@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/
  • Blog Title: XSS and SSRF via the List-Unsubscribe SMTP Header in Horde Webmail and Nextcloud Mail
  • Suggested Section: Pentesting Web -> XSS (Cross Site Scripting) and cross-linked from Pentesting Web -> SSRF (Server Side Request Forgery) as a 'List-Unsubscribe header abuse' technique

🎯 Content Summary

This post analyzes how the standardized List-Unsubscribe SMTP header (RFC 2369) can introduce exploitable attack surface in modern webmail and mail clients, specifically leading to Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF). It illustrates the problem using a real stored XSS in Horde Webmail (CVE-2025-68673) and an SSRF primitive in the Nextcloud Mail app.

Foundations: How List-Unsubscribe Works

The List-Unsubscribe header is defi...

🔧 Technical Details

1. Stored XSS via JavaScript URIs in List-Unsubscribe Rendering
Whenever a mail client converts the List-Unsubscribe header into a clickable HTML link, you can test for stored XSS by injecting a javascript: URI instead of a normal http(s):// or mailto: link. The generic attack pattern is:

List-Unsubscribe: <javascript://attacker.tld/%0aconfirm(document.domain)>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

If the application generates HTML like:

<a href="javascript://attacker.tld/%0aconfirm(document.domain)" target="_blank">...</a>

then opening the link (especially in a new tab/window due to target="_blank") causes the browser to execute the JavaScript in the webmail origin, producing stored XSS. To generalize this technique:

  • Identify any component that reads List-Unsubscribe and writes it int...

🤖 Agent Actions

Summary:

  • Added a new “List-Unsubscribe Header Abuse (Webmail XSS & SSRF)” section to the XSS methodology page detailing how attacker-controlled List-Unsubscribe URIs can yield stored XSS or server-side SSRF primitives. The section covers the RFC 2369 background, testing workflow, PoC headers, execution requirements (e.g., target="_blank"), and includes expandable Python scripts for both the basic SMTP payload and a DKIM-signed variant used against Nextcloud Mail.
  • Documented SSRF-specific considerations such as Nextcloud’s allow_local_remote_servers flag, DKIM requirements for HTTPS unsubscribe requests, and how to leverage OAST infrastructure plus SSRF methodology techniques once the primitive is confirmed.
  • Added concrete hardening guidance (scheme allowlists, network egress restrictions, logging) and updated the references section with the blog post and related HackerOne report.

Tests: Not run (not requested).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 935
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
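The technique described in the PR body above (an attacker-controlled List-Unsubscribe URI that a client turns into a clickable link or fetches server-side for one-click unsubscribe) comes down to two missing checks: a scheme allowlist on the rendered link and a target check before the server-side POST. The following Python script is an added example written for this page; it is not code from the blog post, from Horde, from Nextcloud, or from the HackTricks PR. It parses the RFC 2369 header format, shows the vulnerable rendering pattern next to a hardened one, and adds a pre-flight check for the one-click (SSRF) side. The sample headers are constructed, and the function names and the `allow_local` flag are hypothetical, chosen only to mirror the kind of setting the PR mentions.

```python
"""List-Unsubscribe (RFC 2369) parsing and safe rendering.

Added example for this page; not the blog post's, Horde's or Nextcloud's code.
"""
import ipaddress
import re
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample headers: the javascript: payload pattern from the post
# plus a benign mailto: entry, as a real message could carry both.
SAMPLE_HEADERS = {
    "List-Unsubscribe": "<javascript://attacker.tld/%0aconfirm(document.domain)>, "
                        "<mailto:unsub@example.com>",
    "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
}

# RFC 2369: the header value is a comma-separated list of URIs in angle brackets.
_URI_RE = re.compile(r"<([^<>]+)>")

# Schemes a webmail client may reasonably turn into a user-clickable link.
ALLOWED_CLICK_SCHEMES = {"http", "https", "mailto"}


def parse_list_unsubscribe(value: str) -> list:
    """Return the URIs found in a List-Unsubscribe header value, in order."""
    return [m.group(1).strip() for m in _URI_RE.finditer(value)]


def render_vulnerable(uri: str) -> str:
    """The pattern the post describes: the URI lands in href with no scheme check.

    Note that HTML-escaping alone does not help: a javascript: URI contains
    nothing that escape() would touch, so the browser still executes it.
    """
    return f'<a href="{escape(uri, quote=True)}" target="_blank">Unsubscribe</a>'


def render_hardened(uri: str) -> Optional[str]:
    """Render only when the scheme is on the allowlist; otherwise drop the link.

    The allowlist (rather than a javascript: denylist) also rejects data:,
    vbscript: and any scheme that whitespace or case tricks might disguise.
    """
    uri = uri.strip()
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ALLOWED_CLICK_SCHEMES:
        return None
    return (f'<a href="{escape(uri, quote=True)}" target="_blank" '
            f'rel="noopener noreferrer">Unsubscribe</a>')


def one_click_target_allowed(uri: str, allow_local: bool = False) -> bool:
    """Pre-flight for the server-side one-click POST (the SSRF side).

    Require https and, for literal IP hosts, a globally routable address unless
    the operator has explicitly opted in (hypothetical allow_local flag).
    For hostnames a real implementation must resolve the name and re-check the
    resolved address at connect time, which this offline example does not do.
    """
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return True  # hostname, not a literal address: resolve and re-check in real code
    return allow_local or addr.is_global


def safe_links(headers: dict) -> list:
    """Rendered links for every URI in the header that passes the allowlist."""
    links = []
    for uri in parse_list_unsubscribe(headers.get("List-Unsubscribe", "")):
        rendered = render_hardened(uri)
        if rendered is not None:
            links.append(rendered)
    return links


if __name__ == "__main__":
    for uri in parse_list_unsubscribe(SAMPLE_HEADERS["List-Unsubscribe"]):
        print("vulnerable:", render_vulnerable(uri))
        print("hardened:  ", render_hardened(uri))
        print("one-click: ", one_click_target_allowed(uri))
```

Run as a script it prints both renderings for each URI in the constructed header; the javascript: entry survives the vulnerable renderer untouched and is dropped by the hardened one, and neither entry is acceptable as a one-click POST target because neither is https.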

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> XSS (Cross Site Scripting) and cross-linked from Pentesting Web -> SSRF (Server Side Request Forgery) as a 'List-Unsubscribe header abuse' technique".

Repository Maintenance:

  • MD Files Formatting: 935 files processed (1 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
