Email input fields are a critical attack surface in web applications. Attackers often target these fields to exploit vulnerabilities ranging from XSS and SSRF to header injection and business logic flaws. This article provides a detailed methodology for testing email input fields including both foundational and advanced techniques with practical payloads for each scenario.

Start by using an RFC822-compliant validator tool to test how the application handles a variety of valid and invalid email formats. Enter each case into the tool’s input field and note whether the tool marks it as valid or invalid, as this reveals the strength or weakness of the application’s email validation logic.

Example Test Cases:

| Email Address                                 | Expected (RFC822) | Notes                          |
|-----------------------------------------------|-------------------|--------------------------------|
| [email protected]                            | Valid             | Standard format…