# Exploiting Parser Flaws for Access Bypasses

{% embed url="https://portswigger.net/research/splitting-the-email-atom#creating-email-domain-confusion" %}

### The Story

Gareth stumbled into this by pasting special characters into an email address during testing and noticing that Sendmail misrouted it via UUCP (`oastify.com!collab\@example.com` was delivered to oastify.com). That sparked a hunt for parser flaws. Using fuzzers and Burp tools, he crafted addresses that bypass domain-based auth (GitHub, Zendesk, GitLab) or achieve RCE (Joomla via Punycode). It’s like slipping through security by speaking an ancient email dialect apps don’t understand.

***

### Key Concepts

* **Email Complexity**: Addresses can contain quoted strings (`"@"@example.com`), comments (`(foo)user@domain`), escapes, or encodings (encoded-word, UTF-7, base64). Archaic routing syntax such as UUCP bang paths (`host!user`) or source routes (`user%domain@example.com`) changes where the message is delivered.
* **Parser Discrepancies**: The app’s validation (e.g., a regex requiring exactly one @) differs from how the library or mailer parses the address (e.g., Ruby’s Mail gem, PHP’s IDN handling). Attackers craft addresses that pass validation but are delivered to their own domain.
* **Splitting**: Inject an extra @, >, or null so the app sees `attacker@victim.com` while the mailer delivers to `victim@attacker.com`.
* **Encodings**:
  * **Unicode Overflows**: Characters above 0xFF that get truncated to a single byte (e.g., ❀ is U+2740, and 0x2740 % 256 = 0x40 = @) slip past filters that only inspect the original character.
  * **Encoded-Word**: `=?utf-8?q?=41=42=43?=` decodes to ABC. Layering it with UTF-7 or base64 makes the payload harder to spot.
  * **Punycode**: Malformed decoding (e.g., `xn--0049` → ",") produces unexpected characters, up to whole sequences like `<style`.

***

### Exploits

* **Sendmail/Postfix**: UUCP (`oastify.com!collab\@example.com`) or source routes (`collab%psres.net(@example.com`) misroute the message to the attacker’s domain.
* **GitHub**: `=?x?q?=40=3e=00foo?=@psres.net` splits the address (the encoded-word decodes to @, >, null), spoofing the domain to bypass Cloudflare Zero Trust.
* **Zendesk**: `=?utf-8?q?"=22=3c22=40=3e=00foo?=@psres.net` uses encoded quotes to bypass support desk restrictions.
* **GitLab**: `=?iso-8859-1?q?=40=3e_foo?=@psres.net` spoofs the domain for enterprise/web app registration.
* **Joomla**: Malformed Punycode (`xn--style-123` → `<style`) plus CSS exfiltration (@import) grabs the CSRF token, leading to RCE via a template edit.
* **PHPMailer**: Decodes encoded-word in the display name, a potential XSS (not explored in the research).

***

### Bug Bounty Guide

**Target**: Apps with email-based auth (SSO, registration, support desks). Ruby (Mail gem) or PHP (IDN/PHPMailer) are hot spots.

**Steps**:

1. **Probe**: Send encoded-word (`=?utf-8?q?collab?=@victim.com`) or Punycode (`xn--0049`) to test parsing. Use Burp Collaborator for SMTP/DNS logs.
2. **Fuzz**: Use Turbo Intruder (script in repo) for encoded-word splits; Punycode fuzzer for malformed chars. Try @, >, null, spaces.
3. **Exploit**: Craft split (e.g., add `=40=3e=00`) to spoof domains. Chain to access restricted areas or inject (e.g., Joomla style tag).
4. **Tools**: Hackvertor (tags for unicode/encoded-word), Turbo Intruder, Punycode fuzzer (GitHub: portswigger/splitting-the-email-atom). Practice on Web Security Academy CTF.
5. **Tips**: Start with probes, check SMTP logs to confirm decoding, and test layered encodings (UTF-7 + base64). Report bypasses (critical, \~$5k+). Avoid rate limits with sleep timers.

**Defense**: Block encoded-word syntax (`=[?].+[?]=`), validate the address again after SSO, and avoid domain-only auth.
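The validation-versus-delivery discrepancy from the Key Concepts and the defence in the Tips above, as an added Python example that is not part of the original page or the PortSwigger research. The mailer model (stdlib RFC 2047 decoding, then NUL and `>` terminate the address), the allow-list `victim.com`, and the split payload are constructed assumptions for illustration.

```python
import re
from email.header import decode_header

# Constructed allow-list standing in for a domain-based SSO / support-desk rule.
ALLOWED_DOMAINS = {"victim.com"}
ONE_AT = re.compile(r"^[^@\s]+@[^@\s]+$")
ENCODED_WORD = re.compile(r"=[?].+[?]=")   # the page's suggested block pattern


def app_domain(address):
    """What a naive validator sees: exactly one '@'; the domain is the text after it."""
    if not ONE_AT.match(address):
        return None
    return address.rsplit("@", 1)[1].lower()


def mailer_decode(address):
    """Simplified model of a mailer (an assumption, not any one MTA's code):
    decode RFC 2047 encoded-words with the stdlib decoder, then treat NUL as a
    string terminator and '>' as the end of an angle-addr."""
    text = ""
    for chunk, charset in decode_header(address):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii")
            except (LookupError, UnicodeDecodeError):
                chunk = chunk.decode("latin-1")  # lenient fallback for unknown charsets
        text += chunk
    text = text.split("\x00", 1)[0]
    return text.split(">", 1)[0]


def delivery_domain(address):
    """Domain the modelled mailer would actually deliver to."""
    return mailer_decode(address).rsplit("@", 1)[-1].lower()


def naive_validate(address):
    """Domain-only auth on the raw string: the check the page shows being bypassed."""
    return app_domain(address) in ALLOWED_DOMAINS


def hardened_validate(address):
    """Page's defence: block encoded-words, then validate what would be delivered."""
    if ENCODED_WORD.search(address):
        return False
    decoded = mailer_decode(address)
    return decoded == address and app_domain(decoded) in ALLOWED_DOMAINS


# Constructed split payload in the =40=3e=00 shape from the guide above.
SPLIT = "=?utf-8?q?attacker=40attacker.example=3e=00?=foo@victim.com"
```

`naive_validate(SPLIT)` accepts the address because the raw string ends in `@victim.com`, while `delivery_domain(SPLIT)` shows the modelled mailer sending to `attacker.example`; `hardened_validate` rejects it.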
