Email Parsing Exploitation

Summary

The email RFCs allow many ways to encode and decode information inside an address while it remains a syntactically valid email. This vulnerability appears when a backend email parser accepts these encodings and decodes them after validation has already passed, letting an attacker register with an email address they do not own while the verification email is delivered to an address they control. Depending on the backend parser, a single space, a quote, a left bracket, or an exclamation mark can be enough to bypass domain restrictions and/or route the email to a different address than intended.

Methodology

When looking for Email Parsing Exploitation ask/try the following:

  • Are there any restricted email domains for the site?
  • try a polyglot to induce an error !#$%&'*+\/=?^_{|}~-collab\@psres.net
  • try a source route
    • foo%psres.net(@example.com
    • foo%psres.net@example.com
  • try adding a space before the @
  • try UTF-7 encoding to encode the @ or characters of a regular address
    • =?utf-7?q?&AGYAbwBvAGIAYQBy-?=@psres.net will become foobar@psres.net if it is decoded
    • try other encodings as well; the Burp plugin Hackvertor can turn the example tags below into encodings
  • try adding a > before a specific domain
    • try additionally adding <" after that
  • try punycode encoding
  • try adding html tags at the end of email addresses with encoding
    • if successful, try grabbing the CSRF token via CSS, which could lead to RCE
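A server-side check that closes every item in the list above is to validate the exact, undecoded string that will be stored and mailed, and to compare the domain against an allow list only after canonicalisation. The validator below is an added example written for this page, not code from the PortSwigger research or from any product; the allow-listed domain and the rejection of non-ASCII input are assumptions chosen for the demo.

```python
from __future__ import annotations
import re

# Constructed policy for this example: the only domain that may register.
ALLOWED_DOMAINS = {"example.com"}

# Deliberately stricter than RFC 5322: letters, digits, '.', '_', '+', '-' only.
# This rejects every trick listed above: quoted strings, comments '(', source
# routes '%', '<' '>', '!' and the '=?...?=' markers of an encoded word.
_LOCAL_RE = re.compile(r"^[A-Za-z0-9]+(?:[._+-][A-Za-z0-9]+)*$")
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def validate_registration_email(raw: str) -> tuple[bool, str]:
    """Return (accepted, canonical_address_or_reason).

    Validate the exact string that will be stored and mailed: no decoding,
    no comment stripping and no quoted-string handling happens here or later.
    """
    # Non-ASCII input covers the unicode-overflow and raw IDN cases: a buggy
    # encoder downstream may fold such characters into '@' or '.'.
    if not raw.isascii():
        return False, "non-ASCII characters are not accepted"
    if any(ch.isspace() for ch in raw):
        return False, "whitespace is not accepted"
    if raw.count("@") != 1:
        # '"foo@x.net"@example.com' and 'a@b@c' are rejected here.
        return False, "exactly one '@' is required"
    local, domain = raw.split("@")
    if not _LOCAL_RE.fullmatch(local):
        return False, "local part contains disallowed characters"
    domain = domain.lower()
    if not _DOMAIN_RE.fullmatch(domain):
        return False, "malformed domain"
    # Exact match on the canonical domain; never a suffix or substring test.
    if domain not in ALLOWED_DOMAINS:
        return False, "domain is not on the allow list"
    return True, f"{local}@{domain}"
```

Run the payloads from the methodology list through it before deploying; each of them should come back rejected while plain addresses on the allow-listed domain pass.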

Capabilities

Remote Code Execution
XSS
Authorization Bypass

Found In

Account Registration

Tools/Examples

Original research on the subject; if uncertain about the attack vector, read this first: https://portswigger.net/research/splitting-the-email-atom

Burp plugin (Hackvertor) tags for encoding

<@_unicode_overflow(0x100,'...')>@<@/_unicode_overflow>
<@_unicode_overflow_variations(0xfff,'...')>@<@/_unicode_overflow_variations>
foo<@_encoded_word_encode('...')>@<@/_encoded_word_encode>example.com
<@_encoded_word_decode('...')>=41=42=43<@/_encoded_word_decode>
<@_email_utf7('...')><@/_email_utf7>
<@_email_utf7_decode('...')><@/_email_utf7_decode>
<@_encode_word_meta('iso-8859-1','...')><@/_encode_word_meta>