You Ve Got Pwned

exploiting e-mail systems
Inti De Ceukelaire - @securinti
@securinti - @intigriti
Mandatory introduction slide for credibility
👨💻 Inti De Ceukelaire
🇧🇪 Even in Belgium, that’s a weird name
💼 Community manager at Intigriti
❤ Live hacking events
🏆 HackerOne h1-702 MVH
✉ I like e-mails
💰 $75K+ in e-mail related bug bounties

Why I like e-mails
💌 Confidential information
🔓 Password reset links
⚙ Complex logic
⛓ Integrated into other systems
🗝 Outdated security
🌐 It’s everywhere
E-mail address
john.smith@example.com
local part domain
The local part (john.doe)
● Latin letters A-Z and a-z (a@example.com)

● Digits 0 to 9
○ 1337@example.com
● Dot . (Not first character, not last one, no consecutive dots
○ john..doe@example.com
● Printable characters !#$%&'*+-/=?^_`{|}~
○ alice&john!@example.com
● International characters (above U+007F, encoded as UTF-8)
○ jöhn.døê@gmail.com
The local part, quoted (“john.doe”)
BUT, if quoted (“john.doe”@example.com):
● Extra characters: "(),:;<>@[\]

○ “\"”@example.com (quotes and backslashes need a backslash)
○ “@”@example.com
● Spaces, tabs
○ " "@example.com
● Even emoji’s
○ "😀"@gmail.com
Special case: wildcards & comments
● +, - and {} in rare occasions can be used for tagging
● Ignored by most e-mail servers
○ E.g. john.doe+intigriti@example.com → john.doe@example.com
● Comments between parentheses () at the beginning or the end
○ E.g. john.doe(intigriti)@example.com → john.doe@example.com
The domain part (example.com)
● More strict
● Latin letters (uppercase / lowercase)
● Digits
● Hyphen (-), if not first or last character
● Square brackets to indicate IP address
○ john.doe@[127.0.0.1]
○ john.doe@[IPv6:2001:db8::1]
Let’s construct
some payloads!
These are all valid e-mail addresses
XSS test+(<script>alert(0)</script>)@example.com
test@example(<script>alert(0)</script>).com
"<script>alert(0)</script>"@example.com
Template "<%= 7 * 7 %>"@example.com

injection test+(${{7*7}})@example.com
SQLi "' OR 1=1 -- '"@example.com

"mail'); DROP TABLE users;--"@example.com
SSRF john.doe@abc123.burpcollaborator.net (thanks @d0nutptr)

john.doe@[127.0.0.1]
Parameter pollution victim&email=attacker@example.com
(Email) "%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
Header injection "recipient@test.com>\r\nRCPT TO:<victim+"@test.com
Wildcard abuse %@example.com
Defeating e-mail address domain whitelists
● inti(;inti@inti.io;)@whitelisted.com
→ inti(;
→ inti@inti.io → my inbox!
→ ;)@whitelisted.com
● inti@inti.io(@whitelisted.com)
● inti+(@whitelisted.com;)@inti.io
HTML injection in gmail
Email from test@inti.io to:
inti.de.ceukelaire+(<b>bold<u>underline<s>strike<br/>newline<strong>strong<sup>sup<sub>sub)@gmail.com
This led to wormable XSS in
multiple popular e-mail clients
Bypassing
strict e-mail validators
Bypassing strict e-mail validators through SSO chains & integrations
Differences in SSO providers
XSS payloads
in email addresses?
NO
YES
NO
NO
YES
NO XSS here
But I found something better.
Differences in SSO providers
XSS payloads
Unverified e-mails?
in email addresses?
NO NO
YES NO
NO NO
NO NO
YES YES*
*verification status is sent within the idp response, but not mandatory
Doesn’t work to hijack GitLab accounts 😔
My actual forum account:
securinti@wearehackerone.com (confirmed)
Attacker account (confirmation bypassed) My actual forum account:
securinti@wearehackerone.com (“confirmed”) securinti@wearehackerone.com (confirmed)
FA RE
A
K
A C E GI AC L FO
CO
C O TLA
UN UN RUM
T B T
FA RE
A
K
A C E GI AC L FO
CO
C O TLA
UN UN RUM
T B T
FA
K
A C E GI RE
A
C O TLA AC L FO
UN
T B CO
UN RUM
T
AC RE
TA C O U N A
AC L FO
KE
OV T CO
ER UN RUM
! T
Shoutout to Ron Chan (@ngalog)
Let’s start sending
e-mails
arrives bounces
arrives bounces
⚠ PSA ⚠
Don’t be a spammer
Seek permission
Reduce noise
State your intentions
Verifying the existence of e-mail addresses (NO SPAM)
● VRFY SMPT command
VRFY Smith
R: 251 User not local; will forward to <Smith@USC-ISIQ.ARPA>
● SETTING RCPT TO
Tools and API’s
E-mail based recon
Customer Support Internal ticketing Misc.
support@ jira@ print@
feedback@ asana@ slack@
hello@ bug(s)@ upload@
service@ it@ test@
help@ tickets@ tweet@
... ... ...
E-mail based recon
service@ it@ test@
... ... ...
⇒ Ticket Trick ⇒ Atlassian misconfigurations ⇒ Weird stuff
E-mail based recon - test@
E-mail based recon - test@
E-mail based recon - free Slack invite
service@ it@ test@
... ... ...
E-mail based recon - using printer as inbox
service@ it@ test@
... ... ...
E-mail based recon - print@ 🖨
● On-site testing
● Public printers
● Social engineering
● Only works if code
is written out in text
(no buttons like Slack)
E-mail based recon - autoresponders
Blind attacks through e-mail
1. Blind XSS in HTML e-mails
a. Include template injection payloads!
2. Blind template injection

