Exploiting Parser Flaws for Access Bypasses

The Story

Gareth stumbled into this by pasting special characters into an email address during testing and noticing that Sendmail misrouted it via UUCP (oastify.com!collab\@example.com went to oastify.com). That observation sparked a hunt for parser flaws. Using fuzzers and Burp tools, he crafted addresses that bypass domain-based authentication (GitHub, Zendesk, GitLab) or lead to RCE (Joomla via Punycode). It’s like slipping through security by speaking an ancient email dialect that applications don’t understand.


Key Concepts

  • Email Complexity: Email addresses can contain quotes ("@"@example.com), comments ((foo)user@domain), escapes, or encodings (encoded-word, UTF-7, base64). Archaic routing syntaxes such as UUCP (host!user) or source routes (user%domain@example.com) change where the message is delivered.

  • Parser Discrepancies: The application’s validation (e.g., a regex requiring exactly one @) differs from the parsing done by the mail library or mailer (e.g., Ruby’s Mail gem, PHP’s IDN functions). Attackers craft addresses that pass validation but are routed to their own domain.

  • Splitting: Generate extra @, >, or null characters so that the application sees attacker@victim.com while the mailer sends to victim@attacker.com.

  • Encodings:

    • Unicode Overflows: High code points truncated to a single byte (e.g., ❀ is U+2740, and 0x2740 % 256 = 0x40 = @) bypass filters.

    • Encoded-Word: =?utf-8?q?=41=42=43?= decodes to ABC. Layer with UTF-7/base64 for stealth.

    • Punycode: Malformed decoding (e.g., xn--0049 → ",") produces unexpected characters and, from there, markup such as <style.


Exploits

  • Sendmail/Postfix: UUCP (oastify.com!collab\@example.com) or source routes (collab%psres.net(@example.com) misroute to attacker’s domain.

  • GitHub: =?x?q?=40=3e=00foo?=@psres.net splits email (generates @>null), spoofs domains for Cloudflare Zero Trust bypass.

  • Zendesk: =?utf-8?q?"=22=3c22=40=3e=00foo?=@psres.net uses encoded quotes to bypass support desk restrictions.

  • GitLab: =?iso-8859-1?q?=40=3e_foo?=@psres.net spoofs enterprise/web app registration.

  • Joomla: Malformed Punycode (xn--style-123<style) + CSS exfil (@import) grabs CSRF token, leads to RCE via template edit.

  • PHPMailer: Decodes encoded-word in the display name, a potential XSS vector (not explored in the research).


Bug Bounty Guide

Target: Apps with email-based authentication (SSO, registration, support desks). Ruby (Mail gem) and PHP (IDN/PHPMailer) stacks are hot spots. Steps:

  1. Probe: Send an encoded-word address (=?utf-8?q?collab?=@victim.com) or a Punycode label (xn--0049) to test parsing. Use Burp Collaborator to capture SMTP/DNS logs.

  2. Fuzz: Use Turbo Intruder (script in the repo) for encoded-word splits and the Punycode fuzzer for malformed characters. Try @, >, null, and spaces.

  3. Exploit: Craft a split (e.g., add =40=3e=00) to spoof domains. Chain it to reach restricted areas or to inject markup (e.g., the Joomla style tag).

  4. Tools: Hackvertor (tags for Unicode/encoded-word), Turbo Intruder, Punycode fuzzer (GitHub: portswigger/splitting-the-email-atom). Practice on the Web Security Academy CTF.

  5. Tips: Start with probes, check the SMTP logs for decoding, and test layered encodings (UTF-7+base64). Report bypasses (critical, ~$5k+). Avoid rate limits with sleep timers. Defense: block encoded-word syntax (=[?].+[?]=), validate again after SSO, and avoid domain-only authentication.
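The parser discrepancy and splitting concepts above, together with the defence in tip 5, as an added example that is not code from the original research or from the portswigger tooling. It uses the address strings already quoted on this page as constructed inputs, contrasts a naive single-@ check with what an RFC 2047 decoder produces, and then implements an allowlist validator that rejects encoded-word syntax, comments, quotes, routing characters and non-ASCII before comparing the domain. Python's email.header.decode_header stands in for a decoding-aware mail library; the ALLOWED_DOMAINS set and the latin-1 fallback for an unknown charset are assumptions.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header

# Constructed allowlist for this example; a real application loads its own.
ALLOWED_DOMAINS = {"example.com"}

# The naive check the page describes: exactly one literal "@", and the text
# after it must be an allowed domain.  This is "what the app sees".
NAIVE_RE = re.compile(r"^[^@]+@([^@]+)$")


def naive_domain(addr: str):
    """Domain as a single-'@' regex validator extracts it (None if no match)."""
    m = NAIVE_RE.match(addr)
    return m.group(1).lower() if m else None


def decode_encoded_words(addr: str) -> str:
    """The same string after RFC 2047 encoded-word decoding, i.e. what a
    decoding-aware mail library or mailer may work with downstream."""
    try:
        chunks = decode_header(addr)
    except HeaderParseError:
        return addr  # undecodable: assume a lenient consumer passes it through
    out = []
    for chunk, charset in chunks:
        if isinstance(chunk, bytes):
            try:
                out.append(chunk.decode(charset or "ascii"))
            except (LookupError, UnicodeDecodeError):
                # Unknown or bogus charset (the page's "=?x?q?..." form):
                # assumption that a lenient consumer decodes byte-for-byte.
                out.append(chunk.decode("latin-1"))
        else:
            out.append(chunk)
    return "".join(out)


def low_byte(ch: str) -> str:
    """Character a code point collapses to when a parser keeps only its low
    byte (the page's Unicode-overflow case)."""
    return chr(ord(ch) & 0xFF)


def parsers_disagree(addr: str) -> bool:
    """True when the naive validator accepts the address but the decoded form
    no longer contains exactly one '@', i.e. the two sides disagree on the
    domain."""
    decoded = decode_encoded_words(addr)
    return naive_domain(addr) is not None and decoded.count("@") != 1


ENCODED_WORD_RE = re.compile(r"=\?.+\?=")           # the page's defence regex
LOCAL_RE = re.compile(r"^[A-Za-z0-9._+-]{1,64}$")   # strict local-part allowlist
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def hardened_validate(addr: str, allowed=ALLOWED_DOMAINS):
    """Allowlist validator; returns (accepted, reason)."""
    if not addr.isascii() or not addr.isprintable():
        return False, "non-ASCII or control character"
    if ENCODED_WORD_RE.search(addr):
        return False, "encoded-word syntax"
    if addr.count("@") != 1:
        return False, "must contain exactly one '@'"
    local, domain = addr.split("@")
    if not LOCAL_RE.match(local):
        return False, "local part outside allowlist (quotes, comments, '!', '%', '>')"
    domain = domain.lower()
    if not all(LABEL_RE.match(label) for label in domain.split(".")):
        return False, "malformed domain label"
    if domain not in {d.lower() for d in allowed}:
        return False, "domain not on allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Inputs taken from the page's own examples plus one clean address.
    for addr in ["=?x?q?=40=3e=00foo?=@psres.net",
                 "=?utf-8?q?collab?=@victim.com",
                 "(foo)user@example.com",
                 "collab@example.com"]:
        print(repr(addr))
        print("  naive domain :", naive_domain(addr))
        print("  decoded form :", repr(decode_encoded_words(addr)))
        print("  disagree?    :", parsers_disagree(addr))
        print("  hardened     :", hardened_validate(addr))
```

Running the block shows the GitHub-style string passing the naive check with domain psres.net while its decoded form carries a second @ and a null byte; the hardened validator rejects it on the encoded-word pattern before any domain comparison happens. The allowlist is deliberately stricter than RFC 5322, which is the trade-off tip 5 recommends: accept fewer legal addresses rather than let two parsers disagree about one.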
