Hello everyone, I hope all is okay with you.
Many websites have sign-up pages that are restricted to employees, but sometimes you can bypass that restriction and log in as an anonymous user. In this article, I’ll discuss several techniques that may be useful to you, along with a real-life scenario.
I began with wur.nl, a public program for Wageningen University, after gathering subdomains and taking screenshots with the Aquatone tool.
I discovered a target that I was interested in, so let’s go to work on it.
Usually, when I begin working on a target, the first thing I do is sign up for a fake account and browse the target to understand its functionality so I can work on it.
Unfortunately, registration was only allowed for WUR email addresses.
1] If you register with a target email address, an activation code might not be sent. Try doing the following:
2] Response manipulation during the registration process
Response manipulation: a technique used to make the target display UI elements it shouldn’t. It can be used to find new endpoints and buttons, and to trigger new requests. Sometimes you can also bypass password restrictions or OTPs.
For example, if I find something like status:false in a response, I change it to status:true, and so on.
3] Parameter pollution technique, for example:
Try doing the following:
a] Adding parameters with the same key:value pair, like
b] Adding parameters with incremental key:value pairs, like
4] Sometimes a list of values for the email parameter can be added to bypass the check, like this:
email=[‘[email protected]’, ‘[email protected]’]
HTTP Parameter Pollution (HPP): a web attack evasion technique that allows an attacker to craft an HTTP request in order to manipulate or retrieve hidden information. You can try this technique in many places, such as password change, 2FA, comments, profile photo upload, a parameter where an API key is passed, OTP, etc.
How a manipulated parameter is interpreted depends on how each web technology parses its parameters. For further details about parsing, see https://book.hacktricks.xyz/pentesting-web/parameter-pollution.
5] Playing with the value itself. Sometimes developers write code with a weak regex that can be bypassed in a variety of ways, like the following.
Regex: a sequence of characters that specifies a search pattern in text. Such patterns are usually used by string-searching algorithms for “find” or “find and replace” operations on strings, or for input validation, for example email validation. For further details about regex, see https://regexr.com/.
[email protected]@attacker.com
OR
[email protected]@target.com
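As an added example (not code from the post or from the target), here is a Python sketch of a WUR-style email check in the weak, unanchored form the post describes, next to a hardened version that also rejects the duplicate-key and list-value variants from items 3 and 4. The `wur.nl` domain is the one named in the post; the function names and the request bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Domain the registration form is meant to accept (wur.nl, from the write-up).
ALLOWED_DOMAIN = "wur.nl"

# Weak check in the style the post describes: an unanchored pattern that only
# requires "@wur.nl" to appear somewhere after the start of the string.
WEAK_PATTERN = re.compile(r".*@" + re.escape(ALLOWED_DOMAIN))

# Hardened check: whole-string match with a restricted local part.
STRICT_PATTERN = re.compile(r"[A-Za-z0-9._%+-]{1,64}@" + re.escape(ALLOWED_DOMAIN))


def weak_check(email: str) -> bool:
    """Unanchored match: accepts 'user@wur.nl@attacker.com' and 'x@attacker.com@wur.nl'."""
    return WEAK_PATTERN.match(email) is not None


def strict_check(email: str) -> bool:
    """Exactly one '@', fullmatch on the whole value, domain compared case-insensitively."""
    if email.count("@") != 1:
        return False
    local, domain = email.split("@")
    return STRICT_PATTERN.fullmatch(f"{local}@{domain.lower()}") is not None


def email_from_body(body: str):
    """Return the single 'email' value from a form body, or None when the
    request is ambiguous (duplicate keys, array-style keys, list literals)."""
    params = parse_qs(body, keep_blank_values=True)
    # Reject array-style variants such as email[]=... or email[0]=...
    if any(k != "email" and k.startswith("email") for k in params):
        return None
    values = params.get("email", [])
    # Exactly one value: a duplicated key is rejected, not resolved first/last-wins.
    if len(values) != 1:
        return None
    value = values[0]  # deliberately not stripped: trailing newline must fail
    # A bracketed or comma-separated list literal is not a single address.
    if value.startswith("[") or "," in value:
        return None
    return value


def registration_allowed(body: str) -> bool:
    """Full decision for one registration request body (constructed helper)."""
    email = email_from_body(body)
    return email is not None and strict_check(email)
```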
Other techniques:
OR
## I started with this
It’s working, and I was able to log in :)
After logging in, I saw that I needed to activate my account in order to use all the features. The website offers a button to do this, so I used a Burp Collaborator payload to check whether I would receive an interaction or not, which is why I’m writing about this in the registration section.
And I got this