3. Blind remote code execution
a. Include blind XSS + phpinfo()
b. Send as .php/.phtml/... attachment
arrives bounces
What I see What the owner sees
Google
forwarder
Owner identity unknown Includes:

- Sharing link
- Title
What I see What the owner sees
Google
forwarder
Inbox full
Owner identity unknown Includes:

- Sharing link
- Title
What I see: What the owner sees
bounce with data
owner
email
document
title
Includes:
- Sharing link
- Title
+ Sharing link in mail body @securinti - @intigriti

Invoking a
bounce
SPF
Sender Policy Framework
DKIM
DomainKeys Identified Mail
SPF
Sender Policy Framework
y sb
ounc
e
lwa
A
DMARC
DomainKeys Identified Mail
Forwarders in real life
1. admin@shadywebsite.com (de-anonymise ransomware)
backupdata.company@malicious.com ???@gmail.com
bounce
Unmaske
d!
*This is a reconstruction
2. User e-mail aliasses:
intidc@intigriti.me
intidc @wearehackerone.com
intidc @bugcrowdninja.com
Hacking our own @intigriti.me forwarder
Hacking our own @intigriti.me forwarder
3. Branded multi-tenant environments
saas-app.com
saasapp.alice.com saasapp.tools.john.io
Alice John
3. Branded multi-tenant environmets
saas-app.com
t Password reset mail
rese no-reply@john.io
ord
ssw
Pa
Alice John
saas-app.com
ord
ssw
Pa
john@john.io
Alice John
saas-app.com
O
SS
*adds alice to tenant*
Alice John
saas-app.com e
r alic
o
et f Password reset mail
d res no-reply@john.io
r
ss wo
Pa
O
SS
Alice John
saas-app.com
ord
ssw
Pa
alice@alice.com
S SO
Alice John
saas-app.com
rese no-reply@john.io (STRICT DKIM)
ord
ssw
Pa
alice@alice.com
S SO
Alice John
saas-app.com
ord
ssw
Pa
BOUNCE
alice@alice.com
S SO
Alice John
saas-app.com
ord
ssw
Pa
BOUNCE
alice@alice.com
S SO
*has Alice’s password reset*
Alice John
3. Branded multi-tenant environmets: account takeover, no user interaction
saas-app.com
ord
ssw
Pa
BOUNCE
alice@alice.com
*Access to alice.com
using Alice’s account*
Alice John
Thank you!
@intigriti - @securinti

You Ve Got Pwned

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

You Ve Got Pwned

Uploaded by

Copyright:

Available Formats

exploiting e-mail systems

Inti De Ceukelaire - @securinti

🇧🇪 Even in Belgium, that’s a weird name

💼 Community manager at Intigriti

❤ Live hacking events

🏆 HackerOne h1-702 MVH

💰 $75K+ in e-mail related bug bounties

🔓 Password reset links

⛓ Integrated into other systems

local part domain

● Latin letters A-Z and a-z (a@example.com)

BUT, if quoted (“john.doe”@example.com):

● Extra characters: "(),:;<>@[\]

● +, - and {} in rare occasions can be used for tagging

● Ignored by most e-mail servers

○ E.g. john.doe+intigriti@example.com → john.doe@example.com

● Comments between parentheses () at the beginning or the end

○ E.g. john.doe(intigriti)@example.com → john.doe@example.com

● Latin letters (uppercase / lowercase)

● Hyphen (-), if not first or last character

● Square brackets to indicate IP address

Template "<%= 7 * 7 %>"@example.com

SQLi "' OR 1=1 -- '"@example.com

SSRF john.doe@abc123.burpcollaborator.net (thanks @d0nutptr)

Parameter pollution victim&email=attacker@example.com

Wildcard abuse %@example.com

Email from test@inti.io to:

Customer Support Internal ticketing Misc.

support@ jira@ print@

feedback@ asana@ slack@

hello@ bug(s)@ upload@

service@ it@ test@

help@ tickets@ tweet@

... ... ...

Customer Support Internal ticketing Misc.

support@ jira@ print@

feedback@ asana@ slack@

hello@ bug(s)@ upload@

service@ it@ test@

help@ tickets@ tweet@

... ... ...

⇒ Ticket Trick ⇒ Atlassian misconfigurations ⇒ Weird stuff

Customer Support Internal ticketing Misc.

support@ jira@ print@

feedback@ asana@ slack@

hello@ bug(s)@ upload@

service@ it@ test@

help@ tickets@ tweet@

... ... ...

⇒ Ticket Trick ⇒ Atlassian misconfigurations ⇒ Weird stuff

Customer Support Internal ticketing Misc.

support@ jira@ print@

feedback@ asana@ slack@

hello@ bug(s)@ upload@

service@ it@ test@

help@ tickets@ tweet@

... ... ...

⇒ Ticket Trick ⇒ Atlassian misconfigurations ⇒ Weird stuff

2. Blind template injection

Owner identity unknown Includes:

Owner identity unknown Includes:

+ Sharing link in mail body @securinti - @intigriti

You might also like