bWAPP-Mail Header Injection (SMTP)
- theblackthreat
- May 8, 2021
- 1 min read
Purpose: capture all the data entered in the form with Tamper Data or Burp Suite, then change it as you like; for example, you can add Bcc and Cc addresses to the mail with Burp Suite.
Normal mailing systems such as Gmail cannot be intercepted this way by Burp Suite because their transmission is well secured. This type of SMTP injection usually occurs in mailing functions that a web app implements itself, or you can try it on a chat-style web app that sends mail.
So let's get started at Security Level: Low.
Step 1: Open the link "localhost/bWAPP/bWAPP/maili.php".
Step 2: Open Burp Suite and set a manual proxy server so the request is caught by Burp or by Tamper Data (a Firefox extension).
Turn intercept on.
Step 3: Fill in the form on the Mail Header Injection (SMTP) page.
Concept: the page handler reads the form fields straight from the POST body and passes them into the mail headers without checking them:

if ($_POST) {
    $name     = $_POST['name'];
    $email    = $_POST['email'];
    $bcc      = $_POST['bcc'];      // extra fields added to the request are picked up too
    $cc       = $_POST['cc'];
    $message  = $_POST['message'];
    $reply_to = $_POST['reply_to'];
}
After intercepting the mail request in Burp you can edit it according to your task: you can add a Bcc address to grab the contents of the original mail, and you can talk to the mail server directly.
Step 4: The intercepted request body looks like this:
name=test&email=test%40gmail.com&remarks=hello+there+%21&form=submit
Replace it with:
name=test\nbcc=hello@gmail.com&reply-to=welocome to bcc age&email=test%40gmail.com&remarks=hello+there+%21&form=submit
and forward it.


After this, you get a Bcc copy of the original mail, and you can talk with the server instead of the victim system.
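As an added example (not code from the original post or from bWAPP), here is the defender's side of the same form in Python: a header-field check that rejects the line break smuggled into the name field above and refuses malformed address fields, with the form keys and the From/Reply-To layout assumed from the Concept snippet.

```python
import re

# Any of these characters ends a header line, so a user-supplied value that
# contains one lets the sender append headers of their own (Bcc:, Cc:, ...).
_HEADER_BREAK = re.compile(r"[\r\n\x00]")
# A single plain addr-spec: no whitespace, angle brackets or list separators.
_PLAIN_ADDRESS = re.compile(r'^[^\s@<>,;"]+@[^\s@<>,;"]+\.[^\s@<>,;"]+$')


class HeaderInjection(ValueError):
    """Raised when a form field would smuggle an extra mail header."""


def check_header_field(field, value):
    """Return value unchanged if it cannot terminate a header line."""
    if _HEADER_BREAK.search(value):
        raise HeaderInjection(f"{field}: line break in header value")
    return value


def check_address(field, value):
    """Stricter check for address fields: exactly one plain address."""
    check_header_field(field, value)
    if not _PLAIN_ADDRESS.match(value):
        raise HeaderInjection(f"{field}: not a single plain address")
    return value


def build_headers(form):
    """Build the From/Reply-To block for the contact form (field names assumed).

    Only name, email and reply_to reach the headers; any bcc/cc the client
    sends is ignored instead of being copied as the vulnerable handler does.
    """
    name = check_header_field("name", form.get("name", ""))
    email = check_address("email", form.get("email", ""))
    reply_to = check_address("reply_to", form.get("reply_to", email))
    return "\r\n".join([f"From: {name} <{email}>", f"Reply-To: {reply_to}"])


def is_injection_attempt(form):
    """True if the checks would have rejected the submitted form."""
    try:
        build_headers(form)
    except HeaderInjection:
        return True
    return False
```

Logging the rejected field name rather than silently stripping the line break also gives the server side a signal that someone is tampering with the form.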
Note: this mail server is only for training purposes; the technique can work on websites that run their own mail service, such as:
Gmail Incoming mail server: pop.gmail.com. Gmail outgoing mail server: smtp.gmail.com.
Yahoo! … Yahoo! …
AOL incoming mail server: imap.aol.com. AOL outgoing mail server: smtp.aol.com.
Security level: Medium
Just encode the above payload and repeat the process.
Security level: High
You need a thorough knowledge of SMTP testing.
Thanks for grabbing the knowledge. Original