Overview
This Black Hat conference talk examines vulnerabilities in email-address parsing that can lead to security breaches. Learn how to craft RFC-compliant email addresses that different parsers interpret differently, so that parser discrepancies bypass security controls and route email to unexpected destinations. Discover how to exploit applications and libraries to spoof email domains, reach internal systems protected by "Zero Trust," and circumvent employee-only registration barriers. The 42-minute presentation also covers how harmless-looking inputs are transformed into malicious payloads by unwitting libraries, leading to misrouted emails and blind CSS injection vulnerabilities. Gain access to a complete methodology and toolkit for identifying and exploiting targets, and take part in a CTF challenge to practise the new skills. Presented by Gareth Heyes, Researcher at PortSwigger.
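The kind of parser discrepancy the talk describes, shown as an added example that is not code from the talk or from PortSwigger: three constructed parser models (two naive "split on @" models and a minimal RFC 5322 reader that honours quoted-string local parts and comments) extract the domain from the same address string and disagree. The quoted-string and comment syntax is RFC 5322; the sample addresses, the parser models and the `passes_allowlist` registration gate are constructed for illustration and do not model any specific library.

```python
"""Parser-differential demo for email addresses (added example).

The same RFC 5322-valid addr-spec yields different domains depending on
which parser a component uses. Three constructed models are compared;
none represents a specific library or mail server."""
import re

_HOST = re.compile(r"[A-Za-z0-9.-]+")


def naive_first_at(addr: str) -> str:
    """Model A: domain = hostname-looking text after the FIRST '@'."""
    after = addr.split("@", 1)[1] if "@" in addr else ""
    m = _HOST.search(after)
    return m.group(0).lower() if m else ""


def naive_last_at(addr: str) -> str:
    """Model B: domain = hostname-looking text after the LAST '@'."""
    after = addr.rsplit("@", 1)[1] if "@" in addr else ""
    m = _HOST.search(after)
    return m.group(0).lower() if m else ""


def rfc5322_domain(addr: str) -> str:
    """Model C: minimal RFC 5322 addr-spec reader. Quoted strings ("a@b"@c)
    and CFWS comments ((...)) are honoured, so only the first '@' that is
    outside quotes and comments separates local part from domain."""
    local = None
    buf = []
    i, n = 0, len(addr)
    while i < n:
        c = addr[i]
        if c == '"':                               # quoted-string: '@' inside is literal
            i += 1
            while i < n and addr[i] != '"':
                if addr[i] == "\\" and i + 1 < n:  # quoted-pair \x
                    i += 1
                buf.append(addr[i])
                i += 1
        elif c == "(":                             # comment: skip to matching ')'
            depth, i = 1, i + 1
            while i < n and depth:
                if addr[i] == "\\" and i + 1 < n:
                    i += 1
                elif addr[i] == "(":
                    depth += 1
                elif addr[i] == ")":
                    depth -= 1
                i += 1
            continue
        elif c == "@" and local is None:           # first unquoted, uncommented '@'
            local, buf = "".join(buf), []
        elif not c.isspace():
            buf.append(c)
        i += 1
    if local is None:
        raise ValueError("no '@' outside quotes/comments")
    return "".join(buf).lower()


PARSERS = {"first_at": naive_first_at, "last_at": naive_last_at, "rfc5322": rfc5322_domain}


def domains(addr: str) -> dict:
    """Domain each parser model extracts from addr."""
    return {name: parse(addr) for name, parse in PARSERS.items()}


def is_discrepant(addr: str) -> bool:
    """True when at least two parser models disagree on the domain."""
    return len(set(domains(addr).values())) > 1


def passes_allowlist(addr: str, parser: str, allowed: str = "example.com") -> bool:
    """Hypothetical employee-only registration gate that trusts one parser model."""
    return PARSERS[parser](addr) == allowed


# Constructed sample inputs; all three are valid RFC 5322 addr-spec syntax.
CASES = [
    "alice@example.com",
    '"bob@attacker.com"@example.com',       # quoted local part containing '@'
    "carol@example.com(@attacker.com)",     # trailing comment containing '@'
]

if __name__ == "__main__":
    for case in CASES:
        verdict = "DISCREPANT" if is_discrepant(case) else "consistent"
        print(f"{case!r:40} {domains(case)} {verdict}")
```

The practical check is the last function: if the registration gate uses one model and the component that actually delivers mail uses another, an address can pass the `example.com` allow-list while the confirmation mail goes to `attacker.com`, or the reverse. Any real assessment should run candidate addresses through the exact validator and mail stack the target uses rather than these models.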
Syllabus
Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls
Taught by
Black Hat