Sending emails is security-sensitive. For example, it has led in the past to the following vulnerabilities:
Emails can create multiple vulnerabilities:

- Information exposure: emails often contain sensitive information which might be exposed to an attacker.
- Injecting dangerous content: emails can contain HTML and JavaScript code, thus they can be used for XSS attacks.
- Email header injection: this is one of the most common attacks.
Email fields such as subject, to, cc, bcc and from are set in email "headers". Those headers are separated by CR ("carriage return", often represented as \r) or LF ("line feed", often represented as \n) characters.
If an unsanitized input is provided to a header field, it becomes vulnerable to Email Header Injection attacks. An attacker can then add fields in the header or even modify the message.
For example, providing the following value to the From field:

me@example.com\nCc:injectedrecipient@otherexample.com\nBcc:yetanother@myexample.com,andagain@thisisdangerous.net

would result in injecting two additional fields (CC and BCC):

FROM: me@example.com
CC: injectedrecipient@otherexample.com
BCC: yetanother@myexample.com,andagain@thisisdangerous.net
This rule raises an issue when an API sending emails is called.
You are at risk if you answered yes to any of those questions.
```java
import javax.mail.*;
import javax.mail.internet.MimeMessage;

public class Main {
    public static void sendEmail(Session session, String subject) throws MessagingException {
        Message message = new MimeMessage(session); // Sensitive
        // For example the setSubject method is vulnerable to Header injection before
        // version 1.5.6 of javamail
        message.setSubject(subject);
        // ...
    }
}
```
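As an added example (not the rule's or javamail's own code), the check a caller should apply before handing untrusted values to the MimeMessage header setters: refuse any CR or LF so a single field cannot turn into several header lines. It assumes a configured javax.mail Session and treats the from, to and subject parameters as untrusted input.

```java
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

public class SafeMail {

    // Reject any header value that could start a new header line. Both CR and LF
    // are refused; returning the value lets the check be used inline.
    static String requireSingleLine(String field, String value) {
        if (value == null || value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException(
                "Header field '" + field + "' must not contain CR or LF characters");
        }
        return value;
    }

    // Builds the message with validated header values. 'session' is a configured
    // javax.mail Session; 'from', 'to' and 'subject' are untrusted user input.
    public static MimeMessage buildMessage(Session session, String from, String to,
                                           String subject, String body)
            throws MessagingException {
        MimeMessage message = new MimeMessage(session);
        // Strict address parsing rejects malformed addresses instead of guessing.
        message.setFrom(new InternetAddress(requireSingleLine("From", from), true));
        message.setRecipients(Message.RecipientType.TO,
                InternetAddress.parse(requireSingleLine("To", to), true));
        // Validate before setSubject: javamail versions before 1.5.6 do not reject
        // CR/LF here themselves, so the check has to live in the calling code.
        message.setSubject(requireSingleLine("Subject", subject));
        message.setText(body);
        return message;
    }

    public static void main(String[] args) {
        // Constructed sample, taken from the injected From value described above.
        String injected = "me@example.com\nCc:injectedrecipient@otherexample.com";
        try {
            requireSingleLine("From", injected);
            System.out.println("accepted (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting rather than stripping the characters keeps the failure visible in logs, which is where an attempted injection should be noticed.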