HowToHunt
Sign Up Functionality

Sign Up Bugs


Last updated 3 years ago

Implementing the Sign Up Feature:

Take a school website (school.org) as the example: students have to register on school.org to reach their academic resources, so every user of school.org needs a way to register as a member and gain access to the site's content.

The school can implement the signup process in two ways:

  1. Manual Signup: registration based on the user supplying a series of specific details. The form usually asks for name, email, password, confirm password and so on, as shown in the image below.

  2. Social Signup / OAuth: registration through an integrated identity provider such as Facebook, Twitter or Google, so the user signs in to the third-party site instead of creating a new account specifically for it.

This post covers bugs in manual signup; Social Signup / OAuth is left for the next post.

Exploiting Signup Feature:

1. Duplicate registration / Overwrite existing user.

Duplicate registration is when an application lets us register or sign up with an email address, username or phone number that is already taken. The consequences range from a nuisance to full account takeover, depending on what the application does with the second record. A common root cause is a mismatch between the uniqueness check and the lookup: signup compares the address case-sensitively (or not at all) while login and storage treat it case-insensitively, so the second record replaces or shadows the first.

Steps to reproduce:

  1. Create a first account in the application with an email, say abc@gmail.com, and a password.

  2. Log out and create another account with the same email (abc@gmail.com) and a different password.

  3. You can also try changing the case of the email, for example abc@gmail.com to Abc@gmail.com.

  4. Finish the creation process and see that it succeeds.

  5. Now go back and try to log in with abc@gmail.com and the new password. If you are logged in, the second registration overwrote (or shadows) the victim's account.

Further Read: https://hackerone.com/reports/187714, https://shahjerry33.medium.com/duplicate-registration-the-twinning-twins-883dfee59eaf, https://blog.securitybreached.org/2020/01/22/user-account-takeover-via-signup-feature-bug-bounty-poc/
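The overwrite above, replayed against a constructed in-memory user store. This is an added example, not code from HowToHunt or from any real application: the vulnerable registry is an unconditional upsert keyed on the lower-cased address with no existence check, the hardened one checks and inserts under the same canonical key and refuses duplicates. Email canonicalisation (trim, NFKC, lower-case) is an assumption about how the application treats addresses.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed in-memory stand-in for the application's user table (assumption):
# canonical email -> {"salt": bytes, "hash": bytes}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def canonical_email(email: str) -> str:
    """Normalise before any uniqueness check: trim, NFKC-fold, lower-case.
    Assumption: the app treats addresses case-insensitively, which matches how
    mail providers handle the domain part and how most handle the local part."""
    return unicodedata.normalize("NFKC", email.strip()).lower()


class VulnerableRegistry:
    """Signup is an unconditional upsert keyed on the lower-cased address, with no
    check that the address already exists. A second signup with abc@gmail.com or
    Abc@gmail.com silently replaces the victim's credentials."""

    def __init__(self):
        self.users = {}

    def register(self, email: str, password: str) -> bool:
        salt = os.urandom(16)
        self.users[email.lower()] = {"salt": salt, "hash": hash_password(password, salt)}
        return True

    def login(self, email: str, password: str) -> bool:
        rec = self.users.get(email.lower())
        return rec is not None and hmac.compare_digest(
            rec["hash"], hash_password(password, rec["salt"])
        )


class HardenedRegistry:
    """Same store, but the existence check and the insert use the same canonical
    key, and the insert is refused (not merged) when the key is taken."""

    def __init__(self):
        self.users = {}

    def register(self, email: str, password: str) -> bool:
        key = canonical_email(email)
        if key in self.users:
            # In a real database this is a UNIQUE constraint on the canonical
            # column, so the check and the insert cannot race.
            return False
        salt = os.urandom(16)
        self.users[key] = {"salt": salt, "hash": hash_password(password, salt)}
        return True

    def login(self, email: str, password: str) -> bool:
        rec = self.users.get(canonical_email(email))
        return rec is not None and hmac.compare_digest(
            rec["hash"], hash_password(password, rec["salt"])
        )


def run_takeover(registry) -> dict:
    """Replays the steps from the section: victim registers, attacker re-registers
    the same address in a different case, then tries the victim's address with
    the attacker's password."""
    registry.register("abc@gmail.com", "victim-password")
    second = registry.register("Abc@gmail.com", "attacker-password")
    return {
        "second_signup_accepted": second,
        "victim_password_still_works": registry.login("abc@gmail.com", "victim-password"),
        "attacker_password_works": registry.login("abc@gmail.com", "attacker-password"),
    }


if __name__ == "__main__":
    print("vulnerable:", run_takeover(VulnerableRegistry()))
    print("hardened:  ", run_takeover(HardenedRegistry()))
```

The fix is not the `.lower()` call, which the vulnerable version already has; it is that the check and the write agree on one key and the write is insert-only. On a real database that is a UNIQUE index on the canonicalised column, so two concurrent signups cannot both pass the check.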

2. DoS at Name/Password field in Signup Page.

Sending a very long string (on the order of 100,000 characters) in a signup field can cause a denial of service on the server, leaving the site slow or unresponsive. The usual root cause is a password-hashing routine (or other expensive string processing) that runs on the input without a length cap. Password KDFs such as PBKDF2 are deliberately slow, and some implementations scale their cost with the length of the input, so a single request with a huge password burns CPU and memory for seconds; Django's long-password DoS (CVE-2013-1443) is the classic case. Name fields are worth trying too, because they may hit logging, string processing or database indexing paths that were never sized for that input.

Steps to reproduce:

  1. Go to the signup form.

  2. Fill in the form and enter a very long string in the password field.

  3. Submit. A 500 Internal Server Error, a timeout, or a response that is much slower than with a normal-length password suggests the field is vulnerable; compare response times before concluding anything, and keep the test to a few requests, since a real DoS is usually out of scope.

Further Read: https://shahjerry33.medium.com/long-string-dos-6ba8ceab3aa0, https://hackerone.com/reports/738569
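Why a long password hurts, shown in code. This is an added example, not code from HowToHunt or from any named project: `naive_pbkdf2_sha256` is real PBKDF2-HMAC-SHA256 written the way the vulnerable implementations were (a fresh HMAC keyed with the password on every iteration), `hash_password_safely` is the hardened form, and the 4096-byte cap is an assumption (it is the limit Django adopted in its fix).

```python
import hashlib
import hmac
import time

MAX_PASSWORD_BYTES = 4096  # assumed cap; Django adopted the same limit in its fix


def naive_pbkdf2_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, first 32-byte block, written the way the vulnerable
    implementations were: a fresh HMAC keyed with the password on every
    iteration. HMAC pre-hashes any key longer than SHA-256's 64-byte block,
    so per-iteration cost grows linearly with len(password)."""
    u = hmac.new(password, salt + b"\x00\x00\x00\x01", hashlib.sha256).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha256).digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(32, "big")


def sha256_blocks(n_bytes: int) -> int:
    """Compression-function calls SHA-256 needs for n_bytes (padding included)."""
    return (n_bytes + 8) // 64 + 1


def estimated_block_ops(password_len: int, iterations: int) -> int:
    """Rough SHA-256 block count for naive_pbkdf2_sha256: per iteration, hash the
    key if it is longer than one block, then the inner and outer HMAC hashes
    (two blocks each for a 32-byte message)."""
    key_cost = sha256_blocks(password_len) if password_len > 64 else 0
    return iterations * (key_cost + 4)


def time_naive(password_len: int, iterations: int = 2_000) -> float:
    """Wall-clock seconds for one naive hash of a password of the given length."""
    start = time.perf_counter()
    naive_pbkdf2_sha256(b"a" * password_len, b"constructed-salt", iterations)
    return time.perf_counter() - start


def hash_password_safely(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hardened form: reject oversized input before any expensive work, then use
    hashlib's OpenSSL-backed PBKDF2, which keys the HMAC once per call rather
    than once per iteration."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=32)


def naive_matches_stdlib() -> bool:
    """Confirms the naive routine is real PBKDF2, not a strawman."""
    salt = b"constructed-salt"
    return naive_pbkdf2_sha256(b"hunter2", salt, 50) == hashlib.pbkdf2_hmac(
        "sha256", b"hunter2", salt, 50, dklen=32
    )


if __name__ == "__main__":
    print("20-char password: %.3fs" % time_naive(20))
    print("100000-char password: %.3fs" % time_naive(100_000))
    ratio = estimated_block_ops(100_000, 1) // estimated_block_ops(20, 1)
    print("estimated cost ratio: %dx per iteration" % ratio)
```

The length check has to run before the hash, not after; validating the field in the same place as the other form rules is what turns a CPU-burning request into a cheap 400.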

3. Cross-Site Scripting (XSS) in username, account name for registration.

Cross-site scripting (XSS) is a vulnerability in websites and web applications that accept user input and later render it without proper encoding. The injected payload becomes part of the page's content and runs in the browser of anyone who views it. On a signup form the interesting fields are the ones that get displayed later: the username or display name shows up on profile pages, in admin user lists and in emails, so a stored payload there can reach other users and staff.

To test the signup page for XSS, insert a payload in fields like username, email, password and so on, then look for it everywhere the value is rendered (profile page, welcome email, admin panel).

Payload for Username field: <svg/onload=confirm(1)>
Payload for Email field: "><svg/onload=confirm(1)>"@x.y

The email payload uses a quoted local part, which RFC 5322 allows, so it passes both loose regex checks and strictly RFC-compliant validators; the only reliable defence for that field is output encoding.
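The two payloads above against a deny-list filter and against output encoding. This is an added example, not code from HowToHunt or from any real application: the filter, the templates and the validators are constructed to show the point. Note that the page's other examples are in Python; this one is in JavaScript only because the behaviour that matters (what the browser receives) is a markup question.

```javascript
// Payloads from the section above (constructed test inputs).
const USERNAME_PAYLOAD = "<svg/onload=confirm(1)>";
const EMAIL_PAYLOAD = '"><svg/onload=confirm(1)>"@x.y';

// Loose email check that many signup forms use; it accepts the quoted local part.
const EMAIL_LOOSE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
// Allow-list for usernames applied at signup: letters, digits, underscore, dash.
const USERNAME_STRICT = /^[A-Za-z0-9_-]{3,32}$/;

// Deny-list filter seen in the wild: removes <script> and nothing else.
function stripScriptTags(value) {
  return value.replace(/<\/?script[^>]*>/gi, "");
}

// Context-aware encoding: the five characters that matter in text and in
// double-quoted attribute values.
function escapeHtml(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Filters input, then interpolates it raw into a text node and an attribute.
function renderProfileVulnerable(username, email) {
  const u = stripScriptTags(username);
  const e = stripScriptTags(email);
  return `<h1>Welcome, ${u}</h1>\n<input name="email" value="${e}">`;
}

// Encodes at output time; the attribute stays closed because " is escaped.
function renderProfileSafe(username, email) {
  return `<h1>Welcome, ${escapeHtml(username)}</h1>\n<input name="email" value="${escapeHtml(email)}">`;
}

// True if the svg tag reached the page unencoded, i.e. the browser will run it.
function payloadSurvives(markup) {
  return markup.includes("<svg");
}

// Hardened signup validation: strict username allow-list. The email still has
// to be encoded on output, because quoted local parts are legal addresses.
function signupAccepts(username, email) {
  return USERNAME_STRICT.test(username) && EMAIL_LOOSE.test(email);
}
```

The point of `stripScriptTags` is that it leaves `<svg/onload=...>` untouched: a deny list of tag names never catches the next tag or event handler, while encoding at the output boundary handles every payload the same way.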

4. No Rate Limit at Signup Page.

A rate-limiting algorithm decides whether a session (or IP address, or another client key) has to be throttled based on how many requests that key has made recently. Testing the signup page for rate limiting is always worthwhile.

The impact is easy to explain: without rate limiting on signup, a malicious user can create hundreds of thousands of fake accounts, filling the application database with junk, driving up transactional email costs, and enabling spam or abuse of free-tier resources, all of which hurt the business.

You can test for it with Burp Intruder:

  1. Capture the signup request and send it to Intruder.

  2. Mark the email field as the payload position and load a list of different email addresses as payloads.

  3. Start the attack and check whether every request still returns 200 OK (or whatever the normal success response is) instead of a 429, a CAPTCHA or an error after the first few.
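The Intruder run as a simulation, with and without a limiter. This is an added example, not code from HowToHunt or from Burp: `SignupEndpoint` is a constructed stand-in for POST /signup, the sliding-window limiter is a generic implementation keyed on client IP, and the fake clock exists so the demonstration is deterministic.

```python
import time
from collections import defaultdict, deque


class FakeClock:
    """Deterministic clock so the demonstration runs the same way every time."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SlidingWindowLimiter:
    """At most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self.hits[key]
        while q and q[0] <= now - self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class SignupEndpoint:
    """Constructed stand-in for POST /signup, returning an HTTP status code."""

    def __init__(self, limiter=None):
        self.limiter = limiter
        self.accounts = set()

    def post(self, client_ip: str, email: str) -> int:
        if self.limiter is not None and not self.limiter.allow(client_ip):
            return 429
        if email in self.accounts:
            return 409
        self.accounts.add(email)
        return 200


def intruder_run(endpoint: SignupEndpoint, count: int = 200, start: int = 0,
                 client_ip: str = "198.51.100.7") -> dict:
    """Replays the Burp Intruder test: the same request, a different email each time."""
    statuses = [endpoint.post(client_ip, f"user{start + i}@example.test") for i in range(count)]
    return {"created": statuses.count(200), "throttled": statuses.count(429)}


if __name__ == "__main__":
    print("no limiter:", intruder_run(SignupEndpoint()))
    clock = FakeClock()
    limited = SignupEndpoint(SlidingWindowLimiter(limit=5, window=60, clock=clock))
    print("5 per minute:", intruder_run(limited))
    clock.advance(61)
    print("after the window:", intruder_run(limited, count=10, start=1000))
```

Keying only on the source IP is the weakest useful choice: it breaks for users behind NAT and is trivial to evade if the application trusts an `X-Forwarded-For` header. Production limiters usually combine an IP bucket with a per-email-domain bucket and a CAPTCHA after the first few failures.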

5. Insufficient Email Verification.

Insufficient email verification means the application either does not verify the email address at all or the verification mechanism is weak enough to bypass. Some common ways to bypass it:

  1. Forced browsing: navigate directly to pages that are only supposed to be reachable after the email has been verified.

  2. Response or status-code manipulation: intercept the server response and change a failure (a 403, or a "verified": false body) to a success, then see whether the client proceeds.

  3. There are many more techniques; a search for email verification bypass write-ups turns up plenty.

Email verification bypass after signup:-

1. Sign up on the web application as attacker@mail.com.
2. You will receive a confirmation email at attacker@mail.com; do not open the link yet.
3. The application may ask you to confirm your email; check whether it still lets you navigate to the account settings page.
4. On the settings page, check whether you can change the email address.
5. If so, change it to victim@mail.com.
6. You will now be asked to confirm victim@mail.com via a link sent to that inbox. Instead of opening that new link, go to the attacker@mail.com inbox and open the earlier link.
7. If the application marks victim@mail.com as verified using the link that was sent to the attacker's address, the token is bound to the account rather than to the address it was issued for, and this is an email verification bypass.
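Steps 1 to 7 above, replayed against two constructed verifiers. This is an added example, not code from HowToHunt or from any real application: the vulnerable verifier stores a random token that names only the account, the hardened one makes the token an HMAC over the account, the pending address and a per-issue nonce, so a link can only ever confirm the address it was mailed to. The signing key, the user-id format (no dots) and the lack of an expiry are assumptions to keep the example short.

```python
import hashlib
import hmac
import secrets

SIGNING_KEY = secrets.token_bytes(32)  # assumed server-side secret


class VulnerableVerifier:
    """The token identifies only the account. Whatever address is pending when
    the link is opened gets marked verified, so a link mailed to
    attacker@mail.com can confirm victim@mail.com."""

    def __init__(self):
        self.users = {}   # user_id -> {"email": str, "verified": bool}
        self.tokens = {}  # token -> user_id

    def _issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user_id
        return token

    def signup(self, user_id: str, email: str) -> str:
        self.users[user_id] = {"email": email, "verified": False}
        return self._issue(user_id)

    def change_email(self, user_id: str, new_email: str) -> str:
        self.users[user_id].update(email=new_email, verified=False)
        return self._issue(user_id)  # earlier tokens are never revoked

    def confirm(self, token: str) -> bool:
        user_id = self.tokens.pop(token, None)
        if user_id is None:
            return False
        self.users[user_id]["verified"] = True
        return True


class HardenedVerifier:
    """The token is an HMAC over (user_id, pending email, per-issue nonce). It
    verifies only the exact address it was issued for, and changing the address
    rotates the nonce so every earlier link is dead. User ids must not contain
    a dot (assumption) because the token is "<user_id>.<mac>"."""

    def __init__(self):
        self.users = {}  # user_id -> {"email", "verified", "nonce"}

    def _mac(self, user_id: str, email: str, nonce: str) -> str:
        msg = "\x00".join((user_id, email, nonce)).encode("utf-8")
        return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

    def _token(self, user_id: str) -> str:
        u = self.users[user_id]
        return f"{user_id}.{self._mac(user_id, u['email'], u['nonce'])}"

    def signup(self, user_id: str, email: str) -> str:
        self.users[user_id] = {"email": email, "verified": False, "nonce": secrets.token_hex(8)}
        return self._token(user_id)

    def change_email(self, user_id: str, new_email: str) -> str:
        self.users[user_id].update(email=new_email, verified=False, nonce=secrets.token_hex(8))
        return self._token(user_id)

    def confirm(self, token: str) -> bool:
        user_id, _, mac = token.partition(".")
        u = self.users.get(user_id)
        if u is None or u["verified"] or not mac.isascii():
            return False
        expected = self._mac(user_id, u["email"], u["nonce"])
        if not hmac.compare_digest(mac, expected):
            return False
        u["verified"] = True
        return True


def replay_bypass(verifier) -> dict:
    """Steps 1 to 7 from the section above against either verifier."""
    old_link = verifier.signup("u1", "attacker@mail.com")  # steps 1-2: link received, not opened
    verifier.change_email("u1", "victim@mail.com")         # steps 3-5: switch the address
    accepted = verifier.confirm(old_link)                   # step 6: open the old link
    user = verifier.users["u1"]
    return {"old_link_accepted": accepted,
            "verified_address": user["email"] if user["verified"] else None}
```

A database-backed version would store the nonce and an expiry alongside the pending address and compare the token's MAC against the row's current values; binding the token to the address is the part that closes this bypass, the nonce is what makes the link single-use.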

6. Path Overwrite

If an application serves user profiles at a direct path of the form /{username}, always try signing up with names that collide with the application's own routes or files, such as index.php, signup.php, login.php and so on. In some cases, after signing up with the username index.php, visiting target.tld/index.php shows your profile instead of the application's index page: the profile route has shadowed it. Likewise, if an attacker can sign up with the username login.php, the login page itself can be taken over, which is a phishing page hosted on the target's own domain.

Further Read: https://infosecwriteups.com/logical-flaw-resulting-path-hijacking-dd4d1e1e832f
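The collision above in a constructed router, beside the two fixes that close it (a reserved-name check at signup and route ordering that never lets a profile shadow an application path). This is an added example, not code from HowToHunt or from the linked write-up; the route list, the reserved list and the `/u/` profile prefix are assumptions.

```python
import re

# Constructed list of paths the application itself serves (assumption).
APP_ROUTES = {"index.php", "login.php", "signup.php", "logout.php", "admin", "api", "static"}

# Names that must never become profile paths: the app's own routes plus a few
# that confuse users or tooling even if no route exists for them today.
RESERVED = APP_ROUTES | {"www", "root", "support", "help", "robots.txt", "sitemap.xml"}

# Allow-list for usernames: no dots, so nothing that looks like a file name.
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{2,31}$")


def username_allowed(name: str) -> bool:
    """Signup-time check: allow-listed characters and not on the reserved list.
    Lower-cased first so Login.php cannot sidestep the list on a server whose
    file system or router is case-insensitive."""
    n = name.lower()
    return bool(USERNAME_RE.match(n)) and n not in RESERVED


class VulnerableRouter:
    """Consults profiles first, so a user named index.php shadows the real page."""

    def __init__(self, usernames):
        self.usernames = {u.lower() for u in usernames}

    def resolve(self, path: str):
        seg = path.strip("/").lower()
        if seg in self.usernames:
            return ("profile", seg)
        if seg in APP_ROUTES:
            return ("page", seg)
        return ("404", seg)


class HardenedRouter:
    """Application routes win, and profiles live under /u/ so they cannot collide
    with anything at the root, whatever a user managed to register."""

    def __init__(self, usernames):
        self.usernames = {u.lower() for u in usernames}

    def resolve(self, path: str):
        seg = path.strip("/").lower()
        if seg in APP_ROUTES:
            return ("page", seg)
        if seg.startswith("u/") and seg[2:] in self.usernames:
            return ("profile", seg[2:])
        return ("404", seg)


if __name__ == "__main__":
    users = ["alice", "index.php", "login.php"]
    for path in ("/index.php", "/login.php", "/alice", "/u/alice"):
        print(path, VulnerableRouter(users).resolve(path), HardenedRouter(users).resolve(path))
```

Both fixes are needed: the reserved list stops new collisions at signup, but accounts created before the list existed still resolve, so the router must also put its own paths first (or move profiles under a prefix, as here).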

Thanks for reading. Suggestions are always welcome!

Sources:-

  • https://twitter.com/kushagrasarathe/status/1385111472385060867?s=19

Further Read (HackerOne reports linked from the sections above):

  • https://hackerone.com/reports/223854
  • https://hackerone.com/reports/196989
  • https://hackerone.com/reports/470206
  • https://hackerone.com/reports/119090
  • https://hackerone.com/reports/905692
  • https://hackerone.com/reports/97609
  • https://hackerone.com/reports/262830
  • https://hackerone.com/reports/1040047
  • https://hackerone.com/reports/617896
  • https://hackerone.com/reports/737169

Author:-

  • @Kushagra Sarathe - Twitter & GitHub
  • @Sm4rty - Twitter, LinkedIn & Instagram