bWAPP Mail Header Injection SMTP

4.0K views
Jan 1, 2022
6:25

bWAPP Mail Header Injection SMTP Solution:

Note: I am using Burp Suite's preconfigured browser. If you are using an earlier version of Burp Suite, please configure your browser proxy.

Step 1. Enter your inputs for Name, E-mail and Remarks and click on send.

Step 2. Go to Burp Suite and check the intercepted request. For the inputs I gave, the result is below:

name=PseudoTime&email=bwapp%40mailinator.com&remarks=Greetings+from+PseudoTime&form=submit

Step 3. Right-click and send the request to the Repeater tab. Click on send and check for the HTTP/1.1 200 OK response (this means the request succeeded).

Step 4. Modify the request with the details below, \nbcc:youremailaddress.com, and click on send. You will observe the response HTTP/1.1 200 OK (this means the request succeeded).

Note: As per the source code, once the email is sent you will receive the message "Your message has been sent to our master bee!" If you have not received any email, there is no need to worry: the attack is actually successful, but I assume that the message is not triggered because of the email domain you used. There is a high possibility that only a few domains are approved for testing purposes. If my assumption or understanding is incorrect, please do let me know. Thank you in advance.

PseudoTime
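The email field from Step 2 handled two ways, as an added example that is not part of the original description and is not bWAPP's own code: a header block built by string concatenation, next to a version that refuses CR/LF in header-bound fields. The function names, the subject line, the third@example.test address and the %0A encoding of the line break are assumptions made for this sketch.

```python
import re
from email.message import EmailMessage
from urllib.parse import parse_qs

# Constructed request bodies using the form fields shown in Step 2.
# third@example.test and the %0A encoding are placeholders for this example.
BENIGN = "name=PseudoTime&email=bwapp%40mailinator.com&remarks=Greetings&form=submit"
INJECTED = ("name=PseudoTime&email=bwapp%40mailinator.com%0Abcc%3Athird%40example.test"
            "&remarks=Greetings&form=submit")
SUBJECT = "Contact form"  # hypothetical subject line


def parse_form(body):
    """Decode a urlencoded body into a flat dict of field -> value."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def naive_headers(form):
    """Weak pattern: user input concatenated straight into the header block."""
    return "From: " + form["email"] + "\r\nSubject: " + SUBJECT + "\r\n"


def header_names(raw):
    """Header names a mail server would parse out of a raw header block."""
    lines = re.split(r"\r\n|\r|\n", raw)
    return [ln.split(":", 1)[0].strip().lower() for ln in lines if ":" in ln]


def safe_message(form):
    """Hardened pattern: refuse CR/LF in header-bound fields before building."""
    for field in ("name", "email"):
        if re.search(r"[\r\n]", form[field]):
            raise ValueError("CR/LF in header-bound field: " + field)
    msg = EmailMessage()
    msg["From"] = form["email"]
    msg["Subject"] = SUBJECT
    msg.set_content(form["remarks"])
    return msg


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("injected", INJECTED)):
        form = parse_form(body)
        print(label, "naive headers:", header_names(naive_headers(form)))
        try:
            safe_message(form)
            print(label, "hardened: accepted")
        except ValueError as exc:
            print(label, "hardened: rejected:", exc)
```

With the concatenated version, the line break in the email value yields a third header (bcc) that the form never intended to set; the hardened version rejects the same input before any message is built.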
