You've Got Pwned

Inti De Ceukelaire presents on exploiting e-mail systems. He discusses how e-mail addresses can contain complex payloads that enable attacks such as XSS, SQL injection and header injection. He also shows how to bypass strict e-mail validators through SSO chains and integrations. Finally, he demonstrates tools for e-mail-based reconnaissance and warns against actual spamming without permission.


exploiting e-mail systems

Inti De Ceukelaire - @securinti

@securinti - @intigriti
Mandatory introduction slide for credibility

👨💻 Inti De Ceukelaire

🇧🇪 Even in Belgium, that’s a weird name

💼 Community manager at Intigriti

❤ Live hacking events

🏆 HackerOne h1-702 MVH

✉ I like e-mails

💰 $75K+ in e-mail related bug bounties


Why I like e-mails

💌 Confidential information

🔓 Password reset links

⚙ Complex logic

⛓ Integrated into other systems

🗝 Outdated security

🌐 It’s everywhere

E-mail address
[email protected] (local part @ domain)

The local part (john.doe)

● Latin letters A-Z and a-z ([email protected])
● Digits 0 to 9 ([email protected])
● Dot . (not the first character, not the last one, no consecutive dots) ([email protected])
● Printable characters !#$%&'*+-/=?^_`{|}~
○ alice&[email protected]
● International characters (above U+007F, encoded as UTF-8)
○ jöhn.døê@gmail.com

The local part, quoted (“john.doe”)

BUT, if quoted (“john.doe”@example.com):

● Extra characters: "(),:;<>@[\]
○ “\"”@example.com (quotes and backslashes need a backslash)
○ “@”@example.com
● Spaces, tabs
○ " "@example.com
● Even emoji
○ "😀"@gmail.com

Special case: wildcards & comments

● +, - and {} can in rare cases be used for tagging
● The tag is ignored by most e-mail servers
○ E.g. [email protected] → [email protected]
● Comments between parentheses () at the beginning or the end
○ E.g. john.doe(intigriti)@example.com → [email protected]

The domain part (example.com)

● More strict

● Latin letters (uppercase / lowercase)

● Digits

● Hyphen (-), if not first or last character

● Square brackets to indicate IP address

○ john.doe@[127.0.0.1]

○ john.doe@[IPv6:2001:db8::1]

Let’s construct some payloads!

These are all valid e-mail addresses

XSS
  test+(<script>alert(0)</script>)@example.com
  test@example(<script>alert(0)</script>).com
  "<script>alert(0)</script>"@example.com

Template injection
  "<%= 7 * 7 %>"@example.com
  test+(${{7*7}})@example.com

SQLi
  "' OR 1=1 -- '"@example.com
  "mail'); DROP TABLE users;--"@example.com

SSRF
  [email protected] (thanks @d0nutptr)
  john.doe@[127.0.0.1]

Parameter pollution
  victim&[email protected]

(Email) Header injection
  "%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
  "[email protected]>\r\nRCPT TO:<victim+"@test.com

Wildcard abuse
  %@example.com

Defeating e-mail address domain whitelists

● inti(;[email protected];)@whitelisted.com
  → inti(;
  → [email protected] → my inbox!
  → ;)@whitelisted.com
● [email protected](@whitelisted.com)
● inti+(@whitelisted.com;)@inti.io
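An added example, not from the talk: the contrast between a substring allowlist check that the comment payloads above slip past and a conservative full-match parser that refuses comments, quotes, IP literals and the other payload characters outright instead of trying to interpret them. ALLOWED_DOMAINS, the sample addresses and attacker@example.net (standing in for the redacted address) are constructed for this example.

```python
import re
from typing import Optional, Tuple

# Constructed for this example: the only domain the sign-up form should accept.
ALLOWED_DOMAINS = {"whitelisted.com"}

# Deliberately conservative grammar: no comments, quoted local parts, IP literals,
# whitespace or ; % & < > characters. It also refuses the internationalized local
# parts from the slides; widen it consciously if you need them, never by default.
STRICT = re.compile(r"[A-Za-z0-9._+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}")

def naive_allowed(addr: str) -> bool:
    """The flawed check: '@whitelisted.com appears somewhere in the string'."""
    return re.search(r"@whitelisted\.com", addr, re.IGNORECASE) is not None

def strict_parse(addr: str) -> Optional[Tuple[str, str]]:
    """Return (local, lowercased domain) only if the whole string matches STRICT."""
    if len(addr) > 254 or not STRICT.fullmatch(addr):
        return None
    local, domain = addr.rsplit("@", 1)
    if ".." in local or local[0] == "." or local[-1] == ".":
        return None  # dot rules from the local-part slide
    if any(lbl[0] == "-" or lbl[-1] == "-" for lbl in domain.split(".")):
        return None  # hyphen rule from the domain-part slide
    return local, domain.lower()

def strict_allowed(addr: str) -> bool:
    """Allowlist decision taken on the parsed domain, never on a substring match."""
    parsed = strict_parse(addr)
    return parsed is not None and parsed[1] in ALLOWED_DOMAINS

def canonical(addr: str) -> Optional[str]:
    """Mailbox identity for duplicate-account checks: drop the +tag, lowercase.
    Assumes '+' is the only tag separator in use; '-' and '{}' tags are left alone."""
    parsed = strict_parse(addr)
    if parsed is None:
        return None
    local, domain = parsed
    return f"{local.split('+', 1)[0].lower()}@{domain}"

if __name__ == "__main__":
    # Constructed samples from the payload slides; attacker@example.net is a stand-in.
    for sample in ("john.doe@whitelisted.com",
                   "inti(;attacker@example.net;)@whitelisted.com",
                   "attacker@example.net(@whitelisted.com)",
                   "inti+(@whitelisted.com;)@example.net"):
        print(f"{sample:48} naive={naive_allowed(sample)} strict={strict_allowed(sample)}")
```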

HTML injection in gmail

Email from [email protected] to:

inti.de.ceukelaire+(<b>bold<u>underline<s>strike<br/>newline<strong>strong<sup>sup<sub>sub)@gmail.com

This led to wormable XSS in multiple popular e-mail clients

Bypassing strict e-mail validators

Bypassing strict e-mail validators through SSO chains & integrations (series of screenshots)
Differences in SSO providers (providers shown as logos, one row per provider)

XSS payloads in email addresses?
NO
YES
NO
NO
YES
Bypassing strict e-mail validators through SSO chains & integrations (series of screenshots)

NO XSS here
But I found something better.
Differences in SSO providers (providers shown as logos, one row per provider)

XSS payloads in email addresses? | Unverified e-mails?
NO | NO
YES | NO
NO | NO
NO | NO
YES | YES*

*verification status is sent within the IdP response, but not mandatory
Doesn’t work to hijack GitLab accounts 😔

My actual forum account: [email protected] (confirmed)
Attacker account (confirmation bypassed): [email protected] (“confirmed”)

(diagram, built up over four slides: fake account → GitLab → real forum account → account takeover!)
Shoutout to Ron Chan (@ngalog)

Let’s start sending e-mails

(diagram, two slides: an e-mail either arrives or bounces)
⚠ PSA ⚠
Don’t be a spammer
Seek permission
Reduce noise
State your intentions

Verifying the existence of e-mail addresses (NO SPAM)
● VRFY SMTP command
VRFY Smith
R: 251 User not local; will forward to <[email protected]>
● Setting RCPT TO

Tools and APIs
E-mail based recon

Customer Support | Internal ticketing | Misc.
support@ | jira@ | print@
feedback@ | asana@ | slack@
hello@ | bug(s)@ | upload@
service@ | it@ | test@
help@ | tickets@ | tweet@
... | ... | ...

⇒ Ticket Trick ⇒ Atlassian misconfigurations ⇒ Weird stuff

E-mail based recon - test@ (screenshots)
E-mail based recon - free Slack invite (slack@ in the Misc. column)

E-mail based recon - using printer as inbox (print@ in the Misc. column)
E-mail based recon - print@ 🖨

● On-site testing
● Public printers
● Social engineering
● Only works if the code is written out in text (no buttons like Slack)

E-mail based recon - autoresponders (series of screenshots)

Blind attacks through e-mail
1. Blind XSS in HTML e-mails
   a. Include template injection payloads!
2. Blind template injection
3. Blind remote code execution
   a. Include blind XSS + phpinfo()
   b. Send as .php/.phtml/... attachment

(diagram: an e-mail either arrives or bounces)
What I see vs. what the owner sees (Google forwarder; diagram built up over three slides)

What I see:
- Owner identity unknown
- Inbox full
- Bounce with data: owner e-mail, document title
- + Sharing link in mail body

What the owner sees, includes:
- Sharing link
- Title


Invoking a bounce
SPF
Sender Policy Framework

DKIM
DomainKeys Identified Mail

SPF
Sender Policy Framework
(Always bounce)

DMARC
Domain-based Message Authentication, Reporting and Conformance

Forwarders in real life
1. [email protected] (de-anonymise ransomware)
(diagram: [email protected] → [email protected], bounce → Unmasked!)
*This is a reconstruction

Forwarders in real life
2. User e-mail aliases:

[email protected]
intidc@wearehackerone.com
intidc@bugcrowdninja.com
Hacking our own @intigriti.me forwarder (screenshots)
Forwarders in real life
3. Branded multi-tenant environments: account takeover, no user interaction

(diagram, built up over ten slides)
- saas-app.com serves tenants on branded domains: saasapp.alice.com (Alice) and saasapp.tools.john.io (John), each with its own [email protected] address
- saas-app.com sends a password reset mail to [email protected] (STRICT DKIM)
- SSO: *adds alice to tenant*
- Password reset mail for alice
- BOUNCE
- *has Alice’s password reset*
- *Access to alice.com using Alice’s account*

Thank you!
@intigriti - @securinti
