Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Exploiting email address parsing with AWS SES- 378

Nathan Davison, posted 5 years ago
  • When an account is created with an email address, it is common practice to verify ownership by sending a message to that address. Some applications also grant specific access based on the email being used, such as Slack workspaces that admit anyone from a given domain.
  • What if you could break the parsing behind the email verification? You could gain access that depends on that verification. The application being tested used AWS Simple Email Service (SES) to send the verification details, but verified the domain with a different parser.
  • After a great many tests, the author came up with an input that the two services parsed differently: <aaa@bbb.com>ccc@ddd.com. AWS SES delivers the message to aaa@bbb.com, but the website used ddd.com as the domain for verification!
  • Using this discrepancy in the parsing, an email can be sent to one domain but verified as another. This bypasses the site's domain verification.
  • After finding this one vulnerability, the author went on to test a plethora of email address parsing libraries to see which combinations would be vulnerable. Across combinations of Python, PHP and NodeJS libraries, the author found one other combination that was vulnerable and two that might be.
  • This is another classic discrepancy between two parsers leading to a security issue. This never gets old to read about!
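As an added illustration (not code from the post, SES or the tested site), the two toy parsers below model the behaviour described above: an MTA-style parser that honours an angle-bracket addr-spec, and a verification step that naively takes whatever follows the last "@". The mismatch check and the strict single-parser rule are the defensive takeaway; the regular expression is a deliberately narrow assumption, not a full RFC 5322 grammar.

```python
import re
from typing import Optional

# Constructed sample, the exact string from the post.
SAMPLE = "<aaa@bbb.com>ccc@ddd.com"

# Narrow "bare addr-spec" shape (assumption: good enough for a signup form,
# not a complete RFC 5322 grammar).
ADDR_SPEC = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def mta_style_recipient(raw: str) -> str:
    """Model of a display-name-aware sender: if an angle-bracket group is
    present, the addr-spec inside it is the delivery address."""
    m = re.search(r"<([^<>]+)>", raw)
    return m.group(1).strip() if m else raw.strip()


def naive_domain(raw: str) -> str:
    """Model of the verification side: everything after the last '@'."""
    return raw.rsplit("@", 1)[-1].strip().lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def parsers_agree(raw: str) -> bool:
    """Detection: does the domain the mail would actually be delivered to
    match the domain the site would verify? False means a parser gap."""
    return domain_of(mta_style_recipient(raw)) == naive_domain(raw)


def strict_verified_domain(raw: str) -> Optional[str]:
    """Mitigation: accept only a bare addr-spec, then derive BOTH the delivery
    address and the verified domain from that single parsed value."""
    if not ADDR_SPEC.fullmatch(raw):
        return None
    return domain_of(raw)


if __name__ == "__main__":
    print("delivered to:", mta_style_recipient(SAMPLE))   # aaa@bbb.com
    print("naively verified domain:", naive_domain(SAMPLE))  # ddd.com
    print("parsers agree:", parsers_agree(SAMPLE))           # False
    print("strict domain:", strict_verified_domain(SAMPLE))  # None (rejected)
```

The point of the strict rule is that one parser, not two, decides both where the mail goes and which domain gets trusted.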