Go Email Content Forgery
Description
This detector identifies email content forgery vulnerabilities in Go applications where user-controlled input can manipulate email messages without proper validation or sanitization. Attackers can potentially inject malicious content, headers, or modify email structure to perform phishing attacks or bypass security controls.
Detection Strategy
• Scans Go source code that imports email libraries: github.com/wneessen/go-mail, gopkg.in/gomail.v2, or net/smtp
• Identifies direct SMTP calls using smtp.SendMail where the message body (5th parameter) contains unsafe user input
• Detects DialAndSend method calls on email objects where the message parameter traces back to unsafe mail constructors (NewMsg, NewMessage)
• Triggers when email message content can be influenced by untrusted sources through unsafe data flow paths
• Reports the specific function call location where the vulnerable email sending operation occurs
Vulnerable code example
package main
import (
"net/http"
"net/smtp"
)
func sendEmail(w http.ResponseWriter, r *http.Request) {...✅ Secure code example
package main
import (
"html"
"net/http"
"net/smtp"
)
...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.