Splitting the email atom: exploiting parsers to bypass access controls

Gareth Heyes - garethheyes - garethheyes.co.uk

Some websites parse email addresses to extract the domain and infer which organisation the owner belongs to. This pattern makes email-address parser discrepancies critical. Predicting which domain an email will be routed to should be simple, but is actually ludicrously difficult - even for valid, RFC-compliant addresses. In this paper I'm going to show you how to turn email parsing discrepancies into access control bypasses and even RCE.

This paper is accompanied by a free online CTF, so you'll be able to try out your new skill set immediately.

Splitting the email atom: exploiting parsers to bypass access controls http:/localhost:5000/template.html 1 of 26 17/07/2024, 12:25

Outline

- Introduction
- Creating email domain confusion
- Parser discrepancies
- Unicode overflows
- Encoded-word
- Encoded-word case studies
- Github
- Zendesk
- Gitlab
- PHPMailer
- Punycode
- What is Punycode?
- Malformed Punycode
- Trying to exploit Joomla
- Exploiting Joomla
- Methodology/Tooling
- Generating email splitting attacks
- Automate exploitation of Encoded-word
- Fuzzing for malformed Punycode
- Defence
- Materials
- CTF
- Takeaways
- Timeline
- References

Introduction

Some of the RFCs that dictate the email address format have been around for over 50 years; they have been mangled together to form a standard for email addresses that is way too lenient. Emails can have quoted values, comments, escapes and various encodings. If you are faced with the job of writing an email parser, technically you should follow the specification, but because of all this complexity it's a difficult job. Web applications farm this complexity out to email parsi