Casual_blog/content/hacking/BugBounty_101_email_subscription.md

+++
title = 'BugBounty l0l: Email Subscriptions'
date = 2024-12-18
image = 'https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Ffluentcrm.com%2Fwp-content%2Fuploads%2F2022%2F08%2FScreenshot_18-2.jpg&f=1&nofb=1&ipt=858152baa98a508508a431682741b98b40e1ccecde013176cd08d3072cfea690&ipo=images'
+++

## Spam

![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Ffluentcrm.com%2Fwp-content%2Fuploads%2F2022%2F08%2FScreenshot_18-2.jpg&f=1&nofb=1&ipt=858152baa98a508508a431682741b98b40e1ccecde013176cd08d3072cfea690&ipo=images)

The most common vuln in email subscription that I've seen is spamming:

If you found any email subscription form, try to spam yourself by subscribing multiple times:

```sh
email@example.com (your original mail box)
email+random1@example.com (messages will be sent to 'email@example.com')
email+random2@example.com
...
```

Why company don't want it? It's possible to use this vuln to make all their emails appear in spam folder by-default by spamming innocent users which will report it as spam. 

### No CSRF and captcha

If you can subscribe via cURL copied command and rate limit is low, then you can get bounty for that depending on the bugbounty rules.

To do that - select request in devTools/Burp and copy as cURL command. Edit email and send request.


## HTML Injection

If you can inject HTML into additional email subscription fields (like name) (those fields oftem have characters limit), than you can create legitemate looking spam/scam/phishing email with like:
```html
# Base payload
<h1><a href=https://blog.ca.sual.in>YOU WIN LOTTERY
# use bit.ly to make link more shorter
<h1><a href=https://bit.ly/random>YOU WIN LOTTERY
# In some browsers/email clients you may not need https declaration
<h1><a href=blog.ca.sual.in>YOU WIN LOTTERY
# You can close </a></h1> tags so it would be more legal
```

Needless to say, if you are not character limited, then you can rewrite email to your liking


---

Other email hacks:  
https://book.hacktricks.xyz/pentesting-web/email-injections
new posts 2024-12-12 12:48:15 +00:00			`+++`
fixes and posts 2024-12-17 11:32:34 +00:00			`title = 'BugBounty l0l: Email Subscriptions'`
new posts 2024-12-12 12:48:15 +00:00			`date = 2024-12-18`
fixes and posts 2024-12-17 11:32:34 +00:00			`image = 'https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Ffluentcrm.com%2Fwp-content%2Fuploads%2F2022%2F08%2FScreenshot_18-2.jpg&f=1&nofb=1&ipt=858152baa98a508508a431682741b98b40e1ccecde013176cd08d3072cfea690&ipo=images'`
new posts 2024-12-12 12:48:15 +00:00			`+++`

fixes and posts 2024-12-17 11:32:34 +00:00			`## Spam`

			`![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Ffluentcrm.com%2Fwp-content%2Fuploads%2F2022%2F08%2FScreenshot_18-2.jpg&f=1&nofb=1&ipt=858152baa98a508508a431682741b98b40e1ccecde013176cd08d3072cfea690&ipo=images)`

new posts 2024-12-12 12:48:15 +00:00			`The most common vuln in email subscription that I've seen is spamming:`

			`If you found any email subscription form, try to spam yourself by subscribing multiple times:`

			```sh
			`email@example.com (your original mail box)`
			`email+random1@example.com (messages will be sent to 'email@example.com')`
			`email+random2@example.com`
			`...`
			```

			`Why company don't want it? It's possible to use this vuln to make all their emails appear in spam folder by-default by spamming innocent users which will report it as spam.`

fixes and posts 2024-12-17 11:32:34 +00:00			`### No CSRF and captcha`

			`If you can subscribe via cURL copied command and rate limit is low, then you can get bounty for that depending on the bugbounty rules.`

			`To do that - select request in devTools/Burp and copy as cURL command. Edit email and send request.`


			`## HTML Injection`

			`If you can inject HTML into additional email subscription fields (like name) (those fields oftem have characters limit), than you can create legitemate looking spam/scam/phishing email with like:`
			```html
			`# Base payload`
			`<h1><a href=https://blog.ca.sual.in>YOU WIN LOTTERY`
			`# use bit.ly to make link more shorter`
			`<h1><a href=https://bit.ly/random>YOU WIN LOTTERY`
			`# In some browsers/email clients you may not need https declaration`
			`<h1><a href=blog.ca.sual.in>YOU WIN LOTTERY`
			`# You can close </a></h1> tags so it would be more legal`
			```

			`Needless to say, if you are not character limited, then you can rewrite email to your liking`


			`---`

new posts 2024-12-12 12:48:15 +00:00			`Other email hacks:`
			`https://book.hacktricks.xyz/pentesting-web/email-injections`