
Manual/Book [BlackHat USA 2024] Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls

weaver

Description
Websites often parse users' email addresses to identify their organization. Unfortunately, parsing emails is far from straightforward thanks to a collection of ancient RFCs that everyone knows are crazy. You can probably see where this is going…

In this session, I'll introduce techniques for crafting RFC-compliant email addresses that bypass virtually all defenses leading to broken assumptions, parser discrepancies and emails being routed to wildly unexpected destinations. I'll show you how to exploit multiple applications and libraries to spoof email domains, access internal systems protected by 'Zero Trust', and bypass employee-only registration barriers.

Then I'll introduce another class of attack - harmless-looking input transformed into malicious payloads by unwitting libraries, leading to yet more misrouted emails, and blind CSS injection on a well-known target.

I'll leave you with a full methodology and toolkit to identify and exploit your own targets, plus a CTF to develop your new skillset.
blackhat.com/us-24/briefings/schedule/#splitting-the-email-atom-exploiting-parsers-to-bypass-access-controls-39193

slides

whitepaper

git
https://github.com/portswigger/splitting-the-email-atom
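To make the "parser discrepancy" class from the abstract concrete, here is an added example in Python. It is not code from the talk, the whitepaper or the linked repository; the three parser views (a naive last-'@' split, an RFC 5322 addr-spec splitter that honours quoted-strings and comments, and a pass through the standard library's RFC 2047 encoded-word decoder) and the final allowlist check are my own, and the sample addresses with the `attacker.example` placeholder are constructed for illustration.

```python
"""
Email-address parser discrepancies (added example, not from the talk).

Three ways an application may derive the "organisation" domain from one
RFC 5322-compliant address, plus an allowlist check that refuses any
address the parsers read differently.  Sample addresses are constructed;
attacker.example stands in for a domain the attacker controls.
"""
import re
from email.header import decode_header


def naive_domain(addr: str) -> str:
    """What many allowlist checks do: take everything after the last '@'."""
    return addr.rsplit("@", 1)[-1].lower()


def rfc5322_parts(addr: str) -> tuple[str, str]:
    """Split an addr-spec into (local_part, domain) the RFC 5322 way.

    Comments "(...)" are dropped (they may nest and carry no routing
    meaning); a quoted-string "..." is kept verbatim so an '@' inside it
    stays in the local part; backslash escapes the next character in
    both.  The domain is what follows the first '@' that is neither
    quoted nor inside a comment.  Raises ValueError on a second such '@'
    or on an unterminated quote/comment.
    """
    local, domain = [], []
    target = local
    depth = 0            # comment nesting depth
    in_quote = False
    i = 0
    while i < len(addr):
        c = addr[i]
        if c == "\\" and i + 1 < len(addr) and (in_quote or depth):
            if in_quote:
                target.append(addr[i:i + 2])
            i += 2
            continue
        if in_quote:
            in_quote = c != '"'
            target.append(c)
        elif depth:
            depth += {"(": 1, ")": -1}.get(c, 0)
        elif c == '"':
            in_quote = True
            target.append(c)
        elif c == "(":
            depth = 1
        elif c == "@":
            if target is domain:
                raise ValueError("second unquoted '@' in addr-spec")
            target = domain
        else:
            target.append(c)
        i += 1
    if in_quote or depth:
        raise ValueError("unterminated quoted-string or comment")
    return "".join(local), "".join(domain)


def rfc2047_decode(addr: str) -> str:
    """What a library that applies RFC 2047 encoded-word decoding to the
    address sees.  '=?charset?q?...?=' is valid dot-atom text, so it passes
    naive and RFC 5322 parsing unchanged, yet decodes to a different string."""
    out = []
    for chunk, charset in decode_header(addr):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", "replace")
            except LookupError:          # unknown charset label
                chunk = chunk.decode("ascii", "replace")
        out.append(chunk)
    return "".join(out)


def domain_views(addr: str) -> dict[str, str]:
    """Domain according to each parser; any disagreement is the bug class."""
    def domain_or_error(a: str) -> str:
        try:
            return rfc5322_parts(a)[1].lower()
        except ValueError as exc:
            return f"<invalid: {exc}>"
    return {
        "naive_last_at": naive_domain(addr),
        "rfc5322": domain_or_error(addr),
        "rfc2047_then_rfc5322": domain_or_error(rfc2047_decode(addr)),
    }


def has_discrepancy(addr: str) -> bool:
    return len(set(domain_views(addr).values())) > 1


# Strict subset accepted by the hardened check: dot-atom local part,
# plain hostname domain.  Note that dot-atom text legally contains '=' and
# '?', so the regex alone does not exclude encoded words.
DOT_ATOM_TEXT = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
                           r"(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*$")
HOSTNAME = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
                      r"[a-z]{2,63}$")


def is_safe_org_address(addr: str, allowed_domains: set[str]) -> bool:
    """Allowlist check that accepts only addresses every parser reads alike."""
    if "=?" in addr or rfc2047_decode(addr) != addr:
        return False                      # encoded word present
    try:
        local, domain = rfc5322_parts(addr)
    except ValueError:
        return False
    if f"{local}@{domain}" != addr:       # a comment or quoting was stripped
        return False
    domain = domain.lower()
    if not DOT_ATOM_TEXT.match(local) or not HOSTNAME.match(domain):
        return False
    return domain in allowed_domains      # naive view now agrees by construction


SAMPLES = [                               # constructed test inputs
    "alice@example.com",
    "alice@example.com(@attacker.example)",
    '"alice@attacker.example"@example.com',
    "=?utf-8?q?alice=40attacker.example?=@example.com",
]

if __name__ == "__main__":
    for a in SAMPLES:
        print(a)
        for name, dom in domain_views(a).items():
            print(f"  {name:22} {dom}")
        print(f"  allowlisted: {is_safe_org_address(a, {'example.com'})}")
```

Running it shows the two shapes of failure the abstract describes: the comment sample gives the naive split `attacker.example)` while an RFC 5322 parser sees `example.com`, and the encoded-word sample is `example.com` to both of those parsers but decodes to `alice@attacker.example@example.com`, an address with two unquoted '@' whose routing is then up to whatever library sends the mail. The quoted-string sample is read as `example.com` by all three domain views, yet smuggles an '@' into the local part, which is why the hardened check restricts the local part to dot-atom text and requires the address to reconstruct byte-for-byte from the parsed parts.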