[iw] - Fwd: Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls
Richard Forno
rick at rickf.org
Tue Aug 13 00:31:46 UTC 2024
> Begin forwarded message:
>
> From: Monty Solomon <monty at roscom.com>
> Subject: Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls
> Date: August 11, 2024 at 00:23:10 EDT
>
> Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls
>
> Websites often parse users' email addresses to identify their organization. Unfortunately, parsing emails is far from straightforward thanks to a collection of ancient RFCs that everyone knows are crazy. You can probably see where this is going…
>
> In this session, I'll introduce techniques for crafting RFC-compliant email addresses that bypass virtually all defenses, leading to broken assumptions, parser discrepancies, and emails being routed to wildly unexpected destinations. I'll show you how to exploit multiple applications and libraries to spoof email domains, access internal systems protected by 'Zero Trust', and bypass employee-only registration barriers.
>
> https://www.blackhat.com/us-24/briefings/schedule/#splitting-the-email-atom-exploiting-parsers-to-bypass-access-controls-39193
>
> Slides
> http://i.blackhat.com/BH-US-24/Presentations/US24-Heyes-Splitting-the-Email-Atom-Exploiting-Parsers-to-Bypass-Access-Controls-Wednesday.pdf
>
> Paper
> http://i.blackhat.com/BH-US-24/Presentations/US24-Heyes-Splitting-the-Email-Atom-Exploiting-Parsers-to-Bypass-Access-Controls-wp.pdf
>
> Splitting the email atom: exploiting parsers to bypass access controls
> https://portswigger.net/research/splitting-the-email-atom
>
>
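The parser-discrepancy idea in the forwarded abstract can be shown on the RFC 5322 grammar itself. The Python below is an added illustration written for this archive page; it is not code from the talk, the white paper or PortSwigger, and it does not reproduce any payload from them. It compares two naive "which organisation does this address belong to" extractors (domain characters after the first '@', domain characters after the last '@') with a simplified RFC 5322 reader that honours two features the RFC really has: a quoted-string local-part may contain '@', and comments in parentheses (CFWS) may sit next to the local-part or the domain and may themselves contain '@'. The sample addresses, the `example.com` allowlist domain and `attacker.net` are constructed for the example. The RFC reader is deliberately small (no domain-literals, obsolete syntax or encoded-words), and whether any particular web framework, validator library or MTA accepts these forms is implementation-specific; that variation is exactly what the abstract describes as parser discrepancies.

```python
import re

# Constructed sample inputs (not taken from the talk or the list post). All
# four are syntactically valid RFC 5322 addr-specs: a quoted-string local-part
# may contain '@', and comments "( ... )" may appear beside the local-part or
# the domain and may contain '@' themselves.
SAMPLES = [
    'alice@example.com',
    '"alice@example.com"@attacker.net',
    'alice(@example.com)@attacker.net',
    'alice@attacker.net(@example.com)',
]

ALLOWED_ORG_DOMAIN = 'example.com'   # hypothetical "employees only" allowlist

DOMAIN_CHARS = r'[A-Za-z0-9.-]+'


def domain_first_at(addr):
    """Naive extractor 1: the run of domain characters after the first '@'."""
    m = re.search('@(' + DOMAIN_CHARS + ')', addr)
    return m.group(1) if m else None


def domain_last_at(addr):
    """Naive extractor 2: the run of domain characters after the last '@'."""
    m = re.search('@(' + DOMAIN_CHARS + r')[^@]*$', addr)
    return m.group(1) if m else None


def rfc5322_split(addr):
    """Read addr as an RFC 5322 addr-spec: an '@' inside a quoted-string or a
    (possibly nested) comment does not separate local-part from domain, and
    comments are discarded. Simplified reader for illustration only (no
    domain-literals, obsolete syntax or encoded-words). Returns (local, domain)."""
    local, domain = [], []
    out = local
    depth = 0            # comment nesting depth
    in_quote = False
    seen_at = False
    i = 0
    while i < len(addr):
        c = addr[i]
        if c == '\\' and (in_quote or depth) and i + 1 < len(addr):
            if not depth:                  # quoted-pair inside a quoted-string
                out.append(c)
                out.append(addr[i + 1])
            i += 2                         # inside a comment it is dropped
            continue
        if depth:
            if c == '(':
                depth += 1
            elif c == ')':
                depth -= 1
            # everything else inside a comment is dropped
        elif in_quote:
            out.append(c)
            if c == '"':
                in_quote = False
        elif c == '(':
            depth += 1
        elif c == '"' and not seen_at:
            in_quote = True
            out.append(c)
        elif c == '@':
            if seen_at:
                raise ValueError('bare @ inside domain: %r' % addr)
            seen_at = True
            out = domain
        else:
            out.append(c)
        i += 1
    if depth or in_quote or not seen_at or not local or not domain:
        raise ValueError('not a plausible addr-spec: %r' % addr)
    return ''.join(local).strip(), ''.join(domain).strip()


def domain_rfc5322(addr):
    return rfc5322_split(addr)[1]


def org_verdicts(addr, allowed=ALLOWED_ORG_DOMAIN):
    """What each parser believes the organisation domain is, and whether an
    allowlist check built on that parser would admit the address."""
    return {
        name: {'domain': dom, 'allowed': dom == allowed}
        for name, dom in (
            ('first_at', domain_first_at(addr)),
            ('last_at', domain_last_at(addr)),
            ('rfc5322', domain_rfc5322(addr)),
        )
    }


def discrepancies(addr):
    """Naive parsers whose domain differs from the RFC 5322 reading, i.e. where
    an access check and the mail delivery path would disagree."""
    v = org_verdicts(addr)
    return sorted(n for n in ('first_at', 'last_at')
                  if v[n]['domain'] != v['rfc5322']['domain'])


if __name__ == '__main__':
    for addr in SAMPLES:
        v = org_verdicts(addr)
        print('%-36s first_at=%-13s last_at=%-13s rfc5322=%-13s mismatch=%s' % (
            addr, v['first_at']['domain'], v['last_at']['domain'],
            v['rfc5322']['domain'], ','.join(discrepancies(addr)) or '-'))
```

Running it prints one row per sample. For `"alice@example.com"@attacker.net` and `alice(@example.com)@attacker.net` the first-'@' extractor reports `example.com` while the RFC reading (and therefore any mail server following it) routes to `attacker.net`; for `alice@attacker.net(@example.com)` it is the last-'@' extractor that is wrong. A registration check that trusts either naive extractor while a different component delivers the verification mail is the mismatch the abstract is about; the fix is to derive the organisation from the same normalised addr-spec that is used for delivery, or to reject addresses that use quoted-strings or comments at all.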