creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ccce7d4e068efecc2f98c385c8e5c01d969fc9bc
Anthropic-Cybersecurity-Skills/skills/testing-for-email-header-injection/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

56 lines
1.7 KiB
Markdown
Raw Blame History

# API Reference: Testing for Email Header Injection
## CRLF Encoding Variants
| Encoding | Representation | Description |
|----------|---------------|-------------|
| `%0A` | LF | URL-encoded line feed |
| `%0D%0A` | CRLF | URL-encoded carriage return + line feed |
| `%0D` | CR | URL-encoded carriage return |
| `%250A` | Double-encoded LF | Bypasses single decode |
| `\n` | Raw LF | Direct newline character |
## Injectable Headers
| Header | Impact | Severity |
|--------|--------|----------|
| Cc: | Send copy to attacker | High |
| Bcc: | Hidden copy to attacker | High |
| From: | Email spoofing | Medium |
| Reply-To: | Phishing redirect | Medium |
| Subject: | Subject override | Low |
| Content-Type: | Body injection | High |
| To: | Additional recipients | High |
## Common Injection Points
| Endpoint | Field | Risk |
|----------|-------|------|
| /contact | email, name, subject | Header injection |
| /share | to, from | Recipient injection |
| /invite | email | Mass invitation abuse |
| /forgot-password | email | CC token to attacker |
| /api/send-email | to, subject, body | Full control |
## Attack Scenarios
| Scenario | Technique |
|----------|-----------|
| Spam relay | Inject BCC with mass recipients |
| Phishing | Override From/Reply-To |
| Password reset hijack | CC reset token email |
| Content override | MIME boundary injection |
## Python Libraries
| Library | Version | Purpose |
|---------|---------|---------|
| `requests` | >=2.28 | HTTP form submission |
| `json` | stdlib | Report generation |
## References
- OWASP Email Injection: https://owasp.org/www-community/attacks/Email_Injection
- swaks SMTP testing: https://www.jetmore.org/john/code/swaks/
- mailhog: https://github.com/mailhog/MailHog
Reference in New Issue View Git Blame Copy Permalink