Exploiting Parser Flaws for Access Bypasses
The Story
Gareth stumbled into this by pasting special characters into an email address during testing and noticing that Sendmail misrouted it via UUCP (`oastify.com!collab\@example.com` went to oastify.com). That sparked a hunt for parser flaws. Using fuzzers and Burp tools, he crafted addresses that bypass domain-based auth (GitHub, Zendesk, GitLab) or lead to RCE (Joomla via Punycode). It's like slipping through security by speaking an ancient email dialect that apps don't understand.
Key Concepts
- Email Complexity: Addresses can contain quotes (`"@"@example.com`), comments (`(foo)user@domain`), escapes, or encodings (encoded-word, UTF-7, base64). Archaic routing syntaxes such as UUCP bang paths (`host!user`) and source routes (`user%domain@example.com`) change where the mail is delivered.
- Parser Discrepancies: The app's validation (e.g., a regex that allows one `@`) differs from the parsing done by the library or mailer (e.g., Ruby's Mail gem, PHP IDN). Attackers craft addresses that pass validation but route to their own domain.
- Splitting: Generate an extra `@`, `>`, or null so that the app sees `attacker@victim.com` but the mailer sends to `victim@attacker.com`.
- Encodings:
  - Unicode overflows: High Unicode chars (e.g., ❀ % 256 = `@`) bypass filters.
  - Encoded-word: `=?utf-8?q?=41=42=43?=` decodes to `ABC`. Layer with UTF-7/base64 for stealth.
  - Punycode: Malformed decoding (e.g., `xn--0049` → `,`) creates unexpected characters like `<style`.
Exploits
- Sendmail/Postfix: UUCP (`oastify.com!collab\@example.com`) or source routes (`collab%psres.net(@example.com`) misroute mail to the attacker's domain.
- GitHub: `=?x?q?=40=3e=00foo?=@psres.net` splits the address (the encoded-word decodes to `@>` followed by a null) and spoofs domains for a Cloudflare Zero Trust bypass.
- Zendesk: `=?utf-8?q?"=22=3c22=40=3e=00foo?=@psres.net` uses encoded quotes to bypass support desk restrictions.
- GitLab: `=?iso-8859-1?q?=40=3e_foo?=@psres.net` spoofs enterprise/web app registration.
- Joomla: Malformed Punycode (`xn--style-123` → `<style`) plus CSS exfiltration (`@import`) grabs the CSRF token and leads to RCE via a template edit.
- PHPMailer: Decodes encoded-word in the name field; potential XSS (not explored here).
Bug Bounty Guide
Target: Apps with email-based auth (SSO, registration, support desks). Ruby (Mail gem) and PHP (IDN/PHPMailer) are hot spots. Steps:
- Probe: Send an encoded-word address (`=?utf-8?q?collab?=@victim.com`) or a Punycode one (`xn--0049`) to test parsing. Use Burp Collaborator for SMTP/DNS logs.
- Fuzz: Use Turbo Intruder (script in the repo) for encoded-word splits and the Punycode fuzzer for malformed characters. Try `@`, `>`, null, and spaces.
- Exploit: Craft a split (e.g., add `=40=3e=00`) to spoof domains. Chain it to reach restricted areas or to inject (e.g., the Joomla style tag).
- Tools: Hackvertor (tags for Unicode/encoded-word), Turbo Intruder, the Punycode fuzzer (GitHub: portswigger/splitting-the-email-atom). Practice on the Web Security Academy CTF.
Tips: Start with probes, check SMTP logs for decoding, and test layered encodings (UTF-7 + base64). Report bypasses (critical, ~$5k+). Avoid rate limits with sleep timers.
Defense: Block encoded-word syntax (`=[?].+[?]=`), validate after SSO, and avoid domain-only auth.
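As an added example (not code from the original research or the portswigger repo), the following Python script models the parser discrepancy from Key Concepts and implements the check from the Defense line: it expands Q encoded-words the way a lenient mailer would, compares the domain the app validates against the domain the mail would reach, and rejects any address carrying encoded-word syntax. The attacker.example/victim.example addresses and the "stop at `>` or NUL" mailer model are assumptions for illustration.

```python
import re

# RFC 2047 encoded-word. This example only expands the Q encoding used by the
# page's payloads; B (base64) words are left untouched but still get rejected.
ENCODED_WORD = re.compile(r"=\?(?P<cs>[^?]+)\?(?P<enc>[qQbB])\?(?P<txt>[^?]*)\?=")


def decode_q(txt: str) -> str:
    """Q encoding: '_' stands for a space and '=XX' for the byte with hex value XX."""
    return re.sub(r"=([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), txt.replace("_", " "))


def expand_encoded_words(addr: str) -> str:
    """Rewrite each Q encoded-word in place, as a lenient mailer would."""
    return ENCODED_WORD.sub(
        lambda m: decode_q(m.group("txt")) if m.group("enc").lower() == "q" else m.group(0),
        addr)


def app_domain(addr: str) -> str:
    """The validator's view: whatever follows the last '@' in the raw string."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def mailer_domain(addr: str) -> str:
    """Assumed mailer view, modelled on the @>NUL split the page describes: decode
    the encoded-word, stop at the first '>' or NUL, then take the domain after
    the last remaining '@'."""
    decoded = re.split(r"[>\x00]", expand_encoded_words(addr), maxsplit=1)[0]
    return app_domain(decoded)


def check_address(addr: str) -> dict:
    """Defensive check: reject encoded-word syntax outright (the page's regex)
    and any address whose domain differs between the two views."""
    reasons = []
    if re.search(r"=[?].+[?]=", addr):
        reasons.append("encoded-word present")
    a, m = app_domain(addr), mailer_domain(addr)
    if a != m:
        reasons.append(f"domain disagreement: app sees {a!r}, mail goes to {m!r}")
    return {"ok": not reasons, "app_domain": a, "mailer_domain": m, "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: a plain address and one carrying the split payload.
    for sample in ("alice@victim.example",
                   "=?utf-8?q?collab=40attacker.example=3e=00?=alice@victim.example"):
        print(sample, "->", check_address(sample))
```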