### Creates a random string in the output log, or replaces the $random placeholder in the request. The string is generated from a regular expression character class (with a quantifier) entered in the input dialog.
#### Author: Gareth Heyes
```java
// Prompt the user for the class/quantifier pattern that drives the generator.
var patternStr = javax.swing.JOptionPane.showInputDialog(null, "Enter regex pattern like [a-z]{4} or [0-5]{10}", "Random chars based on regex", javax.swing.JOptionPane.QUESTION_MESSAGE);
// ... (the remainder of this Bambda is not included on this page)
```
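The snippet above only shows the input dialog; the step that turns a class such as `[a-z]{4}` into a string is not on this page. As an added illustration (not the Bambda's own code, and not PortSwigger's), here is a stand-alone Python version of that generator. It goes beyond the two patterns the dialog suggests: it accepts several concatenated groups such as `[A-Z]{2}[0-9]{4}`, `{n,m}` ranges and backslash-escaped literals, and it draws from `secrets` rather than `random`, so the output is also usable as an unguessable token when `$random` is substituted into a request. The `fill_placeholder` helper and its `$random` default are assumptions mirroring the description, not an API of the Bambda.

```python
import re
import secrets

# One "[class]{n}" or "[class]{n,m}" group; several may be concatenated, e.g. [A-Z]{2}[0-9]{4}.
_GROUP = re.compile(r"\[((?:\\.|[^\]\\])+)\]\{(\d+)(?:,(\d+))?\}")


def expand_class(body: str) -> str:
    """Expand a character-class body such as 'a-z0-5_' into its literal alphabet.
    Supports ranges (a-z); a backslash escapes the next character (so '\\-' is a literal dash)."""
    chars = []
    i = 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):              # escaped literal
            chars.append(body[i + 1])
            i += 2
        elif i + 2 < len(body) and body[i + 1] == "-":   # range lo-hi
            lo, hi = ord(c), ord(body[i + 2])
            if lo > hi:
                raise ValueError(f"bad range {c}-{body[i + 2]}")
            chars.extend(chr(cp) for cp in range(lo, hi + 1))
            i += 3
        else:
            chars.append(c)
            i += 1
    return "".join(dict.fromkeys(chars))                 # de-duplicate, keep order


def random_from_pattern(pattern: str) -> str:
    """Generate a random string matching a class/quantifier pattern, using the CSPRNG
    behind `secrets` so the result can double as an unpredictable token."""
    out = []
    pos = 0
    for m in _GROUP.finditer(pattern):
        if m.start() != pos:
            raise ValueError(f"unsupported syntax at offset {pos}: {pattern[pos:m.start()]!r}")
        alphabet = expand_class(m.group(1))
        lo = int(m.group(2))
        hi = int(m.group(3)) if m.group(3) is not None else lo
        if hi < lo:
            raise ValueError(f"bad quantifier {{{lo},{hi}}}")
        length = lo + secrets.randbelow(hi - lo + 1)
        out.append("".join(secrets.choice(alphabet) for _ in range(length)))
        pos = m.end()
    if not out or pos != len(pattern):
        # Anything other than [class]{n} / [class]{n,m} groups (e.g. "[a-z]+") is rejected.
        raise ValueError(f"unsupported pattern: {pattern!r}")
    return "".join(out)


def fill_placeholder(request: str, pattern: str, placeholder: str = "$random") -> str:
    """Replace every occurrence of the placeholder in a request with one fresh random string
    (hypothetical helper mirroring the Bambda's "$random" behaviour)."""
    return request.replace(placeholder, random_from_pattern(pattern))


if __name__ == "__main__":
    print(random_from_pattern("[a-z]{4}"))
    print(random_from_pattern("[0-5]{10}"))
    print(fill_placeholder("GET /reset?token=$random HTTP/1.1", "[A-Za-z0-9]{32}"))
```

Because the generator is fed by user input, unsupported syntax raises `ValueError` instead of silently producing an empty or short string, which matters when the value is used as a one-time token.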
### Given the clipboard contains a repeater request compressed and encoded by the RepeaterClip Bambda, this Bambda creates a new Repeater tab containing that request.
```java
// Issue detail and remediation strings of the cookie-prefix check; the rest of that Bambda is not included on this page.
"The server appears to be vulnerable to a <b>Unicode-based bypass</b> affecting cookies with the <b>__Host-</b> or <b>__Secure-</b> prefix. This issue exploits whitespace trimming behavior, allowing an attacker to set privileged cookies using visually similar names.",
"Ensure the server does not silently strip or normalize <i>Unicode space separator characters</i> (e.g. U+2000–U+200A) before parsing cookie names. These characters can be used to bypass prefix restrictions in modern browsers like Chrome and Firefox.",
```
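The issue text above describes the mechanism but not what the trimming looks like in code. The following is an added illustration (not the Bambda and not PortSwigger code): a cookie parser that trims names with a Unicode-aware `strip()` beside one that trims only the ASCII SP/HTAB that RFC 6265 allows and rejects any name that is not a cookie token. The Cookie header is constructed; it models an attacker who set a cookie named `U+2000 __Host-session` from a context that could never set a real `__Host-` cookie, since the browser does not apply prefix rules to that name. Python's `str.strip()` removes every character for which `isspace()` is true, which includes U+2000 to U+200A, so it stands in here for any server-side trim with the same behaviour.

```python
import re

# Cookie names are RFC 6265 "tokens": printable ASCII minus separators. A compliant
# parser therefore only ever trims ASCII SP / HTAB around them.
COOKIE_NAME_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# The space-separator characters named in the issue text: U+2000 EN QUAD .. U+200A HAIR SPACE.
UNICODE_SPACE_SEPARATORS = [chr(cp) for cp in range(0x2000, 0x200B)]


def parse_cookies_vulnerable(header: str) -> dict:
    """Parser that trims with str.strip(), which removes every Unicode whitespace character
    (U+2000..U+200A included), so a name of U+2000 followed by "__Host-session" collapses to
    "__Host-session" after the browser has already waived the prefix rules for it."""
    cookies = {}
    for pair in header.split(";"):
        name, _, value = pair.partition("=")
        name = name.strip()
        if name:
            cookies[name] = value.strip()
    return cookies


def parse_cookies_hardened(header: str) -> dict:
    """Trim only ASCII SP/HTAB and drop any name that is not an RFC 6265 token."""
    cookies = {}
    for pair in header.split(";"):
        name, _, value = pair.partition("=")
        name = name.strip(" \t")
        if not COOKIE_NAME_TOKEN.match(name):
            continue  # U+2000-style look-alike names never reach the __Host- lookup
        cookies[name] = value.strip(" \t")
    return cookies


def privileged_session(cookies: dict):
    """What the application treats as its prefix-protected session identifier."""
    return cookies.get("__Host-session")


# Constructed Cookie header: the first cookie was set by the attacker with a leading U+2000;
# the second is an ordinary unrelated cookie. (If a genuine __Host-session were also present,
# which copy wins is itself parser-dependent: first-wins parsers are the worse case.)
ATTACKER_HEADER = "\u2000__Host-session=ATTACKER-CHOSEN; theme=dark"


def check_parsers(header: str = ATTACKER_HEADER) -> dict:
    """Compare what each parser hands to the application as the __Host-session value."""
    return {
        "vulnerable": privileged_session(parse_cookies_vulnerable(header)),
        "hardened": privileged_session(parse_cookies_hardened(header)),
    }


if __name__ == "__main__":
    print(check_parsers())  # {'vulnerable': 'ATTACKER-CHOSEN', 'hardened': None}
```

The hardened parser does not try to "fix" the name by stripping more characters; it rejects it, because any normalisation applied after the browser's prefix check recreates the same gap.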
### Performs an email splitting attack using encoded-word. The Collaborator client is used to retrieve interactions. You should change spoofServer to your target domain, e.g. example.com. You can add more techniques using the techniques variable.
#### Author: Gareth Heyes
```java
var POLL_SLEEP = 1_000;
var TOTAL_TIME = 10_000;
var spoofServer = "target.domain";
var collaboratorClient = api().collaborator().createClient();
Function<String, String> newLinesToBr = s -> s.replaceAll("\r?\n", "<br>");

// ... (intervening lines of the Bambda are not included on this page)

try {
    long start = System.currentTimeMillis();
    while (true) {
        if (System.currentTimeMillis() - start >= TOTAL_TIME) break;
        List<Interaction> list = collaboratorClient.getAllInteractions();
        if (!list.isEmpty()) {
            for (Interaction i : list) {
                // Only SMTP interactions prove that mail was actually routed to the Collaborator host.
                if (!i.smtpDetails().isPresent()) continue;
                var id = i.id().toString();
                // Bound the substring to the conversation length: a short conversation would
                // otherwise throw StringIndexOutOfBoundsException.
                var fullConversation = i.smtpDetails().get().conversation();
                var conversation = fullConversation.substring(0, Math.min(500, fullConversation.length())) + "...";
                var title = "Email address parser discrepancy";
                var detail = "This site is vulnerable to an email splitting attack. Below is the SMTP conversation: " + utilities().htmlUtils().encode(conversation);
                var remediation = """
                    - Reject any address containing =? … ?= (“encoded-word”) patterns with a simple regex such as =[?].+[?]= before further processing.
                    - Disable or strictly configure legacy address parsing features in mail libraries (UUCP bang paths, source routes, UTF-7, IDN/Punycode) whenever they are not required.
                    - Never base authorisation decisions solely on the claimed email domain. Instead, verify ownership (for example, by sending a one-time link) or use cryptographically strong identity assertions.
                    - Ensure server-side validation is performed by the same library that ultimately sends or stores the address, avoiding mixed-parser discrepancies.
                    """;
                var background = "Email syntax is governed by decades-old RFCs that permit comments, quoted local-parts, multiple encodings and obsolete routing notations. Modern web applications often validate addresses with a simple regex or framework helper, then pass them to deeper libraries (SMTP clients, IDN converters, etc.). An attacker can embed control characters or secondary @ symbols that survive the first check but are re-interpreted later, redirecting mail delivery or splitting the address during SMTP dialogue. The impact ranges from account takeover to cross-tenant data exposure and, where rendered in HTML contexts, stored XSS leading to RCE.";
                var remediationBackground = "The simplest and most effective defence is to disable “encoded-word” parsing, as it is unnecessary in user registration flows and can be blocked cheaply. Disabling rarely used address forms in mail libraries closes additional vectors, while eliminating domain-based access checks removes the underlying trust flaw. Where email addresses must be accepted verbatim (for example, mail clients), sanitise or escape them before insertion into HTML or SQL contexts and confirm delivery via out-of-band verification.";
                // ... (the remainder of the Bambda, which raises the issue from these strings, is not included on this page)
```
### Performs an email splitting attack using encoded-word. The default Collaborator client is used to retrieve interactions. You should change spoofServer to your target domain, e.g. example.com. Note that this scan check uses the default Collaborator tab and doesn't raise any issues. This allows you to run a long-running task beyond the 2-minute window allowed for scan checks. The main Collaborator tab will be updated if your probes are successful and receive Collaborator interactions.
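Both email-splitting Bambdas above detect the bug end to end, by watching for an SMTP interaction at Collaborator, but neither shows on this page why an encoded-word probe passes validation yet is delivered elsewhere. The following is an added, stand-alone Python illustration (not the Bambdas' code and not PortSwigger's) of that parser discrepancy and of the first remediation bullet. It assumes a constructed registration check (domain after the last `@`, compared as written), a constructed model of a deeper mail layer that decodes RFC 2047 encoded-words and then terminates the address at the first `>` or NUL (a model of the behaviour class, not a claim about any specific library), and the placeholder hosts `collab.example` and `target.domain`. The `=40`, `=3e` and `=00` Q-encoded bytes decode to `@`, `>` and NUL respectively.

```python
import base64
import re

# Minimal RFC 2047 "encoded-word" syntax: =?charset?Q|B?text?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([qQbB])\?([^?]*)\?=")

# The remediation regex from the Bambda's issue text: reject anything that even looks like an encoded-word.
ENCODED_WORD_MARKER = re.compile(r"=[?].+[?]=")


def _decode_q(text: str) -> bytes:
    """Q-encoding: '=XX' is a hex byte, '_' is a space, everything else is literal."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "=" and i + 2 < len(text):
            out.append(int(text[i + 1:i + 3], 16))   # e.g. =40 -> '@', =3e -> '>', =00 -> NUL
            i += 3
        elif text[i] == "_":
            out.append(0x20)
            i += 1
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def decode_encoded_words(s: str) -> str:
    """Replace each encoded-word with its decoded text, leaving the rest of the string as-is."""
    def _dec(m):
        charset, enc, text = m.group(1), m.group(2).lower(), m.group(3)
        raw = _decode_q(text) if enc == "q" else base64.b64decode(text)
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(_dec, s)


def build_probe(collab_host: str, target_domain: str, user: str = "probe") -> str:
    """Encoded-word probe: written as one address at target_domain, but the local part
    decodes to 'user@collab_host>' followed by a NUL byte."""
    return f"=?utf-8?q?{user}=40{collab_host}=3e=00?=@{target_domain}"


def naive_domain_check(address: str, allowed_domain: str) -> bool:
    """Constructed registration-style check on the address as written: domain after the last '@'."""
    _, sep, domain = address.rpartition("@")
    return sep == "@" and domain.lower() == allowed_domain.lower()


def modelled_smtp_recipient(address: str) -> str:
    """Constructed model of a deeper mail layer (not any specific library): decode encoded-words
    first, then stop at the first '>' (end of an angle-addr) or NUL (C-string terminator)."""
    decoded = decode_encoded_words(address)
    cut = min((decoded.index(ch) for ch in (">", "\x00") if ch in decoded), default=len(decoded))
    return decoded[:cut]


def assess(address: str, allowed_domain: str) -> dict:
    """Show the discrepancy side by side, plus whether the remediation regex would have blocked it."""
    return {
        "naive_check_passes": naive_domain_check(address, allowed_domain),
        "mail_goes_to": modelled_smtp_recipient(address),
        "rejected_by_encoded_word_filter": bool(ENCODED_WORD_MARKER.search(address)),
    }


if __name__ == "__main__":
    probe = build_probe("collab.example", "target.domain")
    print(probe)
    print(assess(probe, "target.domain"))
    print(assess("alice@target.domain", "target.domain"))
```

In the real check the Collaborator SMTP interaction plays the role of `mail_goes_to`: if the probe is accepted by the registration flow and a message later arrives at the Collaborator host, the two parsers disagreed, which is exactly the condition the Bambdas above report.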