Published by De Gruyter Oldenbourg, March 15, 2017

E-mail Header Injection Vulnerabilities

  • Sai Prashanth Chandramouli
  • Ziming Zhao
  • Adam Doupé
  • Gail-Joon Ahn

Abstract

E-mail Header Injection vulnerability is a class of vulnerability that can occur in web applications that use user input to construct e-mail messages. E-mail Header Injection is possible when the mailing script fails to check for the presence of e-mail headers in user input (either form fields or URL parameters). The vulnerability exists in the reference implementation of the built-in mail functionality in popular languages such as PHP, Java, Python, and Ruby. With the proper injection string, this vulnerability can be exploited to inject additional headers, modify existing headers, and alter the content of the e-mail.
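The failure mode the abstract describes, shown as an added example that is not code from the paper: a mailing script that pastes a form field into the header block, next to a version that checks the field first. The function names, addresses and sample subjects are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Constructed form inputs: the second "subject" carries a CRLF and a header line.
BENIGN_SUBJECT = "Question about my order"
TAINTED_SUBJECT = "Hello\r\nBcc: third-party@example.org"


def build_naive(sender, to, subject, body):
    """Vulnerable pattern: user input is pasted straight into the header block."""
    return f"From: {sender}\r\nTo: {to}\r\nSubject: {subject}\r\n\r\n{body}"


def header_names(raw):
    """Header field names a mail parser sees in a raw message, lower-cased."""
    return [name.lower() for name in message_from_string(raw).keys()]


def reject_header_breaks(value):
    """Refuse any value that could terminate the current header line."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break in header value")
    return value


def build_checked(sender, to, subject, body):
    """Hardened pattern: validate each user-supplied header value before use."""
    msg = EmailMessage()
    msg["From"] = reject_header_breaks(sender)
    msg["To"] = reject_header_breaks(to)
    msg["Subject"] = reject_header_breaks(subject)
    msg.set_content(body)
    return msg.as_string()


def is_rejected(subject):
    """True if the hardened builder refuses this subject value."""
    try:
        build_checked("webform@example.com", "support@example.com", subject, "hi")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    raw = build_naive("webform@example.com", "support@example.com", TAINTED_SUBJECT, "hi")
    print(header_names(raw))             # the naive message gains an extra header
    print(is_rejected(TAINTED_SUBJECT))  # the checked builder refuses the input
```

Rejecting the value outright, rather than stripping the line break and sending anyway, keeps a malformed submission from reaching the mail transport at all.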

About the authors

Sai Prashanth Chandramouli

Sai Prashanth Chandramouli has a Masters in Computer Science from Arizona State University, with a thesis on E-mail Header Injection vulnerability, which he developed under the guidance of Dr. Adam Doupé. His interests include web security and computational creativity.

Arizona State University, P.O. Box 878809, Tempe, AZ 85287-8809, United States of America

Ziming Zhao

Dr. Ziming Zhao is an assistant research professor in the School of Computing, Informatics, and Decision Systems Engineering, Ira A. Fulton Schools of Engineering, Arizona State University. His research interests include system and network security and cybercrime analysis. Dr. Zhao received a Ph.D in Computer Science from Arizona State University (ASU). He is a member of IEEE and the ACM.

Arizona State University, P.O. Box 878809, Tempe, AZ 85287-8809, United States of America

Adam Doupé

Dr. Adam Doupé is an Assistant Professor in the School of Computing, Informatics, and Decision Systems Engineering at Arizona State University. His research interests include vulnerability analysis, web security, mobile security, and hacking competitions, which has been supported by the National Science Foundation.

Arizona State University, P.O. Box 878809, Tempe, AZ 85287-8809, United States of America

Gail-Joon Ahn

Dr. Gail-Joon Ahn is currently a professor of computer science and engineering in the School of Computing, Informatics, and Decision Systems Engineering and the director of Center for Cybersecurity and Digital Forensics, Arizona State University. His research interests include information and systems security, vulnerability and risk management, access control, and security architecture for distributed systems, which has been supported by National Science Foundation, Department of Defense, Office of Naval Research, Army Research Office, Department of Justice, and private sectors including Allstate, Bank of America, Hewlett Packard, Microsoft, Robert Wood Johnson Foundation, Cisco, GoDaddy, and Intel. He received the Department of Energy Early Career Investigator Award and the Educator of the Year Award given by the Federal Information Systems Security Educators Association in 2005.

Arizona State University, P.O. Box 878809, Tempe, AZ 85287-8809, United States of America

Received: 2016-8-9
Accepted: 2016-11-16
Published Online: 2017-3-15
Published in Print: 2017-4-20

©2017 Walter de Gruyter Berlin/Boston

Downloaded on 19.3.2024 from https://www.degruyter.com/document/doi/10.1515/itit-2016-0039/html