{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,20]],"date-time":"2025-08-20T13:02:48Z","timestamp":1755694968371,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":60,"publisher":"ACM","license":[{"start":{"date-parts":[[2018,4,9]],"date-time":"2018-04-09T00:00:00Z","timestamp":1523232000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2018,4,9]]},"DOI":"10.1145\/3167132.3167308","type":"proceedings-article","created":{"date-parts":[[2018,7,3]],"date-time":"2018-07-03T13:54:10Z","timestamp":1530626050000},"page":"1647-1656","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":7,"title":["Measuring E-mail header injections on the world wide web"],"prefix":"10.1145","author":[{"given":"Sai Prashanth","family":"Chandramouli","sequence":"first","affiliation":[{"name":"Arizona State University"}]},{"given":"Pierre-Marie","family":"Bajan","sequence":"additional","affiliation":[{"name":"IRT SystemX"}]},{"given":"Christopher","family":"Kruegel","sequence":"additional","affiliation":[{"name":"University of California"}]},{"given":"Giovanni","family":"Vigna","sequence":"additional","affiliation":[{"name":"University of California"}]},{"given":"Ziming","family":"Zhao","sequence":"additional","affiliation":[{"name":"Arizona State University"}]},{"given":"Adam","family":"Doup\u00e9","sequence":"additional","affiliation":[{"name":"Arizona State University"}]},{"given":"Gail-Joon","family":"Ahn","sequence":"additional","affiliation":[{"name":"Arizona State University and Samsung Research"}]}],"member":"320","published-online":{"date-parts":[[2018,4,9]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Apache Nutch. http:\/\/nutch.apache.org\/  Apache Nutch. http:\/\/nutch.apache.org\/"},{"key":"e_1_3_2_1_2_1","unstructured":"ContactForm7. https:\/\/wordpress.org\/plugins\/contact-form-7  ContactForm7. https:\/\/wordpress.org\/plugins\/contact-form-7"},{"key":"e_1_3_2_1_3_1","unstructured":"Vexatious Tendencies. https:\/\/vexatioustendencies.com\/wordpress-plugin-vulnerability-dump-part-2\/ (2014)  Vexatious Tendencies. https:\/\/vexatioustendencies.com\/wordpress-plugin-vulnerability-dump-part-2\/ (2014)"},{"key":"e_1_3_2_1_4_1","unstructured":"CVE - Common Vulnerabilities and Exposures (CVE) (2016) http:\/\/cve.mitre.org\/  CVE - Common Vulnerabilities and Exposures (CVE) (2016) http:\/\/cve.mitre.org\/"},{"key":"e_1_3_2_1_5_1","unstructured":"ICANN WHOIS Data. https:\/\/whois.icann.org\/en (2016)  ICANN WHOIS Data. https:\/\/whois.icann.org\/en (2016)"},{"volume-title":"Malware and URL Scanner","year":"2016","author":"VirusTotal","key":"e_1_3_2_1_6_1"},{"key":"e_1_3_2_1_7_1","unstructured":"Alexa Rankings. data.alexa.com\/data?cli=10&url=%URL% (2017)  Alexa Rankings. data.alexa.com\/data?cli=10&url=%URL% (2017)"},{"key":"e_1_3_2_1_8_1","unstructured":"BuiltWith Website Data. https:\/\/builtwith.com (2017)  BuiltWith Website Data. https:\/\/builtwith.com (2017)"},{"key":"e_1_3_2_1_9_1","unstructured":"Wappalyzer. https:\/\/wappalyzer.com\/ (2017)  Wappalyzer. https:\/\/wappalyzer.com\/ (2017)"},{"key":"e_1_3_2_1_10_1","unstructured":"Acunetix: AcuMonitor: For detecting Email Header Injection Blind XSS and SSRF - Acunetix. http:\/\/www.acunetix.com\/vulnerability-scanner\/acumonitor-blind-xss-detection\/  Acunetix: AcuMonitor: For detecting Email Header Injection Blind XSS and SSRF - Acunetix. http:\/\/www.acunetix.com\/vulnerability-scanner\/acumonitor-blind-xss-detection\/"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/966389.966390"},{"volume-title":"Thomas","year":"2007","author":"Allman E.","key":"e_1_3_2_1_12_1"},{"volume-title":"https:\/\/commons.apache.org\/proper\/commons-email","year":"2016","author":"Apache