Lab: Bypassing access controls using email address parsing discrepancies

This lab validates email addresses to prevent attackers from registering addresses from unauthorized domains. There is a parser discrepancy between the validation logic and the library used to parse email addresses.

To solve the lab, exploit this flaw to register an account and delete carlos.

Required knowledge

To solve this lab, you'll need to understand the techniques described in the Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls whitepaper by Gareth Heyes of the PortSwigger Research team.

Solution

Identify the registration restriction

  1. Open the lab and click Register.

  2. Attempt to register an account with the email foo@exploit-server.net.

  3. Notice that the application blocks the request and displays an error message stating that the email domain must be ginandjuice.shop. This indicates the server enforces a domain check during registration.

Investigate encoding discrepancies

  1. Try to register an account with the following email:

    =?iso-8859-1?q?=61=62=63?=foo@ginandjuice.shop.

    This is the email abcfoo@ginandjuice.shop, with the abc portion encoded using Q encoding, which is part of the "encoded-word" standard.

  2. Notice that the registration is blocked with the error: "Registration blocked for security reasons."

  3. Try to register an account with the following UTF-8 encoded email:

    =?utf-8?q?=61=62=63?=foo@ginandjuice.shop.

  4. Notice that the registration is blocked with the same error message. This suggests that the server is detecting and rejecting attempts to manipulate the registration email with encoded-word encoding. It is possible that less common encoding formats are not picked up by the server's validation.

  5. Try to register an account with the following UTF-7 encoded email:

    =?utf-7?q?&AGEAYgBj-?=foo@ginandjuice.shop.

  6. Notice that this attempt doesn't trigger an error. This suggests that the server doesn't recognize UTF-7 encoding as a security threat. Because UTF-7 encoding appears to bypass the server's validation, you may be able to use it to craft an attack that tricks the server into sending a confirmation email to your exploit server email address while appearing to still satisfy the ginandjuice.shop domain requirement.

Exploit the vulnerability using UTF-7

  1. Register an account with the following UTF-7 encoded email:

    =?utf-7?q?attacker&AEA-[YOUR-EXPLOIT-SERVER-ID]&ACA-?=@ginandjuice.shop.

    This is the string attacker@[YOUR-EXPLOIT-SERVER-ID] ?=@ginandjuice.shop, with the @ symbol and space encoded in UTF-7.

  2. Click Email client. Notice that you have been sent a registration validation email. This is because the encoded email address has passed validation due to the @ginandjuice.shop portion at the end, but the email server has interpreted the registration email as attacker@[YOUR-EXPLOIT-SERVER-ID].

  3. Click the confirmation link to activate the account.
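To see why the two components disagree, the following added example (not part of the lab or of PortSwigger's code) decodes the encoded-word forms used above the way the mail layer does, and contrasts the flawed "text after the last @" check with a validator that rejects encoded-word syntax and checks the address structure. It assumes the lab's "utf-7" is the IMAP-style variant with `&...-` runs seen on this page, and uses exploit-server.net as a stand-in for the exploit server address.

```python
import base64
import re

ALLOWED_DOMAIN = "ginandjuice.shop"
# RFC 2047 encoded-word: =?charset?encoding?payload?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([qQbB])\?([^?]*)\?=")
# IMAP "modified UTF-7" run (RFC 3501): '&' + base64 of UTF-16BE + '-'; '&-' is a literal '&'.
MODIFIED_UTF7 = re.compile(r"&([A-Za-z0-9+,]*)-")


def decode_modified_utf7(text):
    def run(m):
        b64 = m.group(1).replace(",", "/")
        if not b64:
            return "&"
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # restore base64 padding
        return raw.decode("utf-16-be")
    return MODIFIED_UTF7.sub(run, text)


def decode_encoded_word(charset, encoding, payload):
    if encoding.lower() == "q":
        # Q encoding: '_' is a space, '=XX' is a hex-encoded byte
        raw = re.sub(rb"=([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]),
                     payload.replace("_", " ").encode("ascii"))
    else:
        raw = base64.b64decode(payload)
    charset = charset.lower()
    # Assumption: the lab server reads "utf-7" as the '&'-shifted IMAP variant shown on the page
    if charset == "utf-7":
        return decode_modified_utf7(raw.decode("ascii"))
    return raw.decode(charset)


def canonicalize(address):
    """Return the address as a mail layer that honours encoded-words would see it."""
    return ENCODED_WORD.sub(lambda m: decode_encoded_word(*m.groups()), address)


def raw_domain_ok(address):
    """The flawed validator: trusts whatever follows the last '@' of the raw input."""
    return address.rsplit("@", 1)[-1].lower() == ALLOWED_DOMAIN


def hardened_domain_ok(address):
    """Refuse encoded-word syntax for every charset, then require a single '@',
    no whitespace, and the allowed domain."""
    if ENCODED_WORD.search(address):
        return False
    local, sep, domain = address.rpartition("@")
    return (sep == "@" and "@" not in local and not re.search(r"\s", address)
            and domain.lower() == ALLOWED_DOMAIN)
```

Run `canonicalize` on a blocked registration's email to log what the mail layer would actually have delivered to.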

Gain admin access

  1. Click My account and log in using the details you registered.

  2. Click Admin panel to access the list of users.

  3. Delete the carlos user to solve the lab.