Measuring E-mail header injections on the world wide web

Sai Prashanth Chandramouli, Pierre Marie Bajan, Christopher Kruegel, Giovanni Vigna, Ziming Zhao, Adam Doupe, Gail-Joon Ahn

Research output: Chapter in Book/Report/Conference proceedingConference contribution

9 Scopus citations


E-mail header injection vulnerability is a class of vulnerability that can occur in web applications that use user input to construct e-mail messages. E-mail header injection vulnerabilities exist in the built-in e-mail functionality of the popular languages PHP, Java, Python, and Ruby. With the proper injection string, this vulnerability can be exploited to allow an attacker to inject additional headers, modify existing headers, and alter the content of the e-mail. While E-mail header injection vulnerabilities are known to the community, and some commercial vulnerability scanners claim to discover E-mail header injection vulnerabilities, they have never been studied by the academic community. This paper presents a scalable mechanism to automatically detect E-mail header injection vulnerabilities and uses this mechanism to quantify the prevalence of E-mail header injection vulnerabilities on the web. From crawling 23,553,796 URLs, we found 994 vulnerable URLs across 414 domains. 135 of these domains are in the Alexa top 1 million, and five of them are in the top 20,000. 137 of the vulnerable domains are using anti-spoofing mechanisms such as DKIM, SPF, or DMARC, and E-mail header injection renders this protection useless. This work shows that E-mail header injection vulnerabilities are widespread and deserve future research attention.

Original languageEnglish (US)
Title of host publicationProceedings of the 33rd Annual ACM Symposium on Applied Computing, SAC 2018
PublisherAssociation for Computing Machinery
Number of pages10
ISBN (Electronic)9781450351911
StatePublished - Apr 9 2018
Event33rd Annual ACM Symposium on Applied Computing, SAC 2018 - Pau, France
Duration: Apr 9 2018Apr 13 2018

Publication series

NameProceedings of the ACM Symposium on Applied Computing


Other33rd Annual ACM Symposium on Applied Computing, SAC 2018


  • E-mail header injection
  • Software security

ASJC Scopus subject areas

  • Software


Dive into the research topics of 'Measuring E-mail header injections on the world wide web'. Together they form a unique fingerprint.

Cite this