Lab: Inconsistent handling of exceptional input - How does the email work?

m10xde | Last updated: Oct 15, 2020 12:40PM UTC

I've completed the lab by following the solution, but I didn't completely understand how it works.

I registered using the template very-long-string@dontwannacry.com.your-email-id.web-security-academy.net, and the admin panel only validates the first 255 chars of the email, so I can use it, because it only sees very-long-string@dontwannacry.com.

Why can I see the registration email which is sent to very-long-string@dontwannacry.com.your-email-id.web-security-academy.net? The email client says it's displaying all emails @your-email-id.web-security-academy.net. The email doesn't end with @your-email-id.web-security-academy.net, but with .your-email-id.web-security-academy.net.

Uthman, PortSwigger Agent | Last updated: Oct 15, 2020 01:20PM UTC

Can you clarify what your question is? The email will be truncated to only display 255 characters - the 'm' in @dontwannacry.com should be the last character you see.

m10xde | Last updated: Oct 20, 2020 11:39AM UTC

I don't understand why I can see the email, which is sent to very-long-string@dontwannacry.com.your-email-id.web-security-academy.net, in my email client. The email client says it shows every email sent to an email address which ends with @your-email-id.web-security-academy.net, but the email above has a . instead of a @ before your-email-id.web-security-academy.net.

Michelle, PortSwigger Agent | Last updated: Oct 22, 2020 02:05PM UTC

This is outside the scope of our support. If it helps to explain things though: in this lab, the registration confirmation emails will be sent to the lab's email client, but when you log in to the account, the email address displayed will be truncated.
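
The inconsistency the thread is about, as an added illustration (this is not PortSwigger's lab code; the function names, the "store the first 255 characters" logic, and the assumption that the lab mail server accepts mail for the exploit-server domain and any subdomain of it are all mine). The registration side truncates before it checks the domain, while mail delivery uses everything after the last "@" of the full, untruncated address, so the two components disagree about which domain the address belongs to:

```python
# Added example, not code from the lab. Names and behaviour below are assumptions.
MAX_EMAIL_LEN = 255                       # limit the registration form applies (from the thread)
ADMIN_DOMAIN = "dontwannacry.com"         # domain the admin check looks for
EXPLOIT_DOMAIN = "your-email-id.web-security-academy.net"   # placeholder from the thread


def store_email(email: str) -> str:
    """Hypothetical registration handler: silently keeps only the first 255 chars."""
    return email[:MAX_EMAIL_LEN]


def is_admin_email(stored_email: str) -> bool:
    """Hypothetical admin-panel check, run on the stored (possibly truncated) value."""
    return stored_email.endswith("@" + ADMIN_DOMAIN)


def mail_domain(email: str) -> str:
    """Mail routing sees the whole address: the domain is everything after the last '@'."""
    return email.rsplit("@", 1)[1]


def delivered_to_exploit_server(email: str) -> bool:
    """Assumed: the lab mail server accepts mail for EXPLOIT_DOMAIN and any subdomain of it,
    which is why 'dontwannacry.com.<exploit domain>' still lands in the lab's email client."""
    domain = mail_domain(email)
    return domain == EXPLOIT_DOMAIN or domain.endswith("." + EXPLOIT_DOMAIN)


def craft_email(fill_char: str = "a") -> str:
    """Build an address whose first 255 chars end exactly in '@dontwannacry.com'.

    Local part length = 255 - len('@dontwannacry.com') = 238 characters. Real MTAs may
    reject local parts over 64 octets; the thread reports the lab's mail server accepts it."""
    local_len = MAX_EMAIL_LEN - len("@" + ADMIN_DOMAIN)
    return fill_char * local_len + "@" + ADMIN_DOMAIN + "." + EXPLOIT_DOMAIN


def registration_outcome(email: str) -> dict:
    """What each component concludes about the same address."""
    stored = store_email(email)
    return {
        "stored": stored,
        "admin_check_passes": is_admin_email(stored),
        "mail_goes_to_attacker": delivered_to_exploit_server(email),
    }


def register_strict(email: str) -> str:
    """Hardened variant: reject over-length input instead of truncating it, so the value
    the admin check inspects is the same value the mail server will route on."""
    if len(email) > MAX_EMAIL_LEN:
        raise ValueError("email address exceeds %d characters" % MAX_EMAIL_LEN)
    return email


if __name__ == "__main__":
    crafted = craft_email()
    print(len(crafted), registration_outcome(crafted))
    # an unpadded attempt is stored intact and fails the admin check
    print(registration_outcome("attacker@" + ADMIN_DOMAIN + "." + EXPLOIT_DOMAIN))
```

The padding is the whole trick: with a 238-character local part the truncation cut lands right after "dontwannacry.com", so the admin check reads a dontwannacry.com address while the mail server, reading the full string, routes to a subdomain of the exploit server. Without the padding the address is stored intact and ends in ".net", so the check fails. The hardened variant closes the gap by never letting the validated value and the delivered value differ.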

