E-mail Header Injection Vulnerabilities
- Sai Prashanth Chandramouli
Sai Prashanth Chandramouli has a Masters in Computer Science from Arizona State University, with a thesis on E-mail Header Injection vulnerability, which he developed under the guidance of Dr. Adam Doupé. His interests include web security and computational creativity.
Arizona State University, P.O. Box 878809, Tempe, AZ 85287-8809, UnitedStates of America
Dr. Ziming Zhao is an assistant research professor in the School of Computing, Informatics, and Decision Systems Engineering, Ira A. Fulton Schools of Engineering, Arizona State University. His research interests include system and network security and cybercrime analysis. Dr. Zhao received a Ph.D in Computer Science from Arizona State University (ASU). He is a member of IEEE and the ACM.
Arizona State University, P.O. Box 878809, Tempe, AZ 85287-8809, UnitedStates of America
Dr. Adam Doupé is an Assistant Professor in the School of Computing, Informatics, and Decision Systems Engineering at Arizona State University. His research interests include vulnerability analysis, web security, mobile security, and hacking competitions, which has been supported by the National Science Foundation.
Arizona State University, P.O. Box 878809, Tempe, AZ 85287-8809, UnitedStates of America
andGail-Joon AhnDr. Gail-Joon Ahn is currently a professor of computer science and engineering in the School of Computing, Informatics, and Decision Systems Engineering and the director of Center for Cybersecurity and Digital Forensics, Arizona State University. His research interests include information and systems security, vulnerability and risk management, access control, and security architecture for distributed systems, which has been supported by National Science Foundation, Department of Defense, Office of Naval Research, Army Research Office, Department of Justice, and private sectors including Allstate, Bank of America, Hewlett Packard, Microsoft, Robert Wood Johnson Foundation, Cisco, GoDaddy, and Intel. He received the Department of Energy Early Career Investigator Award and the Educator of the Year Award given by the Federal Information Systems Security Educators Association in 2005.
Arizona State University, P.O. Box 878809, Tempe, AZ 85287-8809, UnitedStates of America
Abstract
E-mail Header Injection vulnerability is a class of vulnerability that can occur in web applications that use user input to construct e-mailmessages. E-mail Header Injection is possible when the mailing script fails to check for the presence of e-mail headers in user input (eitherform fields or URL parameters). The vulnerability exists in the reference implementation of the built-in mailfunctionality in popular languages such as PHP, Java, Python, and Ruby. With the proper injection string, thisvulnerability can be exploited to inject additional headers, modify existing headers, and alter the content of thee-mail.
About the authors
Sai Prashanth Chandramouli has a Masters in Computer Science from Arizona State University, with a thesis on E-mail Header Injection vulnerability, which he developed under the guidance of Dr. Adam Doupé. His interests include web security and computational creativity.
Arizona State University, P.O. Box 878809, Tempe, AZ 85287-8809, UnitedStates of America
Dr. Ziming Zhao is an assistant research professor in the School of Computing, Informatics, and Decision Systems Engineering, Ira A. Fulton Schools of Engineering, Arizona State University. His research interests include system and network security and cybercrime analysis. Dr. Zhao received a Ph.D in Computer Science from Arizona State University (ASU). He is a member of IEEE and the ACM.
Arizona State University, P.O. Box 878809, Tempe, AZ 85287-8809, UnitedStates of America
Dr. Adam Doupé is an Assistant Professor in the School of Computing, Informatics, and Decision Systems Engineering at Arizona State University. His research interests include vulnerability analysis, web security, mobile security, and hacking competitions, which has been supported by the National Science Foundation.
Arizona State University, P.O. Box 878809, Tempe, AZ 85287-8809, UnitedStates of America
Dr. Gail-Joon Ahn is currently a professor of computer science and engineering in the School of Computing, Informatics, and Decision Systems Engineering and the director of Center for Cybersecurity and Digital Forensics, Arizona State University. His research interests include information and systems security, vulnerability and risk management, access control, and security architecture for distributed systems, which has been supported by National Science Foundation, Department of Defense, Office of Naval Research, Army Research Office, Department of Justice, and private sectors including Allstate, Bank of America, Hewlett Packard, Microsoft, Robert Wood Johnson Foundation, Cisco, GoDaddy, and Intel. He received the Department of Energy Early Career Investigator Award and the Educator of the Year Award given by the Federal Information Systems Security Educators Association in 2005.
Arizona State University, P.O. Box 878809, Tempe, AZ 85287-8809, UnitedStates of America
©2017 Walter de Gruyter Berlin/Boston
Articles in the same Issue
- Frontmatter
- Editorial
- Vulnerability analysis
- Thematic Issue: Vulnerability Analysis
- On the misuse of graphical user interface elements to implement security controls
- E-mail Header Injection Vulnerabilities
- 64-Bit Migration Vulnerabilities
- Cross-architecture bug search in binary executables
- Exploitation as code reuse: On the need of formalization
- Distinguished Dissertations
- Pattern-based methods for vulnerability discovery
Articles in the same Issue
- Frontmatter
- Editorial
- Vulnerability analysis
- Thematic Issue: Vulnerability Analysis
- On the misuse of graphical user interface elements to implement security controls
- E-mail Header Injection Vulnerabilities
- 64-Bit Migration Vulnerabilities
- Cross-architecture bug search in binary executables
- Exploitation as code reuse: On the need of formalization
- Distinguished Dissertations
- Pattern-based methods for vulnerability discovery