Commons Email","key":"e_1_3_2_1_13_1"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.27"},{"volume-title":"Black-box Testing: Techniques for Functional Testing of Software and Systems","year":"1995","author":"Beizer B.","key":"e_1_3_2_1_15_1"},{"key":"e_1_3_2_1_16_1","unstructured":"BestWebSoft: Contact Form by BestWebSoft WordPress Plugins. https:\/\/wordpress.org\/plugins\/contact-form-plugin\/ (2016)  BestWebSoft: Contact Form by BestWebSoft WordPress Plugins. https:\/\/wordpress.org\/plugins\/contact-form-plugin\/ (2016)"},{"volume-title":"Oestreicher","year":"1998","author":"Bhide C.W.","key":"e_1_3_2_1_17_1"},{"key":"e_1_3_2_1_18_1","first-page":"292","volume-title":"Keromytis","author":"Boyd S.W.","year":"2004"},{"key":"e_1_3_2_1_19_1","unstructured":"Calin B.: Email Header Injection Web Vulnerability - Acunetix. https:\/\/www.acunetix.com\/blog\/articles\/email-header-injection-web-vulnerability-detection\/ (2013)  Calin B.: Email Header Injection Web Vulnerability - Acunetix. https:\/\/www.acunetix.com\/blog\/articles\/email-header-injection-web-vulnerability-detection\/ (2013)"},{"issue":"2","key":"e_1_3_2_1_20_1","first-page":"67","volume":"59","author":"Chandramouli S.P.","year":"2017","journal-title":"Information Technology"},{"volume-title":"Internet Message Format - RFC 2142","year":"1997","author":"Crocker D.","key":"e_1_3_2_1_21_1"},{"key":"e_1_3_2_1_22_1","first-page":"523","volume-title":"Vigna","author":"Doup\u00e9 A.","year":"2012"},{"key":"e_1_3_2_1_23_1","first-page":"111","volume-title":"Vigna","author":"Doup\u00e9 A.","year":"2010"},{"volume-title":"Wallach","year":"1997","author":"Felten E.W.","key":"e_1_3_2_1_24_1"},{"volume-title":"Leach","year":"1999","author":"Fielding R.","key":"e_1_3_2_1_25_1"},{"volume-title":"Machniak","year":"2016","author":"Hagenbuch C.","key":"e_1_3_2_1_26_1"},{"volume-title":"Proceedings of the IEEE Symposium on Secure Software Engineering (2006)","author":"Halfond W.G.","key":"e_1_3_2_1_27_1"},{"volume-title":"Full Disclosure: JavaMail SMTP Header Injection via method setSubject {CSNC-2014-001}","year":"2014","author":"Herzog A.","key":"e_1_3_2_1_28_1"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/775152.775174"},{"key":"e_1_3_2_1_30_1","unstructured":"Internet Live Stats: www.internetlivestats.com (2016)  Internet Live Stats: www.internetlivestats.com (2016)"},{"volume-title":"Myers","year":"2006","author":"Jakobsson M.","key":"e_1_3_2_1_31_1"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242654"},{"volume-title":"Winter","year":"2006","author":"Johns M.","key":"e_1_3_2_1_33_1"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/1135777.1135817"},{"volume-title":"{DOM Based Cross Site Scripting or XSS of the Third Kind} Web Security Articles - WebApp Sec","year":"2005","author":"Klein A.","key":"e_1_3_2_1_35_1"},{"key":"e_1_3_2_1_36_1","unstructured":"Kohler D.: damonkohler: Email Injection. http:\/\/www.damonkohler.com\/2008\/12\/email-injection.html (2008)  Kohler D.: damonkohler: Email Injection. http:\/\/www.damonkohler.com\/2008\/12\/email-injection.html (2008)"},{"volume-title":"Zwicky","year":"2015","author":"Kucherawy M.","key":"e_1_3_2_1_37_1"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSE.2009.372"},{"key":"e_1_3_2_1_39_1","unstructured":"Mohamed A.: PHP Email Injection Example - InfoSec Resources. http:\/\/resources.infosecinstitute.com\/email-injection\/ (2013)  Mohamed A.: PHP Email Injection Example - InfoSec Resources. http:\/\/resources.infosecinstitute.com\/email-injection\/ (2013)"},{"key":"e_1_3_2_1_40_1","unstructured":"Nicol J.: Securing PHP Contact