0x11 - Email Field Payload Injection

Did you know that email address fields can also be vulnerable to:

• Cross-Site Scripting (XSS)
• Template Injection (SSTI)
• Server-Side Request Forgery (SSRF)
• Parameter Pollution
• Header Injection

99% of modern web applications contain an email field somewhere among their features, whether in the register, login or contact forms or in the user details page.

However, most of the time this attack path is overlooked because of the assumption that an email address cannot contain certain characters. That assumption is not really true according to the RFC.

If you want to know more, I highly recommend the RTFR (Read the bleeping RFC) talk on YouTube about email injection -> https://www.youtube.com/watch?app=desktop&v=4ZsTKvfP1g0
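As an added example (not from the original post or from the referenced talk), the following Python script shows why the assumption fails and what a defender does about it: a minimal RFC 5322 address grammar accepts quoted local parts and characters such as braces, the common "has an @ and a dot" check even accepts CR/LF, and the defensive response is an allow-list validator plus output encoding for the context where the address is reflected. The regular expressions, function names and sample addresses are my own constructions for this illustration; the grammar is not a complete RFC parser.

```python
"""Added example (not from the original post): why an email field is an
injection surface, and the checks a defender applies.

All sample addresses are constructed for this demonstration.
"""
import html
import re

# The check many applications actually perform: "has an @ and a dot".
# It says nothing about which characters may appear around them, and the
# negated classes happily match CR and LF.
LOOSE_EMAIL = re.compile(r"^[^@]+@[^@]+\.[^@]+$")

# RFC 5322: the local part is a dot-atom (atext includes ! # $ % & ' * + - / =
# ? ^ _ ` { | } ~) or a quoted-string, which may contain almost any printable
# character. Minimal illustrative grammar, not a full RFC parser.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
QUOTED = r'"(?:[^"\\\r\n]|\\[^\r\n])*"'
DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}"
RFC5322_ADDR = re.compile(rf"^(?:{DOT_ATOM}|{QUOTED})@{DOMAIN}$")

# A deliberately conservative allow-list an application can use for account
# addresses: letters, digits, dot, underscore, plus and hyphen, then a plain
# domain. Everything the RFC also permits (quotes, braces, ...) is refused.
STRICT_LOCAL = r"[A-Za-z0-9._+-]+"
STRICT_EMAIL = re.compile(rf"^{STRICT_LOCAL}@{DOMAIN}$")


def is_rfc5322_address(addr: str) -> bool:
    """True if the string is a syntactically valid addr-spec under the
    illustrative grammar above (dot-atom or quoted local part)."""
    return RFC5322_ADDR.match(addr) is not None


def loose_accepts(addr: str) -> bool:
    """The weak check, kept for comparison."""
    return LOOSE_EMAIL.match(addr) is not None


def strict_accepts(addr: str) -> bool:
    """Allow-list validation: rejects CR/LF explicitly (header injection
    shape) and anything outside the narrow local-part alphabet."""
    if "\r" in addr or "\n" in addr:
        return False
    return STRICT_EMAIL.match(addr) is not None


def render_profile_email(addr: str) -> str:
    """Output encoding for the HTML context: even if a quoted address reaches
    the template, the browser receives text, not markup."""
    return '<span class="email">' + html.escape(addr, quote=True) + "</span>"


def classify(addr: str) -> dict:
    """Summarise how each check treats an address."""
    return {
        "rfc5322_valid": is_rfc5322_address(addr),
        "loose_accepts": loose_accepts(addr),
        "strict_accepts": strict_accepts(addr),
    }


if __name__ == "__main__":
    samples = [
        "alice@example.com",                       # ordinary address
        '"<b>alice</b>"@example.com',              # RFC-valid quoted local part carrying markup
        "alice{x}@example.com",                    # braces are plain atext, no quoting needed
        "alice@example.com\r\nX-Demo: injected",   # CR/LF: invalid, yet the loose check passes it
    ]
    for s in samples:
        print(repr(s), classify(s), render_profile_email(s))
```

Running the script prints, for each constructed sample, which checks accept it and how it renders once escaped; the point to take away is that the loose check and the RFC disagree in both directions, so validation has to be an explicit allow-list for the application's own needs, and reflection into HTML, templates or mail headers still needs context-specific encoding.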


How to do it

  1. Find an email field in the target app

  2. Personally, I recommend your own profile's email address, especially if it is reflected in the UI

  3. Update the value using the Email Injection payloads in the file attached

  4. Review the result after each update

  5. Note that running Intruder might not be optimal, because each request might overwrite the previous value

Credit to Inti De Ceukelaire and Intigriti for their amazing research


References