What is Email Injection
Email injection is a vulnerability in web applications that build email messages from user-supplied input without validating it. Because the input is copied into email headers and addresses, an attacker can craft values that the mail-sending code or the receiving mail server interprets differently from the application's own checks, allowing unauthorized emails to be sent, typically for phishing or spam.
Exploitation
# Whitelist Bypass
inti(;inti.io;)@whitelisted.com
inti(@ ---> ❌
inti@inti.io ---> ✅
)@whitelisted.com ---> ❌
---------------------------------------------------------------------------
# Quotes
- "(),:;<>@[\]
- ""\"@example.com
- "@"@example.com
- " "@example.com
- "😀"@example.com
---------------------------------------------------------------------------
# IP
- john.doe@[127.0.0.1]
- john.doe@[IPv6:2001:db8::1]
---------------------------------------------------------------------------
# Email Encoding
- See the email atom section.
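To show why the addresses above are useful to an attacker, here is an added Python check (not code from the page or from the HackTricks source) that contrasts a naive domain allowlist, which only looks at the text after the last `@`, with a strict-shape allowlist that refuses comments, quoted local parts and address literals before comparing the domain. The allowlist, the plain address and the CR/LF sample are constructed for the demonstration.

```python
import re

# Constructed allowlist for the demonstration.
ALLOWED_DOMAINS = {"whitelisted.com", "example.com"}

# Strict shape: dot-atom local part (RFC 5322 atext) at a hostname domain.
# Comments, quoted local parts and address literals are deliberately excluded.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
STRICT_ADDR = re.compile(rf"{_ATEXT}(?:\.{_ATEXT})*@{_LABEL}(?:\.{_LABEL})+")

def naive_domain(addr: str) -> str:
    """What a typical allowlist check compares: whatever follows the last '@'."""
    return addr.rsplit("@", 1)[-1].lower()

def exotic_syntax(addr: str) -> list[str]:
    """Flag the RFC 5322 features from this page that let one address mean
    different things to different parsers, plus raw CR/LF (header injection)."""
    flags = []
    if re.search(r"[\r\n\x00]", addr):
        flags.append("control-char")
    if "(" in addr or ")" in addr:
        flags.append("comment")        # inti(;inti.io;)@whitelisted.com
    local, _, domain = addr.rpartition("@")
    if local.startswith('"'):
        flags.append("quoted-local")   # "@"@example.com, " "@example.com
    if domain.startswith("[") and domain.endswith("]"):
        flags.append("ip-literal")     # john.doe@[127.0.0.1]
    return flags

def check(addr: str) -> dict:
    """Naive check: domain after last '@' is allowlisted.
    Strict check: same, but only after the whole address has the plain shape."""
    domain_ok = naive_domain(addr) in ALLOWED_DOMAINS
    return {
        "naive": domain_ok,
        "strict": domain_ok and STRICT_ADDR.fullmatch(addr) is not None,
        "flags": exotic_syntax(addr),
    }

if __name__ == "__main__":
    # Constructed sample input: payloads from this page plus a plain address.
    for s in ["inti(;inti.io;)@whitelisted.com", '"@"@example.com',
              "john.doe@[127.0.0.1]", "alice@example.com"]:
        print(f"{s:35} {check(s)}")
```

The comment and quoted-local payloads pass the naive check because their visible domain is allowlisted, while the strict check rejects every address whose syntax a downstream parser could read differently.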
More Information
https://book.hacktricks.wiki/en/pentesting-web/email-injections.html