What is E-mail Form Injection? Prevent It
E-mail injection is not like SQL injection, even though the name makes people think of something similar; it is used for spoofing, and it is one of the easiest attacks to carry out. I won't make this long.
Many sites have a contact form, also called a feedback form. Most of them are built securely, but new site builders can make mistakes in it. A feedback form that is vulnerable to e-mail injection can be used to send a carbon copy of the message to someone other than the site owner. Look for the field in the form labelled *YOUR EMAIL*.
An attacker can abuse such a feedback form just by entering the following string in that field:
"[email protected]%0ACc:[email protected]%0ABcc: [email protected]"
The injection above causes a carbon copy of the message to be sent to whatever address the attacker writes in place of *[email protected]*. As you can see, there is also a *victim2*, which means the message is sent to a second recipient as well; the attacker can add as many recipients as they want. Going back to the first part of the injection, the *[email protected]* written there is the sender, so the attacker can replace it with any site he wants. It could be FACEBOOK, in which case he would change that part to *[email protected]*.
How to prevent E-mail form injection:
Make sure the e-mail form is protected with a captcha and that every request made through the contact form is first checked against spam bots.
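As an added example (not code from this post or from any particular site), here is the input check such a form needs alongside the captcha: it rejects a sender field that contains a line break or anything other than a single address, and reports which headers an injected value would have added, which is what you want in the form's logs. The addresses and the `feedback@example.com` recipient are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs (not from the post's server): the post's injection string as
# the server sees it after form decoding, and an ordinary sender address.
INJECTED_SENDER = unquote("attacker@example.com%0ACc:victim1@example.com%0ABcc: victim2@example.com")
HONEST_SENDER = "visitor@example.com"

# Exactly one address: no whitespace, no CR/LF, no second header.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
LINE_BREAK_RE = re.compile(r"\r\n|\r|\n")


def smuggled_headers(field_value: str) -> list[str]:
    """Names of the extra headers a form value would add if pasted into a mail header.

    Meant for logging: an empty list means the value occupies a single header line.
    """
    extra_lines = LINE_BREAK_RE.split(field_value)[1:]
    names = []
    for line in extra_lines:
        match = re.match(r"\s*([A-Za-z-]+)\s*:", line)
        names.append(match.group(1) if match else "<continuation>")
    return names


def is_safe_address(field_value: str) -> bool:
    """True only if the value is one address with no line break characters."""
    return not LINE_BREAK_RE.search(field_value) and ADDRESS_RE.fullmatch(field_value) is not None


def build_headers_vulnerable(sender: str) -> str:
    """How the flawed form builds its headers: the field is pasted in unchecked."""
    return f"From: {sender}\r\nTo: feedback@example.com\r\nSubject: Feedback\r\n"


def build_headers_safe(sender: str) -> str:
    """Hardened version: refuse anything that is not a single plain address."""
    if not is_safe_address(sender):
        raise ValueError(f"rejected sender field; smuggled headers: {smuggled_headers(sender)}")
    return build_headers_vulnerable(sender)


if __name__ == "__main__":
    print(build_headers_vulnerable(INJECTED_SENDER))  # shows the injected Cc: and Bcc: lines
    print(smuggled_headers(INJECTED_SENDER))          # ['Cc', 'Bcc']
    try:
        build_headers_safe(INJECTED_SENDER)
    except ValueError as err:
        print(err)
```

Modern mail libraries (Python's `email` package with its default policy, for instance) also refuse header values containing line breaks, but the form should reject the request before anything reaches the mailer.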
Tags: Email Security, Tools
