Header Injection

Header injection is a class of vulnerabilities in web applications that occurs when the header of a protocol is generated dynamically from insufficiently checked user input.

In HTTP, header injection can lead, for example, to HTTP response splitting and cross-site scripting. When e-mails are created dynamically by a web application, a header injection attack can be used to add further recipients to an e-mail, for example to send spam (e-mail injection).


Example: E-mail Injection
The vulnerability is that data entered into a contact form is passed to the mail server without further checking. The attacker benefits from two facts: the header information of an e-mail is placed line by line at the beginning of the e-mail, and some programming languages for web applications do not themselves check the data when sending an e-mail. E-mail injection works by filling single-line fields, such as the subject of the request, with several lines of information. In this way additional recipients can be set, for example as "CC" or "BCC", even if the programmer has fixed the recipient address in the web application.

<?php
// Request data as sent by the attacker: one form field that carries several header lines
$_REQUEST = array(
"name_absender" => "of
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: mail spam
bcc: spam@example.com
ec36ff5aa45502446284c4f3ce2b3896."
);

Here $_REQUEST is the array that contains all the variables passed with the HTTP request, in this case only the variable name_absender. This is a string of 215 characters, which extends over nine lines. If the web application inserts the name of the sender into the header of an e-mail, the e-mail is unintentionally also sent to the address at the provider example.com. This is not yet the sending of spam itself, but a test of whether the contact form is vulnerable. The line with the 32 characters is probably a hash value with which the attacker has encoded the URL of the unprotected contact form in order to identify it later.

To prevent header injection, user input must be checked carefully, above all for the metacharacters that apply in the given context. In general, the individual header fields are separated by the newline sequence CRLF. This sequence must therefore be masked or filtered out of user input. In HTTP and SMTP, for example, URL encoding is used for masking; in SMTP, quoted-printable encoding is used in addition.

In PHP, since versions 4.4.2 and 5.1.2 respectively, injection is prevented automatically in the header function. In the mail function, however, this must still be secured manually.
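
One way to secure a mail() call by hand, shown next to the vulnerable form, as an added example that is not part of the original page. The function names, the addresses and the length limits are assumptions, and the display name is wrapped in a base64 encoded-word (RFC 2047) instead of the quoted-printable encoding mentioned above.

```php
<?php
// Added example; all function names and addresses are hypothetical.

// Vulnerable: the name goes into the header block unchanged, so a CR or LF
// inside it starts a new header line such as "bcc: ...".
function build_headers_vulnerable(string $name, string $email): string
{
    return "Reply-To: $name <$email>\r\nX-Mailer: contact-form";
}

// Reject a value containing CR, LF or NUL instead of trying to repair it.
function clean_header_value(string $value, int $maxLen = 40): string
{
    if (preg_match('/[\r\n\0]/', $value) || strlen($value) > $maxLen) {
        throw new InvalidArgumentException('illegal header value');
    }
    return trim($value);
}

function build_headers_safe(string $name, string $email): string
{
    $name  = clean_header_value($name);
    $email = clean_header_value($email, 254);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    // RFC 2047 encoded-word (base64 variant): quotes or angle brackets in
    // the name can no longer change the structure of the header.
    $display = '=?UTF-8?B?' . base64_encode($name) . '?=';
    return "Reply-To: $display <$email>\r\nX-Mailer: contact-form";
}

function send_contact_mail(string $name, string $email, string $subject, string $body): bool
{
    // The recipient is fixed; the subject is a header field and is checked too.
    return mail('owner@example.org', clean_header_value($subject, 78),
                $body, build_headers_safe($name, $email));
}

// Constructed input modelled on the multi-line name_absender value above.
$payload = "of\r\nSubject: mail spam\r\nbcc: spam@example.com";
echo build_headers_vulnerable($payload, 'visitor@example.org'), "\n\n";
try {
    build_headers_safe($payload, 'visitor@example.org');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo build_headers_safe('Erika Mustermann', 'visitor@example.org'), "\n";
```

The 40-byte limit on the name keeps the encoded-word under the 75-character maximum that RFC 2047 allows.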

Header injection can lead to cross-site scripting or HTTP response splitting, which would make it possible to transmit malicious code and/or to take control of the website on the web server. With appropriate defensive measures, namely the careful checking of user input, header injection can be prevented completely, and we can all look forward to receiving fewer spam messages.