πŸ•΅
πŸ•΅
πŸ•΅
πŸ•΅
HowToHunt
Search…
πŸ•΅
πŸ•΅
πŸ•΅
πŸ•΅
HowToHunt
HowToHunt.md
Account Takeover Methodology
Account Takeover Methodology
Application Level DoS
Application Level DoS Methods
Authentication Bypass
2FA Bypasses
OTP Bypass
Broken-Link Hijacking
Broken-Link Hijacking
Broken Auth And Session Management
Session Based Bugs
CMS
Wordpress
Moodle
CORS
CORS
CORS Bypasses
CSRF
CSRF
CSRF Bypass
Finding CVEs
CVES
CheckList
Web Application Pentesting Checklist
Web Checklist by Chintan Gurjar.pdf
Mindmap by Rohit Gautam
Mindmap by Cristian Cornea
Web Page Source Code Review
Web Page Code Review Tips
EXIF Geo Data Not Stripped
EXIF Geo Data Not Stripped
File Upload Bypass
File Upload Bypass
Find Origin IP
Find Origin
GraphQL
GraphQL
HTTP Desync Attack
HTTP_Desync
Host-Header Attack
Host-Header
HTML-Injection
HTML-Injection
IDOR
IDOR
JWT ATTACK
JWT
MFA Bypass
MFA Bypasses
2FA-Bypass
Misconfigurations
Default Credential And Admin Panel
OAuth
OAuth
Open Redirection
Find OpenRedirect Trick
Open Redirection Bypass
Parameter Pollution
Parameter Pollution In Social Sharing Buttons
Password Reset Functionality
MindMap
Password Reset Token Leakage
Account_Takeover_By_Password_Reset_Functionality
Rate Limit
Rate-Limit Bypass
Recon
Recon Workflow
Subdomain Enumeration
SQLi
SQL Injection.md
SSRF
SSRF
Blind SSRF
SSTI
SSTI
Sign Up Functionality
Sign Up Bugs
Sign Up MindMap
Sensitive Info Leaks
Github Recon Method
Github-Dorks
Github Dorks All
Google Dorks
Shodan CVE Dorks
Status Code Bypass
Status_Code_Bypass Tips
403 Bypass
Subdomain Takeover
Subdomain Takeover - Detail Method
Subdomain Takeover - Easy Method
Tabnabbing
Tabnabbing
WAF Bypasses
WAF Bypass Using Headers
Weak Password Policy
Weak Password Policy
XSS
XSS
Automated XSS
XXE
XXE Methods
Powered By GitBook
Sign Up Bugs

Implementing the Sign Up Feature:

We will take the example of a School Website(school.org) to learn the implementation of Sign Up Feature: In this Example, The Students need to register to school.org for accessing their Academic educational resource. Users of school.org must have the ability to register as a member thus gaining access to the content of the site.
So, The Signup process can be implemented by school in two ways:
  1. 1.
    Manual Signupβ€Šβ€”β€ŠRegistration based on user providing a series of specific user information. It usually includes form like name, email, password, confirm password, etc. as shown in image below.
  2. 2.
    Social Signup /OAuthβ€” Registration via an integrated social media source via social media platform like Facebook, Twitter, or Google, the user can sign into a third party website instead of creating a new account specifically for that website.
In this Blog I will be talking about Bugs in Manual Sign up. Lets have Social Signup/ OAuth for our next blog topic.

Exploiting Signup Feature:

1. Duplicate registration / Overwrite existing user.
Duplicate registration is when an application allows us to register or sign up with the same email address, username or phone number. It can have critical consequences based on what kind of attack is performed.
Steps to reproduce:
  1. 1.
    Create first account in application with email say [email protected] and password.
  2. 2.
    Logout of the account and create another account with same email and different password.
  3. 3.
    You can even try to change email case in some case like from [email protected] to [email protected]​
  4. 4.
    Finish the creation processβ€Šβ€”β€Šand see that it succeeds
  5. 5.
    Now go back and try to login with email and the new password. You are successfully logged in.
2. DOS at Name/Password field in Signup Page.
By sending a very long string (100000 characters) it’s possible to cause a denial a service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually this problem is caused by a vulnerable string hashing implementation. When a long string is sent, the string hashing process will result in CPU and memory exhaustion.
Steps to reproduce:
  1. 1.
    Go Sign up form.
  2. 2.
    Fill the form and enter a long string in password
  3. 3.
    Click on enter and you’ll get 500 Internal Server error if it is vulnerable.
3. Cross-Site Scripting (XSS) in username, account name for registration.
Cross-site Scripting (XSS) is a security vulnerability usually found in websites and/or web applications that accept user input. This injects the malicious code into the targeted website’s content, making it a part of the website and thus allowing it to affect victims who may visit or view that website.
Now, for testing Signup page for XSS we can simply insert XSS payoad in fields like: username, email, password,etc.
Payload for Username field : <svg/onload=confirm(1)> Payload for Email field : β€œ><svg/onload=confirm(1)>”@x.y
4. No Rate Limit at Signup Page.
A rate limiting algorithm is used to check if the user session (or IP address) has to be limited based on the information in the session cache. Testing for Rate limit at Signup page is quite a good idea.
The Impact can be explained very well. If there is no rate limiting on signup page a malicious users can generate hundreds and thousands of fake accounts that lead to fill the application DataBase with fake accounts, Which can impact the business in many ways.
You can easily test for it with Burp Intruder. 1. Capture the signup request and send it to Intruder. 2. Add different emails as payload . 3. Fire up Intruder, And check whether it returns 200 OK.
5. Insufficient Email Verification.
Insufficient Email Verification means the application doesn’t verify the email id or the verification mechanism is too weak to be bypassed. You can easily Bypass Email Verification with some of the following common methods like:
  1. 1.
    Forced Browsing. (directly navigating to files which comes after verifying the email)
  2. 2.
    Response or Status Code Manipulation. (Replacing the bad response status like 403 to 200 can be useful)
  3. 3.
    There are much more ways of bypassing . Tip: Just google it.
Email verification bypass after signup:-
1. Sing up on the web application as [email protected]
2. You will receive a confirmation email on [email protected], do not open that link now.
3. The application may ask for confirming your email, check if it allows navigating to account settings page.
4. On settings page check if you can change the email.
5. If allowed, change the email to [email protected]
6. Now you will be asked to confirm [email protected] by opening the confirmation link received on [email protected], insted of opening the new link go to [email protected] inbox and open the previous received link.
7. If the application verifies [email protected] by using perivious verification link received on attacker mail, then this is a email verification bypass.
6. Path Overwrite
If an application allows users to check their profile with direct path /{username} always try to signup with system reserved file names, such as index.php, signup.php, login.php, etc. In some cases what happens here is, when you signup with username: index.php, now upon visiting target.tld/index.php, your profile will comeup and occupy the index.php page of an application. Similarly, if an attacker is able to signup with username login.php, Imagine login page getting takeovered.
Further Read: https://infosecwriteups.com/logical-flaw-resulting-path-hijacking-dd4d1e1e832f
Thanks for Reading. Any Suggestions are always welcomed!!

Sources:-

  • https://twitter.com/kushagrasarathe/status/1385111472385060867?s=19

Author:-

SSTI - Previous
SSTI
Next - Sign Up Functionality
Sign Up MindMap
Last modified 8mo ago
Copy link
Outline
Sources:-
Author:-