Bouncing with Email
Using email signup pages can be gamed for databouncing too, and this too is indirect, or 2nd order, consider this,
A user is allowed to submit a registration page to an access portal etc ... it can be weaponized, find the web request and tailor it for exfil, the email address when processed will have to perform DNS lookup (more than once) for sending a verification email and while the mail server may not exist, the lookup has to happen.
sequenceDiagram
participant U as User
participant WP as Web Page Sign-up
participant S as Server
participant D as DNS Server - Exfil (DataBounce)
U->>WP: Accesses signup page
Note right of WP: Web page presents signup form
U->>WP: Submits form with email ([email protected])
Note over WP,S: Email contains potential exfiltration domain
WP->>S: Sends email data
Note over S: Server processes email data
S->>D: DNS MX record lookup for exfiltrationdata.domain.com
Note right of D: DNS queried for MX record of exfiltration domain
Note right of D: Databouncing capability here
D-->>S: Returns MX record
Note right of S: Receives DNS response
S->>WP: Confirms email processing
WP->>U: Displays signup confirmation
Note right of WP: Confirmation shown to user after DNS lookup
There are some pretty cool capabilities with SMTP but we're not scope creeping yet, we're keeping in line with that whole 'get the thing to do a lookup' and get the data.
We'll whip a guide exploring this.