Websites often parse users' email addresses to identify their organization. Unfortunately, parsing emails is far from straightforward thanks to a collection of ancient RFCs that everyone knows are crazy. You can probably see where this is going...
In this session, I'll introduce techniques for crafting RFC-compliant email addresses that bypass virtually all defenses leading to broken assumptions, parser discrepancies and emails being routed to wildly unexpected destinations. I'll show you how to exploit multiple applications and libraries to spoof email domains, access internal systems protected by 'Zero Trust', and bypass employee-only registration barriers.
Then I'll introduce another class of attack - harmless-looking input transformed into malicious payloads by unwitting libraries, leading to yet more misrouted emails, and blind CSS injection on a well-known target.
I'll leave you with a full methodology and toolkit to identify and exploit your own targets, plus a CTF to develop your new skillset.
Gareth Heyes, PortSwigger researcher, is probably best known for smashing the AngularJS sandbox to pieces and creating super-elegant XSS vectors. He is the author of JavaScript for hackers. In his daily life at PortSwigger, Gareth can often be found creating new XSS vectors, and researching new techniques to attack web applications. He has a keen interest in hacking CSS to do wonderful, unexpected things and can often be seen experimenting with 3D pure CSS rooms, games and taking markup languages to the limit on his website. He's also the author of PortSwigger's XSS Cheat Sheet. In his spare time, he loves writing new BApp extensions such as Hackvertor.
