Easy 300$ via response manipulation leads to bypassing the email verification :)

Muhammad Elgllad
May 29, 2023


Hey guys, I hope you are doing well. I’m Muhammad Elgllad. Welcome to my first writeup ♥

Summary:
Ability to bypass email confirmation and get into the dashboard directly without verifying the email.

Vulnerability Type: Business Logic Errors
Severity: Medium
Bounty: 300$

Description
This is a small story about one of my findings, an easy one :)!!
First, let’s look at what business logic errors are, to fully understand how this weakness and other attacks happen.

Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal. These flaws are generally the result of failing to anticipate unusual application states that may occur and, consequently, failing to handle them safely.

So let's start. I can’t disclose any information about the target yet because the report is not disclosed, but we can call it redacted.com

Let’s Start

When testing the application registration process and trying to create an account, I saw JSON data. The first thing that came to my mind was “Response Manipulation”.

The Registration Request

Let’s look at the response to see if it contains any data we can manipulate to achieve a malicious goal.

The Response

As we can see, the response has a parameter named email_verified:false. Let’s try to change it to email_verified:true and see if the server will accept our manipulated response :)

Guess what….

$$$

And now my email is confirmed!! I am now able to access my dashboard directly without any problem with confirmation.

Steps to reproduce:
1- Click sign up with email and enter your email and password
2- Intercept the request ==> response to this request
3- Change “email_verified”:false, ==> “email_verified”:true,
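From the defender's side, the steps above only work when nothing behind the response enforces the flag. The sketch below is an added example, not the target's code: every function name, the in-memory store and the sample token are hypothetical, and it assumes the dashboard relied on the value the client received rather than on stored state.

```javascript
// Added example; every name here is hypothetical, not the target's code.
// The user store is the only source of truth for verification state.
const users = new Map(); // constructed in-memory store for the demo

function register(email, token) {
  // token: one-time value mailed to the user (generation not shown)
  users.set(email, { emailVerified: false, pendingToken: token });
  // The flag in the response body is informational only.
  return { email, email_verified: false };
}

// Client-side gate: it only sees the response body, which can be rewritten
// between server and browser, so it is not a security control.
function clientAllowsDashboard(response) {
  return response.email_verified === true;
}

// Flawed endpoint: authenticates the session but never checks the flag.
function dashboardFlawed(sessionEmail) {
  return users.has(sessionEmail) ? 200 : 401;
}

// Hardened endpoint: re-reads the stored state on every request.
function dashboardHardened(sessionEmail) {
  const user = users.get(sessionEmail);
  if (!user) return 401;
  return user.emailVerified ? 200 : 403;
}

// Only the mailed token flips the stored flag, and it works once.
function confirmEmail(email, token) {
  const user = users.get(email);
  if (!user || user.pendingToken === null || user.pendingToken !== token) return false;
  user.emailVerified = true;
  user.pendingToken = null;
  return true;
}

function demo() {
  const email = 'user@example.test'; // constructed sample account
  const response = register(email, 'constructed-token');
  const edited = { ...response, email_verified: true }; // changed in transit
  return {
    clientFooled: clientAllowsDashboard(edited),             // true
    flawed: dashboardFlawed(email),                          // 200
    hardenedBefore: dashboardHardened(email),                // 403
    confirmed: confirmEmail(email, 'constructed-token'),     // true
    hardenedAfter: dashboardHardened(email),                 // 200
  };
}
```

With the hardened endpoint, the edited response changes only what the browser displays; the server keeps answering 403 until the mailed token has been redeemed.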

TIPS:
- Always try to look at the response in any registration process containing JSON data; we can change privilege, role, email verify, etc.

Thanks for reading. I will be posting more writeups and bug bounty tips here and on my LinkedIn: https://www.linkedin.com/in/muhammad-elgllad/
