Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls

Explore email address parsing vulnerabilities and exploitation techniques in this DEF CON 32 conference talk that delves into RFC-compliant email address manipulation. Learn how ancient RFC specifications create opportunities for bypassing security controls through parser inconsistencies. Discover methods for crafting specially formatted email addresses that can circumvent organizational defenses, spoof domains, penetrate 'Zero Trust' systems, and bypass employee-only registration restrictions. Master techniques for transforming seemingly innocent inputs into malicious payloads that can trigger email misrouting and blind CSS injection attacks. Gain hands-on experience through a provided CTF challenge and receive a comprehensive methodology and toolkit for identifying and exploiting email parser vulnerabilities in real-world targets.