Security & Penetration Testing
Validate authentication controls, password reset poisoning vulnerabilities, token leakage, and email HTML sanitization within isolated, disposable environments.
What you'll need
- A Developer plan or above (for higher rate limits and guaranteed inbox persistence)
- Our CLI tool or REST API access
- Testing automation scripts (Python/Bash) for security suites
Password Reset Poisoning
You can dynamically provision an inbox using the Python SDK to receive a password reset email and verify if the application leaks the reset token via Host header injection.
import requests, os, time
from freecustom_email import FreeCustomEmail
fce = FreeCustomEmail(api_key=os.environ.get("FCE_API_KEY"), sync=True)
TARGET_URL = "https://target-app.local/forgot-password"
def run_poisoning_test():
# 1. Provision target inbox
inbox = f"sec-target-{int(time.time())}@ditapi.info"
fce.inboxes.register(inbox)
# 2. Trigger reset with malicious Host header
malicious_host = "evil.com"
requests.post(TARGET_URL,
headers={"Host": malicious_host},
data={"email": inbox}
)
# 3. Wait for the email and check the verification link
try:
# wait_for automatically handles polling and returns an OTP/link object
result = fce.otp.wait_for(inbox, timeout_ms=30000)
link = result.verification_link if hasattr(result, "verification_link") else str(result)
if malicious_host in link:
print(f"[!] VULNERABLE: Token leaked to {malicious_host}. Link: {link}")
else:
print("[+] SAFE: Host header ignored.")
except Exception as e:
print(f"[-] No email received or error: {e}")
run_poisoning_test()Auth Rate Limit Validation
Bypass IP-based or email-based rate limits during assessments by using hundreds of unique email identities on the fly. FreeCustom.Email's wildcard domains (e.g., anything@ditapi.info) and fresh domains feature ensure your traffic doesn't get blocked.
#!/bin/bash
# Using the FCE CLI to generate unique emails in a loop for fuzzing
for i in {1..50}; do
INBOX="fuzz-$i@ditapi.info"
# Register
fce register $INBOX --silent
# Trigger signup
curl -X POST https://target-app.local/signup \
-d "email=$INBOX" -d "password=TestPass123!"
doneEmail HTML Injection (XSS)
Verify how your system sanitizes input reflected in emails (like usernames or profile data). Using the Python SDK, you can quickly fetch the raw HTML body to check for executable scripts.
import os
from freecustom_email import FreeCustomEmail
fce = FreeCustomEmail(api_key=os.environ["FCE_API_KEY"], sync=True)
def check_email_for_xss(inbox: str, payload: str):
# Fetch the latest message
messages = fce.messages.list(inbox, limit=1)
if not messages:
print("[-] No messages found")
return
msg_id = messages[0].id
# Fetch full HTML content
full_msg = fce.messages.get(inbox, msg_id)
html_body = full_msg.html
if payload in html_body:
print("[!] HTML Payload reflected without sanitization!")
else:
print("[+] Input was sanitized safely.")