\begin{abstract}
E-Mail Header Injection is a class of vulnerability that can occur in web applications that use user input to construct e-mail messages. E-Mail injection is possible when the mailing script fails to check for the presence of e-mail headers in user input (either form fields or URL parameters). The vulnerability exists in the reference implementation of the built-in \dq{\texttt{mail}} functionality in popular languages like PHP, Java, Python, and Ruby\@. With the proper injection string, this vulnerability can be exploited to inject additional headers and/or modify existing headers in an e-mail message, allowing an attacker to completely alter the content of the e-mail.
\paragraph{}
This thesis develops a scalable mechanism to automatically detect E-Mail Header Injection vulnerabilities and uses this mechanism to quantify the prevalence of E-Mail Header Injection vulnerabilities on the Internet. Using a black-box testing approach, the system crawled \urls\ URLs to find URLs that contained form fields. \forms\ such forms were found by the system, of which \emailforms\ forms contained e-mail fields. The system used this data feed to discern the forms that could be fuzzed with malicious payloads. Amongst the \fuzzed\ forms tested, \recd\ forms were found to be injectable with more malicious payloads. The system tested \malfuzzed\ of these and was able to find \success\ vulnerable URLs across \domains\ domains, which proves that the threat is widespread and deserves future research attention.
\end{abstract}
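
The missing check described in the abstract, shown as an added example that is not code from the thesis: a mailing routine that concatenates form fields into the header block, beside one that rejects CR/LF in header-bound fields. The field names, addresses and helper functions are assumptions made for illustration, and the form inputs are constructed samples.

```python
from email import message_from_string
from email.message import EmailMessage

RECIPIENT = "support@example.com"  # assumed: fixed by the application, never by the user

# Constructed sample form submissions (hypothetical field names).
CLEAN = {"from_addr": "alice@example.com", "subject": "Hello", "body": "Hi there"}
TAINTED = {"from_addr": "alice@example.com",
           "subject": "Hello\r\nBcc: third-party@example.net",  # CRLF + extra header
           "body": "Hi there"}


def build_naive(form):
    """Vulnerable pattern: user input concatenated straight into the header block."""
    return ("To: " + RECIPIENT + "\r\n"
            "From: " + form["from_addr"] + "\r\n"
            "Subject: " + form["subject"] + "\r\n"
            "\r\n" + form["body"])


def header_names(raw):
    """Header names as a receiving parser sees them, in order."""
    return [name for name, _ in message_from_string(raw).items()]


def injected_fields(form, header_fields=("from_addr", "subject")):
    """Names of header-bound fields that contain a line break."""
    return [f for f in header_fields if "\r" in form[f] or "\n" in form[f]]


def build_checked(form):
    """Hardened pattern: refuse line breaks before any value reaches a header."""
    bad = injected_fields(form)
    if bad:
        raise ValueError("line break in header field(s): " + ", ".join(bad))
    msg = EmailMessage()
    msg["To"] = RECIPIENT
    msg["From"] = form["from_addr"]
    msg["Subject"] = form["subject"]
    msg.set_content(form["body"])
    return msg.as_string()


if __name__ == "__main__":
    print(header_names(build_naive(CLEAN)))    # only the application's own headers
    print(header_names(build_naive(TAINTED)))  # an extra header the form never offered
    print(injected_fields(TAINTED))            # the field that carried it
```

The check runs on the decoded field values, so URL-encoded line breaks in a parameter are caught once the framework has decoded them.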