Forms. http:\/\/jonathannicol.com\/blog\/2006\/12\/09\/securing-php-contact-forms\/ (2006)  Nicol J.: Securing PHP Contact Forms. http:\/\/jonathannicol.com\/blog\/2006\/12\/09\/securing-php-contact-forms\/ (2006)"},{"key":"e_1_3_2_1_41_1","unstructured":"OWASP\n  : https:\/\/www.owasp.org\/index.php\/OWASP_Top_10  OWASP: https:\/\/www.owasp.org\/index.php\/OWASP_Top_10"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2480362.2480699"},{"key":"e_1_3_2_1_43_1","unstructured":"PHP-Manual: PHP mail - Send mail. http:\/\/php.net\/manual\/en\/function.mail.php (2016)  PHP-Manual: PHP mail - Send mail. http:\/\/php.net\/manual\/en\/function.mail.php (2016)"},{"key":"e_1_3_2_1_44_1","unstructured":"PHPMailer: https:\/\/github.com\/PHPMailer\/PHPMailer  PHPMailer: https:\/\/github.com\/PHPMailer\/PHPMailer"},{"volume-title":"Prevent Contact Form Spam Email Header Injection | Storm Consultancy Web Design Bath","year":"2008","author":"Pope A.","key":"e_1_3_2_1_45_1"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/MITP.2005.37"},{"volume-title":": Internet Message Format - RFC 5322","year":"2008","author":"Resnick P.W.","key":"e_1_3_2_1_48_1"},{"key":"e_1_3_2_1_49_1","unstructured":"Ruby Mail Gem: https:\/\/rubygems.org\/gems\/mail  Ruby Mail Gem: https:\/\/rubygems.org\/gems\/mail"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICICM.2013.18"},{"volume-title":"Wong","year":"2006","author":"Schlitt W.","key":"e_1_3_2_1_51_1"},{"key":"e_1_3_2_1_52_1","unstructured":"Email Injection - Secure PHP Wiki. http:\/\/securephpwiki.com\/index.php\/EmailInjection (2010)  Email Injection - Secure PHP Wiki. http:\/\/securephpwiki.com\/index.php\/EmailInjection (2010)"},{"key":"e_1_3_2_1_53_1","first-page":"357","volume-title":"Suel","author":"Shkapenyuk V.","year":"2002"},{"volume-title":"Pinto","year":"2011","author":"Stuttard D.","key":"e_1_3_2_1_54_1"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/1111320.1111070"},{"key":"e_1_3_2_1_56_1","unstructured":"SwiftMailer: http:\/\/swiftmailer.org\/  SwiftMailer: http:\/\/swiftmailer.org\/"},{"volume-title":"SMTP Injection via recipient email addresses. MBSD White Paper","series-title":"December 2015","author":"Terada T.","key":"e_1_3_2_1_57_1"},{"key":"e_1_3_2_1_58_1","unstructured":"Tobozo: Mail headers injections with PHP. http:\/\/www.phpsecure.info\/v2\/article\/MailHeadersInject.en.php (2004)  Tobozo: Mail headers injections with PHP. http:\/\/www.phpsecure.info\/v2\/article\/MailHeadersInject.en.php (2004)"},{"volume-title":"February","year":"2016","key":"e_1_3_2_1_59_1"},{"volume-title":"Computer Security Applications Conference, ACSAC 2007 (Dec 2007)","author":"Yan J.","key":"e_1_3_2_1_60_1"},{"volume-title":"Zanchetta","year":"2005","author":"Zanero S.","key":"e_1_3_2_1_61_1"}],"event":{"name":"SAC 2018: Symposium on Applied Computing","sponsor":["SIGAPP ACM Special Interest Group on Applied Computing"],"location":"Pau France","acronym":"SAC 2018"},"container-title":["Proceedings of the 33rd Annual ACM Symposium on Applied Computing"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3167132.3167308","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3167132.3167308","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T02:27:00Z","timestamp":1750213620000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3167132.3167308"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,4,9]]},"references-count":60,"alternative-id":["10.1145\/3167132.3167308","10.1145\/3167132"],"URL":"https:\/\/doi.org\/10.1145\/3167132.3167308","relation":{},"subject":[],"published":{"date-parts":[[2018,4,9]]},"assertion":[{"value":"2018-04-09","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}