Hey, What’s Up Fellow Hackers, hope you are staying safe and utilizing this (WFH or Online Classes) time to increase your knowledge. So today I am going to share another interesting finding in which I was able to bypass email verification. The target was a crowdfunding-based program that didn’t have a bug bounty program, but I still chose it to practice and test my skills. So we will refer to it as redacted.com. So are you ready? Let’s begin.
The target had only a single domain and no subdomains, so I chose to test all the functionality on the main domain. It had a normal sign-up, email verification and login system and, as usual, I played with all of them but found nothing juicy. After a while I found some open redirects, stored XSS through profile picture upload (the EXIF thing) and some other low-hanging fruits.
But email verification was the thing I wanted to play with, and I wanted to bypass it somehow. So while testing I navigated to the dashboard, then to the edit profile section, and checked whether there was any option to change the email. Unfortunately there was no such option; I could only change details like name, address, website link, etc.
So I decided to test the flow: I captured the request in Burp after changing my name and it looked as below.
Are you thinking the same as I was? To save my name it was stored in the name param, and what about email? It was hidden … No problem!!
I noticed 317096… which was the authenticity token used after every parameter, so I just added something into the request to change the email (a hidden parameter) to [email protected] and the request looked like below.
Forwarded the request and Boom Boom!!!
Then to verify that it was successful I just logged out and logged in with the new [email protected] mail id and the same password, and I was logged in successfully.
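To show where this bug lives on the server side, here is an added Python example (not the post’s code; the handler and field names are assumed): a profile-update handler that writes every submitted parameter, beside a hardened one that only allowlists the editable fields and parks an email change until the emailed token is confirmed.

```python
# Added example (not from the original post): mass assignment in a profile
# update vs. an allowlisted update that re-verifies any email change.
import secrets
from dataclasses import dataclass
from typing import Optional

# Fields a user may change directly from the "edit profile" form (assumed names).
EDITABLE_FIELDS = {"name", "address", "website"}


@dataclass
class User:
    name: str
    email: str
    email_verified: bool = True
    address: str = ""
    website: str = ""
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


def update_profile_vulnerable(user: User, form: dict) -> None:
    """Mass assignment: every parameter in the body is written to the account,
    so a hidden 'email' parameter changes the login address with no verification."""
    for key, value in form.items():
        if hasattr(user, key):
            setattr(user, key, value)


def update_profile_hardened(user: User, form: dict) -> list:
    """Only allowlisted fields are written. An 'email' value is not applied;
    it is stored as pending and a one-time token is issued for confirmation.
    Unknown parameters are returned so the caller can log them (a useful
    detection signal for tampering with the request)."""
    ignored = []
    for key, value in form.items():
        if key in EDITABLE_FIELDS:
            setattr(user, key, value)
        elif key == "email" and value != user.email:
            user.pending_email = value
            user.pending_token = secrets.token_urlsafe(32)
            # send_verification_mail(value, user.pending_token)  # out of band
        else:
            ignored.append(key)
    return ignored


def confirm_email(user: User, token: str) -> bool:
    """Applies the pending address only when the emailed token matches."""
    if user.pending_token is None or not secrets.compare_digest(token, user.pending_token):
        return False
    user.email, user.pending_email, user.pending_token = user.pending_email, None, None
    return True
```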
I know you will say I could have tried for account takeover by changing the mail to a victim’s mail that was already registered, but that didn’t work on this target. But I suggest you make two test accounts and try the same; maybe it succeeds on your target, and if yes, $$$ :)
So that was all for today, I hope you got some useful knowledge. If yes, don’t forget to give a clap and connect with me on Twitter (DMs are always open).
Signing Off!!! Peace