Cobalt Crowdsourced Application Pentest

Cobalt Vulnerability Wiki


V14 - Config

Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain

POC

  • To check the SPF and DMARC policy of the target domain, mxtoolbox.com was used: https://mxtoolbox.com/SuperTool.aspx (the SPF record is the TXT record of the domain itself; the DMARC record is the TXT record at _dmarc.target.com). The finding applies when the DMARC record is absent, or present with p=none, so receivers are never told to quarantine or reject mail that fails SPF/DKIM alignment.
  • The issue can be reproduced with any third-party tool that sends mail with an arbitrary From header; for the demo https://emkei.cz/ was used.
  • Open the site https://emkei.cz/
  • Fill in the details, making sure the From address is admin@target.com. The To address can be any mailbox you control.
  • Type the message and click Send.
  • Once the message arrives, note that the From address shows admin@target.com, which looks legitimate to the recipient. Inspect the message headers (the Authentication-Results header added by the receiving server) to confirm that the spoofed mail failed or skipped DMARC and was still delivered to the inbox rather than to spam.
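The checks performed against mxtoolbox.com above can be scripted. The following is an added example, not part of the Cobalt wiki entry: it parses SPF and DMARC TXT records as returned by `dig +short TXT target.com` and `dig +short TXT _dmarc.target.com` and reports whether a spoofed From address would be subject to enforcement. The three record sets (`weak`, `missing`, `strong`) are constructed for illustration and target.com is a placeholder domain.

```python
"""Assess SPF and DMARC records for From-header spoofing exposure.

Added example, not code from the Cobalt wiki. The sample records below are
constructed; target.com is a placeholder domain.
"""
import re

# Constructed sample TXT records, in the form dig returns them
# (SPF: TXT at the domain apex; DMARC: TXT at _dmarc.<domain>).
SAMPLE_RECORDS = {
    "weak": {                       # DMARC present but monitor-only
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@target.com",
    },
    "missing": {                    # no DMARC record at all
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": None,
    },
    "strong": {                     # enforcing policy, strict alignment
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@target.com",
    },
}


def parse_dmarc(record):
    """Parse a DMARC TXT record ('tag=value; tag=value') into a dict.

    Returns None when the record is absent or does not start with v=DMARC1,
    which receivers treat the same as having no DMARC record.
    """
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism: '-', '~', '?' or '+'.

    Returns None when there is no SPF record or no 'all' mechanism.
    """
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    if not match:
        return None
    return match.group(1) or "+"       # bare 'all' means '+all'


def assess(spf_record, dmarc_record):
    """Return (severity, findings) for a domain's SPF/DMARC posture.

    severity is 'vulnerable' (no enforcing DMARC policy, so a spoofed From
    header is not rejected or quarantined), 'weak' (enforcing, but with a
    gap worth reporting) or 'enforced'.
    """
    findings = []
    tags = parse_dmarc(dmarc_record)
    policy = None
    if tags is None:
        findings.append("DMARC record missing or invalid: receivers will not enforce alignment")
    else:
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC p=none: failures are only reported, never rejected or quarantined")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC p=%r is not a valid enforcement value" % policy)
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append("DMARC pct=%s: policy applied to only %s%% of failing mail" % (pct, pct))

    qualifier = spf_all_qualifier(spf_record)
    if qualifier is None:
        findings.append("SPF record missing or has no 'all' mechanism")
    elif qualifier == "+":
        findings.append("SPF +all: every sending host passes SPF")
    elif qualifier in ("~", "?"):
        findings.append("SPF %sall: softfail/neutral, relies on DMARC to take action" % qualifier)

    enforcing = policy in ("quarantine", "reject")
    if not enforcing:
        return "vulnerable", findings
    return ("weak" if findings else "enforced"), findings


def run_samples():
    """Assess every constructed sample and return {name: severity}."""
    return {name: assess(recs["spf"], recs["dmarc"])[0]
            for name, recs in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        severity, findings = assess(recs["spf"], recs["dmarc"])
        print("%-8s %-10s %s" % (name, severity, "; ".join(findings) or "no findings"))
```

A DMARC policy of quarantine or reject is what turns the spoofed message from the POC into a rejected or junked message; SPF alone (even with -all) does not, because SPF is evaluated against the envelope sender, not the From header the recipient sees.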

Impact

Low

Likelihood

Low