+++
title = 'BugBounty l0l: Email Subscriptions'
date = 2024-12-18
image = 'https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Ffluentcrm.com%2Fwp-content%2Fuploads%2F2022%2F08%2FScreenshot_18-2.jpg&f=1&nofb=1&ipt=858152baa98a508508a431682741b98b40e1ccecde013176cd08d3072cfea690&ipo=images'
+++
Spam
The most common vuln I've seen in email subscription forms is spamming:
If you find an email subscription form, try to spam yourself by subscribing multiple times:
email@example.com (your original mail box)
email+random1@example.com (messages will be sent to 'email@example.com')
email+random2@example.com
...
Why don't companies want this? This vuln can be used to make all their emails land in the spam folder by default, by spamming innocent users who will then report the messages as spam.
No CSRF and captcha
If you can subscribe by replaying a copied cURL command and the rate limit is low, you can get a bounty for that, depending on the bug bounty rules.
To do that, select the request in DevTools/Burp and copy it as a cURL command. Edit the email and send the request.
HTML Injection
If you can inject HTML into additional email subscription fields such as name (those fields often have a character limit), then you can create a legitimate-looking spam/scam/phishing email with something like:
# Base payload
<h1><a href=https://blog.ca.sual.in>YOU WIN LOTTERY
# Use bit.ly to make the link shorter
<h1><a href=https://bit.ly/random>YOU WIN LOTTERY
# In some browsers/email clients you may not need https declaration
<h1><a href=blog.ca.sual.in>YOU WIN LOTTERY
# You can close </a></h1> tags so it would be more legal
Needless to say, if you are not limited by character count, you can rewrite the email to your liking.
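A server-side sketch of the fix for two issues above, repeat subscriptions through plus-addressing (Spam) and HTML injection through the name field, added here as an example and not taken from the original post. It assumes the mail provider delivers `local+tag@domain` to `local@domain` as described in the Spam section; `SubscriptionGate`, `render_welcome` and both limits are hypothetical names and values.

```python
import html
from collections import Counter

MAX_PER_MAILBOX = 1   # assumed policy: one subscription per real mailbox
MAX_NAME_LEN = 64     # assumed limit for the free-text "name" field


def canonical_mailbox(address: str) -> str:
    """Collapse plus-addressed variants onto the mailbox that receives them."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    # Keep the whole local part if stripping the tag would leave it empty.
    base = local.split("+", 1)[0] or local
    return f"{base.lower()}@{domain.lower()}"


class SubscriptionGate:
    """Counts subscriptions per canonical mailbox, not per submitted string."""

    def __init__(self) -> None:
        self.seen = Counter()

    def allow(self, address: str) -> bool:
        key = canonical_mailbox(address)
        if self.seen[key] >= MAX_PER_MAILBOX:
            return False
        self.seen[key] += 1
        return True


def render_welcome(name: str) -> str:
    """Truncate first, then escape, so subscriber input stays inert text."""
    safe = html.escape(name[:MAX_NAME_LEN], quote=True)
    return f"<p>Hello {safe}, please confirm your subscription.</p>"


if __name__ == "__main__":
    gate = SubscriptionGate()
    # Constructed sample input mirroring the addresses used in this post.
    for addr in ("email@example.com", "email+random1@example.com",
                 "email+random2@example.com"):
        print(addr, "->", "accepted" if gate.allow(addr) else "rejected")
    print(render_welcome("<h1><a href=https://blog.ca.sual.in>YOU WIN LOTTERY"))
```

Counting per canonical mailbox rejects the `+random` variants as duplicates, and the escaped name is delivered as visible text rather than as a heading and link.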
Other email hacks:
https://book.hacktricks.xyz/pentesting-web/email-injections