We need to integrate a local SMTP server into VulnerableApp to support email-related vulnerability labs (e.g., password reset, email injection, verification flows) without relying on external email providers.
This will enable safe, offline, and cost-free teaching of email security concepts.
🚀 Goals
Enable VulnerableApp to send emails via a local SMTP server
Capture and display emails in a UI for students
Support multiple security labs (reset password, verification, notifications)
Ensure zero dependency on external email providers
This is only available for Modern UI via VulnerableApp-Facade
Look at VulnerableApp docker-compose.yaml
🧱 Proposed Solution
- SMTP Server (Local Dev Setup)
Use one of the following:
Mailpit (recommended)
MailHog (alternative)
or others, you are free to choose the best one.
Run via Docker compose, facade UI:
UI Dashboard: http://localhost:8025
- Backend Configuration
Add configurable SMTP settings in application.properties
- Email Service Layer
Introduce a reusable email service:
sendEmail(to, subject, body)
sendHtmlEmail(to, subject, htmlBody)
sendResetEmail(user, token)
sendVerificationEmail(user, token)
🧪 Testing Requirements
Emails should appear in Mailpit UI
No external network dependency
Able to simulate:
reset password emails
verification emails
crafted payload injection cases
🔐 Security Lab Enablement (Future Use)
This integration will support:
Email header injection labs
Token leakage scenarios
Weak reset mechanisms
Enumeration via email responses
📦 Acceptance Criteria
SMTP server runs locally via Docker
App successfully sends emails to Mailpit/MailHog
Emails visible in web UI dashboard
No dependency on external email providers
Configurable SMTP settings added
Email service abstraction implemented
🧭 Notes
This is a foundational change for upcoming email security vulnerability modules in VulnerableApp and should be designed to remain extensible for future attack scenarios. It will only be available in the Modern UI, as that is a Docker-based design.
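A sketch of the email service abstraction listed under "Email Service Layer", added here as an example and not taken from VulnerableApp. It uses only the JDK; the `MailTransport` seam, `headerValue`, the `/reset` and `/verify` paths, the `String` recipient in place of a user object, and all addresses and tokens are assumptions made for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class EmailService {
    // Hypothetical seam: the real transport would speak SMTP to the local capture server.
    interface MailTransport { void deliver(String rawMessage); }

    private final MailTransport transport;
    private final String from;     // assumed sender address
    private final String baseUrl;  // assumed base URL for lab links

    EmailService(MailTransport transport, String from, String baseUrl) {
        this.transport = transport; this.from = from; this.baseUrl = baseUrl;
    }

    // A header value must stay on one line: CR or LF would start a new header.
    static String headerValue(String v) {
        if (v == null || v.indexOf('\r') >= 0 || v.indexOf('\n') >= 0)
            throw new IllegalArgumentException("CR/LF not allowed in a header value");
        return v;
    }

    private void send(String to, String subject, String type, String body) {
        transport.deliver("From: " + headerValue(from) + "\r\n"
            + "To: " + headerValue(to) + "\r\n"
            + "Subject: " + headerValue(subject) + "\r\n"
            + "MIME-Version: 1.0\r\n"
            + "Content-Type: " + type + "; charset=UTF-8\r\n\r\n" + body);
    }

    public void sendEmail(String to, String subject, String body) { send(to, subject, "text/plain", body); }
    public void sendHtmlEmail(String to, String subject, String htmlBody) { send(to, subject, "text/html", htmlBody); }
    public void sendResetEmail(String to, String token) { sendEmail(to, "Password reset", link("/reset", token)); }
    public void sendVerificationEmail(String to, String token) { sendEmail(to, "Verify your email", link("/verify", token)); }
    private String link(String path, String token) {
        return baseUrl + path + "?token=" + URLEncoder.encode(token, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        List<String> captured = new ArrayList<>();  // in-memory stand-in for the mail UI
        EmailService svc = new EmailService(captured::add, "lab@example.test", "http://localhost");
        svc.sendResetEmail("student@example.test", "constructed-token");  // constructed sample values
        System.out.println(captured.get(0));
        try { svc.sendEmail("student@example.test", "Hi\r\nBcc: other@example.test", "body"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```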