Recent Posts
Archives

AI BEA CTO Cybersecurity DefCon32 Devoxx DevoxxBE2023 DevoxxBE2024 DevoxxFR DevoxxGR2025 DevoxxGreece2025 DevoxxPL2022 DevoxxPoland DevoxxUK2024 DevoxxUS2017 Docker Eclipse EJB GWT Hibernate IntelliJ IDEA Java Jetty JMS Jonathan Lalou JSF Kotlin Kubernetes Maven Maven 2 Microservices Mule Mule ESB Oracle OxidizeConf2024 Python recommendation RustLang Security Spring SQL Tomcat tutorial Weblogic Weblogic 10

Posts Tagged ‘ParserExploits’

PostHeaderIcon [DefCon32] Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls

Author: Jonathan Lalou

Email addresses, seemingly mundane, harbor complexities that can unravel security controls. Gareth Heyes, a security researcher at PortSwigger, exposes how arcane RFC standards governing email parsing enable attackers to bypass access controls. By crafting RFC-compliant email addresses, Gareth demonstrates spoofing domains, accessing internal systems, and executing blind CSS injection. His toolkit, integrated with Burp Suite, automates these attacks, revealing vulnerabilities in applications and libraries.

Gareth’s exploration, rooted in parser discrepancies, shows how seemingly valid emails can route to unintended destinations, undermining Zero Trust architectures. His methodology and open-source tools empower researchers to probe email-handling systems, urging developers to fortify defenses against these subtle yet potent attacks.

The Chaos of Email RFCs

Gareth begins with the convoluted RFCs defining email syntax, which allow exotic encodings like Unicode overflows and encoded words. These standards, often misunderstood, lead to parser inconsistencies. For example, an email ending in @example.com might route elsewhere due to mishandled Unicode or Punycode, breaking domain-based authorization.

Case studies illustrate real-world exploits, including bypassing employee-only registrations and accessing internal systems by exploiting parser flaws.

Exploiting Parser Discrepancies

Using tools like Hackverter and Turbo Intruder, Gareth automates the generation of malicious email addresses. His Punycode fuzzer, for instance, substitutes placeholders with random characters, uncovering exploitable parser behaviors. A notable exploit involved GitHub’s handling of null characters, found via Turbo Intruder, leading to unauthorized access.

These techniques transform harmless inputs into payloads that misroute emails or inject CSS, compromising application security.

Defensive Strategies

Gareth advocates filtering encoded words and verifying email addresses before use, even from trusted SSO providers. Relying solely on domains for authorization is perilous, as demonstrated by his exploits. Regular expression sanitization and strict validation can mitigate risks, ensuring emails route as intended.

He references influential blog posts by researchers like Pep Villa, emphasizing community knowledge-sharing to bolster defenses.

Tools and Future Research

Gareth’s toolkit, including a Burp Suite wordlist and a vulnerable Joomla Docker instance, enables researchers to replicate his attacks. A Web Security Academy CTF further hones skills in email splitting. He encourages exploring additional parser vulnerabilities, such as those in mailer libraries, to uncover new attack vectors.

Links:

Posted in en-US | Tags: , , , , , , | No Comments »
(c) 2008 Jonathan Lalou's Blog
All Rights Reserved.

Powered by WordPress and WordPress Theme | Host-euro.