Go Email Headers Forgery

Description

This detector identifies email header forgery vulnerabilities in Go applications using email libraries. It flags cases where email messages created through go-mail or gomail libraries are sent via DialAndSend without proper validation, allowing attackers to inject malicious headers and potentially perform email spoofing, phishing, or other email-based attacks.

Weakness:

199 - Lack of data validation - Emails

Category: Unexpected Injection

Detection Strategy

1. Scans Go source code for imports of email libraries: github.com/wneessen/go-mail or gopkg.in/gomail.v2

2. Identifies function calls ending with the .DialAndSend method used to send emails

3. Checks if the first argument to DialAndSend is an email message object created by the NewMsg or NewMessage constructors

4. Analyzes the data flow path from message creation to sending to detect whether header forgery conditions exist

5. Reports a vulnerability when unsafe header manipulation is detected in the path between message construction and sending

Vulnerable code example

package main

import (
	"net/http"
	mail "github.com/wneessen/go-mail"
)

func handleEmail(w http.ResponseWriter, r *http.Request) {...

✅ Secure code example

package main

import (
	"log"
	"net/http"
	"strings"
	mail "github.com/wneessen/go-mail"
)...
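Both code examples above are cut off, so the following is an added example (not the detector's own code and not go-mail's) that reproduces the header forgery pattern with only the Go standard library: it renders the headers by hand instead of through NewMsg/DialAndSend, shows how a CR/LF in a user-controlled subject becomes an extra header, and applies the CR/LF check the detector expects before sending. The function names, the hypothetical sample addresses and the hostile subject are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// ErrHeaderInjection is returned when a header value carries CR or LF,
// the characters that let a value terminate its line and start a new header.
var ErrHeaderInjection = errors.New("header value contains CR/LF")

// ValidateHeaderValue is the check a handler should run on every
// user-supplied header value (subject, display names, addresses)
// before the message is handed to DialAndSend.
func ValidateHeaderValue(v string) error {
	if strings.ContainsAny(v, "\r\n") {
		return ErrHeaderInjection
	}
	return nil
}

// buildRawMessage renders a minimal RFC 5322 message with an unchecked
// subject, mirroring the vulnerable path where input flows straight
// from the request into a header.
func buildRawMessage(from, to, subject, body string) string {
	return "From: " + from + "\r\n" +
		"To: " + to + "\r\n" +
		"Subject: " + subject + "\r\n" +
		"\r\n" + body + "\r\n"
}

// CountHeaders parses the rendered message and returns the number of
// distinct header fields, which makes an injected line observable.
func CountHeaders(raw string) (int, error) {
	m, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return 0, err
	}
	return len(m.Header), nil
}

func main() {
	// Constructed input: a subject that smuggles in a Bcc header.
	hostile := "Invoice\r\nBcc: hidden@example.com"
	n, _ := CountHeaders(buildRawMessage("a@example.com", "b@example.com", hostile, "hi"))
	fmt.Println("header fields without validation:", n) // 4, Bcc was injected
	fmt.Println("validation result:", ValidateHeaderValue(hostile))
}
```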