+++ title = 'BugBounty l0l: Email Subscriptions' date = 2024-12-18 image = 'https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Ffluentcrm.com%2Fwp-content%2Fuploads%2F2022%2F08%2FScreenshot_18-2.jpg&f=1&nofb=1&ipt=858152baa98a508508a431682741b98b40e1ccecde013176cd08d3072cfea690&ipo=images' +++ ## Spam ![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Ffluentcrm.com%2Fwp-content%2Fuploads%2F2022%2F08%2FScreenshot_18-2.jpg&f=1&nofb=1&ipt=858152baa98a508508a431682741b98b40e1ccecde013176cd08d3072cfea690&ipo=images) The most common vuln in email subscription that I've seen is spamming: If you found any email subscription form, try to spam yourself by subscribing multiple times: ```sh email@example.com (your original mail box) email+random1@example.com (messages will be sent to 'email@example.com') email+random2@example.com ... ``` Why company don't want it? It's possible to use this vuln to make all their emails appear in spam folder by-default by spamming innocent users which will report it as spam. ### No CSRF and captcha If you can subscribe via cURL copied command and rate limit is low, then you can get bounty for that depending on the bugbounty rules. To do that - select request in devTools/Burp and copy as cURL command. Edit email and send request. ## HTML Injection If you can inject HTML into additional email subscription fields (like name) (those fields oftem have characters limit), than you can create legitemate looking spam/scam/phishing email with like: ```html # Base payload

YOU WIN LOTTERY # use bit.ly to make link more shorter

YOU WIN LOTTERY # In some browsers/email clients you may not need https declaration

YOU WIN LOTTERY # You can close

tags so it would be more legal ``` Needless to say, if you are not character limited, then you can rewrite email to your liking --- Other email hacks: https://book.hacktricks.xyz/pentesting-web/email-injections