BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//pretalx.com//bsides-canberra-2025//speaker//SCEPVQ BEGIN:VTIMEZONE TZID:AEST BEGIN:STANDARD DTSTART:20000326T040000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3;UNTIL=20050326T170000Z TZNAME:AEST TZOFFSETFROM:+1100 TZOFFSETTO:+1000 END:STANDARD BEGIN:STANDARD DTSTART:20060402T040000 RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060401T170000Z TZNAME:AEST TZOFFSETFROM:+1100 TZOFFSETTO:+1000 END:STANDARD BEGIN:STANDARD DTSTART:20070325T040000 RRULE:FREQ=YEARLY;BYDAY=4SU;BYMONTH=3;UNTIL=20070324T170000Z TZNAME:AEST TZOFFSETFROM:+1100 TZOFFSETTO:+1000 END:STANDARD BEGIN:STANDARD DTSTART:20080406T040000 RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4 TZNAME:AEST TZOFFSETFROM:+1100 TZOFFSETTO:+1000 END:STANDARD BEGIN:DAYLIGHT DTSTART:20000827T030000 RRULE:FREQ=YEARLY;BYDAY=4SU;BYMONTH=8;UNTIL=20000826T170000Z TZNAME:AEDT TZOFFSETFROM:+1000 TZOFFSETTO:+1100 END:DAYLIGHT BEGIN:DAYLIGHT DTSTART:20011028T030000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20071027T170000Z TZNAME:AEDT TZOFFSETFROM:+1000 TZOFFSETTO:+1100 END:DAYLIGHT BEGIN:DAYLIGHT DTSTART:20081005T030000 RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=10 TZNAME:AEDT TZOFFSETFROM:+1000 TZOFFSETTO:+1100 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:pretalx-bsides-canberra-2025-FZCJWD@pretalx.com DTSTART;TZID=AEST:20250926T100000 DTEND;TZID=AEST:20250926T102500 DESCRIPTION:Email addresses are a common data type which can be highly inco nsistent\, with various parsers behaving differently depending on its impl ementation. In some cases\, parsers may accept an RFC-compliant email addr ess that can lead to high impact vulnerabilities in applications\, because the developers assumed that the parser will parse an email address accord ing to their expectations. This concept is not just restricted to web appl ications\, but also other types of services that rely on parsing email add resses to establish identities. \n\nIn this presentation\, I will talk abo ut my experience when researching on Jakarta Mail (previously known as Jav aMail `javax.mail`) for email parsing issues and it will be presented in a journey-style manner. This research was inspired by one of our recent eng agements\, where a client utilised a library that has JavaMail as one of i ts dependencies. While researching about Mail vulnerabilities\, I recalled how Gareth Heyes from PortSwigger [published](https://portswigger.net/res earch/splitting-the-email-atom) about the use of encoded strings in email addresses and how email parsers may decode and accept them. After reading such an inspiring write-up\, I attempted to extend the research Gareth did \, against Jakarta Mail this time\, and was surprised to find other intere sting behaviours that were exhibited.\n\nOne of the main highlights in thi s sharing will be on `InternetAddress.java`\, a default class shipped with Jakarta Mail that is used to parse and represent email addresses. It has some inconsistencies that can potentially lead to situations where develop ers assume that emails are always validated when in fact they are not. As `InternetAddress` is not typically used directly\, I have also looked into how other libraries utilised it\, namely Angus Mail and Spring Framework. In addition to the `InternetAddress` class\, I will also be going through my observations from other classes such as `MimeMessage` (from Jakarta Ma il)\, as well as `InternetAddressEditor`\, `MimeMessageHelper`\, `MimeMail Message` and `SimpleMailMessage` (from Spring Framework).\n\nThroughout th is research\, I have noted down various interesting primitives which I wil l be sharing\, hoping that it will be useful for other researchers if they ever encounter them in the wild. DTSTAMP:20260617T083110Z LOCATION:Off-Main Track SUMMARY:Primitives for Security Audits: Lessons from Jakarta Mail - Jia Hao Poh URL:https://pretalx.com/bsides-canberra-2025/talk/FZCJWD/ END:VEVENT END:VCALENDAR