Email flow testing
Overview
VulnerableApp includes a simple email testing endpoint for validating the mail integration flow. The endpoint is available under the unsafe profile and sends a test message through the configured mail service.
Endpoint
Send a test email with:
curl -X POST "http://localhost/VulnerableApp/email/test" \
-d "to=you@example.com" \
-d "subject=Test email" \
-d "body=Hello from VulnerableApp" \
-d "html=false"
Parameters
to(required): recipient email addresssubject(optional): email subject; defaults toVulnerableApp test emailbody(optional): email body; defaults toThis email was sent by VulnerableApp.html(optional): set totruefor HTML email content; defaults tofalse
Mailpit / SMTP setup
The application uses the standard Spring mail configuration.
Default properties
The shared application properties define the default SMTP host and credentials behavior:
spring.mail.host=${SMTP_HOST:mailpit}spring.mail.port=${SMTP_PORT:1025}spring.mail.username=${SMTP_USERNAME:smtp_hacker}spring.mail.password=${SMTP_PASSWORD:smtp_password}vulnerableapp.email.from=${EMAIL_FROM:no-reply@vulnerableapp.local}vulnerableapp.email.base-url=${APP_BASE_URL:http://localhost}
If Mailpit is running locally, emails will be captured there and available at:
http://localhost:8025
Notes
- If the mail server is unavailable, the application logs a warning and continues running instead of failing the request.
- The email testing endpoint is intended for local validation and debugging.