C Sharp Parameter Tampering In Email
Description
This detector identifies C# code that builds System.Net.Mail MailMessage objects from untrusted or unsanitized input. When request-controlled values reach the sender, recipient list, subject or other header fields of a message that is then sent, an attacker can redirect mail to addresses of their choosing, spoof the apparent sender, or, where a header value is not checked for line breaks, inject additional headers. The resulting impact is email spoofing or information disclosure (for example, a message intended for one user delivered to another).
Detection Strategy
• Check whether the System.Net.Mail namespace is imported in the code
• Look for email sending operations that use MailMessage objects
• Verify whether the MailMessage object is constructed from untrusted or unsanitized input (request parameters, form fields, headers)
• Confirm that the MailMessage object built from that input is passed directly to a send operation
• Report a vulnerability if unsanitized email parameters derived from user input flow into an email sending operation
Vulnerable code example
using System.Net.Mail;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
public class EmailController
{
public IActionResult SendEmail(HttpRequest request)
{...
✅ Secure code example
using System.Net.Mail;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
public class EmailController
{
private static readonly Regex ValidEmailPattern = ...
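Because both examples above are cut short, here is an added, complete pair of controller actions (written for this page; not Fluid Attacks' code) that follows the detection steps: the first action lets sender, recipients and subject flow straight from the request into MailMessage and SmtpClient.Send (the pattern the detector reports), the second validates the recipient against a strict allowlist pattern and MailAddress, fixes the sender, and rejects control characters in the subject. The route names, the SMTP host, the notifications@example.com sender and the allowed recipient domain are assumptions made for illustration.

```csharp
// Added example, not code from the detector page. Route names, SMTP host,
// sender address and the allowed recipient domain are assumptions.
using System;
using System.Net.Mail;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Mvc;

public record ContactRequest(string? From, string? To, string? Subject, string? Body);

[ApiController]
[Route("email")]
public class EmailController : ControllerBase
{
    // VULNERABLE: every header-bearing field comes from the request body.
    // The caller picks the sender (spoofing) and the recipient (mail relay,
    // redirecting someone else's notification), and the subject is passed
    // through without any application-level check.
    [HttpPost("send-unsafe")]
    public IActionResult SendUnsafe([FromBody] ContactRequest req)
    {
        // untrusted From/To/Subject -> MailMessage -> Send: the flagged flow
        var message = new MailMessage(req.From!, req.To!, req.Subject, req.Body);
        using var client = new SmtpClient("smtp.example.com"); // assumed host
        client.Send(message);
        return Ok();
    }

    // HARDENED version of the same operation.
    private const string AllowedRecipientDomain = "example.com"; // assumed policy
    private static readonly MailAddress FixedSender =
        new("notifications@example.com", "Notifications");       // assumed sender

    // Strict allowlist: one local part, one '@', dotted domain labels; no
    // whitespace or CR/LF can match, and total length is bounded.
    private static readonly Regex ValidEmailPattern = new(
        @"^(?=.{6,254}$)[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$",
        RegexOptions.Compiled | RegexOptions.CultureInvariant);

    [HttpPost("send")]
    public IActionResult Send([FromBody] ContactRequest req)
    {
        if (!TryParseRecipient(req.To, out var to) || to is null)
            return BadRequest("Invalid recipient.");
        if (!TrySanitizeSubject(req.Subject, out var subject))
            return BadRequest("Invalid subject.");

        // Sender is never taken from the request; recipient and subject are
        // the validated values, and the body is sent as plain text.
        var message = new MailMessage(FixedSender, to)
        {
            Subject = subject,
            Body = req.Body ?? string.Empty,
            IsBodyHtml = false,
        };
        using var client = new SmtpClient("smtp.example.com"); // assumed host
        client.Send(message);
        return Ok();
    }

    // Allowlist pattern first, then the framework's own parser as a second
    // check, then a delivery policy (only the application's own domain).
    internal static bool TryParseRecipient(string? raw, out MailAddress? address)
    {
        address = null;
        if (string.IsNullOrEmpty(raw) || !ValidEmailPattern.IsMatch(raw))
            return false;
        try { address = new MailAddress(raw); }
        catch (FormatException) { return false; }
        return address.Host.Equals(AllowedRecipientDomain, StringComparison.OrdinalIgnoreCase);
    }

    // Reject, rather than strip, control characters: a CR or LF inside a
    // header value is exactly how extra headers get injected.
    internal static bool TrySanitizeSubject(string? raw, out string subject)
    {
        subject = string.Empty;
        if (string.IsNullOrWhiteSpace(raw) || raw.Length > 200)
            return false;
        foreach (var c in raw)
            if (char.IsControl(c)) return false;
        subject = raw.Trim();
        return true;
    }
}
```

The key difference from the detector's point of view is the taint path: in SendUnsafe the request fields reach the MailMessage constructor unchanged, whereas in Send only values that passed TryParseRecipient and TrySanitizeSubject do, and the sender is a constant. Current .NET versions also throw from MailAddress on malformed addresses and from the MailMessage.Subject setter when the value contains CR or LF, but doing the checks in the application turns those cases into a clean 400 response instead of an unhandled exception, and the domain policy is something the framework cannot enforce for you.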