Volume 321, Issue 2 · Events News · CxO Security Events

Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls (Dec. 19th)

Thursday, December 19th, 2024: 2:00 PM to 3:00 PM

Websites often parse users' email addresses to identify their organization. Unfortunately, parsing emails is far from straightforward thanks to a collection of ancient RFCs that everyone knows are crazy.

Virtual

You can probably see where this is going...

In this session, I'll introduce techniques for crafting RFC-compliant email addresses that bypass virtually all defenses leading to broken assumptions, parser discrepancies and emails being routed to wildly unexpected destinations. I'll show you how to exploit multiple applications and libraries to spoof email domains, access internal systems protected by 'Zero Trust', and bypass employee-only registration barriers.

Then I'll introduce another class of attack - harmless-looking input transformed into malicious payloads by unwitting libraries, leading to yet more misrouted emails, and blind CSS injection on a well-known target.

Hosted by blackhat
