Splitting the email atom: exploiting parsers to bypass access controls

Presented at DEF CON 32 (2024), Aug. 11, 2024, 10 a.m. (45 minutes).

Websites often parse users' email addresses to identify their organisation. Unfortunately, parsing emails is far from straightforward thanks to a collection of ancient RFCs that everyone knows are crazy. You can probably see where this is going… In this session, I'll introduce techniques for crafting RFC-compliant email addresses that bypass virtually all defences, leading to broken assumptions, parser discrepancies and emails being routed to wildly unexpected destinations. I'll show you how to exploit multiple applications and libraries to spoof email domains, access internal systems protected by 'Zero Trust', and bypass employee-only registration barriers. Then I'll introduce another class of attack - harmless-looking input transformed into malicious payloads by unwitting libraries, leading to yet more misrouted emails, and blind CSS injection on a well-known target. I'll leave you with a full methodology and toolkit to identify and exploit your own targets, plus a CTF to develop your new skillset.

References:

- Email parsing:
  - [link](https://www.jochentopf.com/email/address.html)
  - [link](https://nathandavison.com/blog/exploiting-email-address-parsing-with-aws-ses)
  - [link](https://medium.com/@fs0c131y/tchap-the-super-not-secure-app-of-the-french-government-84b31517d144)
- CSS Exfiltration:
  - [link](https://vwzq.net/slides/2019-s3_css_injection_attacks.pdf)
  - [link](https://d0nut.medium.com/better-exfiltration-via-html-injection-31c72a2dae8b)
- Unicode:
  - [link](https://www.sonarsource.com/blog/10-unknown-security-pitfalls-for-python/#:~:text=8.%20Unicode%20Case%20Collision)
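The core defensive lesson of the abstract is that an organisation should never be derived from a lenient parse of an email address. The example below is added here and is not code from the talk or from PortSwigger; it contrasts the common "everything after the last @" shortcut with a strict check that only accepts a plain dot-atom local part at a multi-label ASCII domain, refusing quoted strings, comments, extra "@" signs and non-ASCII characters instead of interpreting them. The sample addresses are constructed.

```python
import re
from typing import Optional

# Strict subset of RFC 5322: dot-atom local part, DNS-label domain.
# Everything else is refused rather than parsed (assumption: the site
# only needs to recognise plain corporate addresses).
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL = rf"{_ATEXT}(?:\.{_ATEXT})*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})+"
_STRICT = re.compile(rf"^{_LOCAL}@{_DOMAIN}$")


def naive_domain(addr: str) -> str:
    """The shortcut many sites use: whatever follows the last '@'."""
    return addr.rsplit("@", 1)[-1].lower()


def strict_domain(addr: str) -> Optional[str]:
    """Lower-cased domain if the whole address is plain dot-atom@domain,
    else None so the caller treats the organisation as unknown."""
    if len(addr) > 254 or not addr.isascii() or not _STRICT.fullmatch(addr):
        return None
    return addr.rsplit("@", 1)[1].lower()


def is_employee(addr: str, org_domain: str) -> bool:
    """Grant the employee role only on a strict, canonical match."""
    dom = strict_domain(addr)
    return dom is not None and dom == org_domain.lower()


# Constructed samples: one canonical address, one with case differences,
# then textbook RFC forms that a naive parser silently 'understands'.
CONSTRUCTED_SAMPLES = [
    "alice@corp.example",
    "Alice.Smith@Corp.Example",
    '"alice@corp.example"@mail.example',   # quoted local part
    "alice(note)@corp.example",            # RFC 5322 comment
    "alice@corp.example@other.example",    # more than one '@'
    "alıce@corp.example",                  # non-ASCII look-alike
]


def discrepancies(addrs=CONSTRUCTED_SAMPLES):
    """Addresses on which the naive and strict views of the domain differ."""
    return [a for a in addrs if naive_domain(a) != strict_domain(a)]
```

Any address in `discrepancies()` is one where a site trusting the naive domain would reach a different conclusion from a strict validator, which is exactly the gap the talk's parser-discrepancy attacks live in.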

Presenters:

  • Gareth Heyes - Researcher at PortSwigger
    PortSwigger researcher Gareth Heyes is probably best known for smashing the AngularJS sandbox to pieces and creating super-elegant XSS vectors. He is the author of JavaScript for hackers. In his daily life at PortSwigger, Gareth can often be found creating new XSS vectors, and researching new techniques to attack web applications. He has a keen interest in hacking CSS to do wonderful, unexpected things and can often be seen experimenting with 3D pure CSS rooms, games and taking markup languages to the limit on his website. He's also the author of PortSwigger's XSS Cheat Sheet. In his spare time, he loves writing new BApp extensions such as Hackvertor.
