Email Verification Bypass

Email injections

"><svg/onload=confirm(1)>"@x.y

How I Discovered an Email Verification BypassMedium

No email verification + SSO = Pre Account Takeover

First manually creating an account using the target's email address.

Later if the target goes to create an account or login using SSO they will be linked to the same account.

You will be able to access the target account via the credentials you set up earlier .

Alter response

• Register an account - Login with this account and intercept the success login response

• Register a victim account - it will prompt to a 2FA code but we don't have access to that email

• Go back to login with the email

• Capture the login request - Alter the response to success response

https://www.youtube.com/watch?v=0EokCi3V3e0www.youtube.com

Race Condition

Intercept change email request and send it to repeater

Send the request at least 2 times so send it to the repeater again

Repeater 1

Repeater 2

Create group to be able to send the two requests in the same time

Send group in parallel

Email verification bypass due to race condition.Medium

Remove the Token

Modify the email parameter from attacker@gmail.com to a different email address (for this example, victim@gmail.com)

https://app.example.me/signup/activation?token=c6dc625e-5b5a-4627-b39c-98e0dfcbc22f&source=trial&email=victim@gmail.com&chkNR=false

Intercept the request

{
  "firstName": "Attacker",
  "lastName": "Smith",
  "email": "victim@gmail.com",
  "password": "strongpassword123",
  "token": "c6dc625e-5b5a-4627-b39c-98e0dfcbc22f"
}

Remove the token

{
  "firstName": "Attacker",
  "lastName": "Smith",
  "email": "victim@gmail.com",
  "password": "strongpassword123",
}

How I Discovered an Email Verification BypassMedium

GraphQL Request

[{"operationName":"solutionsResendEmailVerification","variables":{"input":{"entityId":"511","status":"PENDING","requestReferrer":"SOLUTIONS_CREATE"}},"query":"mutation solutionsResendEmailVerification($input: ResendEmailInput!) {\n resendEmailVerification(input: $input) {\n success\n __typename\n }\n}\n"}]

Change STATUS to “VERIFIED,” refresh the page, and gain access to the solutions without verifying the address

1200 $ Email verification Bypass from P4 TO P2Medium

Broken Authentication

https://medium.com/@TariqullslamHridoy/broken-authentication-to-email-verification-bypass-p4-12b9a42a54d5medium.com

Earn Free Crypto / BTC with Cointiply

Play Games Earn Cash Rewards

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more

• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them

• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.