Java Unsafe Parameter Tampering
Description
Detects unsafe email recipient handling in Java applications where untrusted HTTP request parameters are directly used to set email recipients through MimeMessage.setRecipient(). This vulnerability could allow attackers to perform email header injection attacks or send emails to unauthorized recipients, potentially leading to spam or information disclosure.
Detection Strategy
• Application imports both javax.mail/jakarta.mail (MimeMessage, InternetAddress) and servlet HTTP request handling libraries
• Code calls the setRecipient() method on a MimeMessage object
• The recipient parameter passed to setRecipient() originates from an HTTP request parameter without proper validation
• The data flow shows direct usage of request parameters in email recipient setting without sanitization
Vulnerable code example
import java.util.Properties;
import javax.mail.*;
import javax.mail.internet.*;
import javax.servlet.http.HttpServletRequest;

public void sendEmail(HttpServletRequest request) throws MessagingException {
    Session session = Session.getDefaultInstance(new Properties());
    MimeMessage message = new MimeMessage(session);
    // Vulnerable: the unvalidated "email" request parameter is used directly as the recipient address
    message.setRecipient(Message.RecipientType.TO, new InternetAddress(request.getParameter("email")));
}

✅ Secure code example
import java.util.Properties;
import javax.mail.*;
import javax.mail.internet.*;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

public void sendEmail(HttpServletRequest request) throws ServletException, MessagingException {
    // Validate email before using it
    String userEmail = request.getParameter("email");
    validateEmail(userEmail); // Validate email format and presence
    Session session = Session.getDefaultInstance(new Properties());
    MimeMessage message = new MimeMessage(session);
    message.setRecipient(Message.RecipientType.TO, new InternetAddress(userEmail));
}
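The snippets above leave the validateEmail() helper undefined. The following is an added, self-contained example (not code from the original page or from Fluid Attacks) that puts the unsafe and the hardened recipient handling side by side and supplies one reasonable implementation of that helper. It assumes the JavaMail API (javax.mail) is on the classpath; a Map stands in for HttpServletRequest.getParameter() so the class runs without a servlet container, and the parameter name "email" follows the secure snippet above. The sample inputs in main() are constructed.

```java
import java.util.Map;
import java.util.Properties;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

// Added example: unsafe vs. hardened recipient handling for MimeMessage.setRecipient().
// The Map replaces HttpServletRequest so the class is runnable outside a servlet container.
public class RecipientHandlingExample {

    // Vulnerable: whatever arrives in the "email" parameter becomes the recipient header.
    static MimeMessage buildUnsafe(Map<String, String> params) throws MessagingException {
        MimeMessage message = new MimeMessage(Session.getDefaultInstance(new Properties()));
        message.setRecipient(Message.RecipientType.TO, new InternetAddress(params.get("email")));
        return message;
    }

    // Hardened: the parameter is checked for presence and format and reduced to exactly one
    // RFC 822 address before it reaches the MIME layer.
    static MimeMessage buildSafe(Map<String, String> params) throws MessagingException {
        InternetAddress recipient = validateEmail(params.get("email"));
        MimeMessage message = new MimeMessage(Session.getDefaultInstance(new Properties()));
        message.setRecipient(Message.RecipientType.TO, recipient);
        return message;
    }

    // Hypothetical helper (assumption: the page names validateEmail() but does not define it).
    static InternetAddress validateEmail(String raw) throws AddressException {
        if (raw == null || raw.trim().isEmpty()) {
            throw new AddressException("recipient missing");
        }
        String value = raw.trim();
        // Header injection relies on line breaks; refuse any control character outright.
        for (int i = 0; i < value.length(); i++) {
            if (Character.isISOControl(value.charAt(i))) {
                throw new AddressException("control character in recipient", raw, i);
            }
        }
        // Strict parsing: exactly one address, no display name, no address group.
        InternetAddress[] parsed = InternetAddress.parse(value, true);
        if (parsed.length != 1 || parsed[0].getPersonal() != null || parsed[0].isGroup()) {
            throw new AddressException("expected exactly one bare address", raw);
        }
        parsed[0].validate();
        return parsed[0];
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one valid address and several that must be rejected.
        String[] samples = {
            "alice@example.com",
            "",
            "alice@example.com, bob@example.com",
            "alice@example.com\r\nX-Injected: header",
            "\"Alice\" <alice@example.com>"
        };
        for (String s : samples) {
            try {
                InternetAddress a = validateEmail(s);
                System.out.println("accepted: " + a.getAddress());
            } catch (AddressException e) {
                System.out.println("rejected (" + e.getMessage() + "): "
                        + s.replace("\r", "\\r").replace("\n", "\\n"));
            }
        }
    }
}
```

The helper rejects the multi-recipient and display-name forms on purpose: a field that is supposed to carry one user address should never be allowed to expand into several recipients, and the control-character check closes the header-injection route independently of what the address parser tolerates.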