vulnerable URLs across 414 domains. 135 of these domains are in the Alexa top 1 million, and five of them are in the top 20,000. 137 of the vulnerable domains are using anti-spoofing mechanisms such as DKIM, SPF, or DMARC, and E-mail header injection renders this protection useless. This work shows that E-mail header injection vulnerabilities are widespread and deserve future research attention.

KW - E-mail header injection

KW - Software security

UR - http://www.scopus.com/inward/record.url?scp=85050528797&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85050528797&partnerID=8YFLogxK

U2 - 10.1145/3167132.3167308

DO - 10.1145/3167132.3167308

M3 - Conference contribution

AN - SCOPUS:85050528797

VL - Part F137816

SP - 1647

EP - 1656

BT - Proceedings of the 33rd Annual ACM Symposium on Applied Computing, SAC 2018

PB - Association for Computing Machinery

ER -