Email flow testing

Overview

VulnerableApp includes a simple email testing endpoint for validating the mail integration flow. The endpoint is available under the unsafe profile and sends a test message through the configured mail service.

Endpoint

Send a test email with:

curl -X POST "http://localhost/VulnerableApp/email/test" \
  -d "to=you@example.com" \
  -d "subject=Test email" \
  -d "body=Hello from VulnerableApp" \
  -d "html=false"

Parameters

  • to (required): recipient email address
  • subject (optional): email subject; defaults to VulnerableApp test email
  • body (optional): email body; defaults to This email was sent by VulnerableApp.
  • html (optional): set to true for HTML email content; defaults to false

Mailpit / SMTP setup

The application uses the standard Spring mail configuration.

Default properties

The shared application properties define the default SMTP host and credentials behavior:

  • spring.mail.host=${SMTP_HOST:mailpit}
  • spring.mail.port=${SMTP_PORT:1025}
  • spring.mail.username=${SMTP_USERNAME:smtp_hacker}
  • spring.mail.password=${SMTP_PASSWORD:smtp_password}
  • vulnerableapp.email.from=${EMAIL_FROM:no-reply@vulnerableapp.local}
  • vulnerableapp.email.base-url=${APP_BASE_URL:http://localhost}

If Mailpit is running locally, emails will be captured there and available at:

  • http://localhost:8025

Notes

  • If the mail server is unavailable, the application logs a warning and continues running instead of failing the request.
  • The email testing endpoint is intended for local validation and debugging.