Business logic allows any user to be blocked from creating an account
A tester found, while testing, a business logic flaw that lets a user block others from creating accounts. Exploiting it, they changed the profile email to an unverified address, after which attempts to register that address triggered the error "Email already exists". After failing to reset the password, they submitted a report, received feedback within 2 hours, but the issue was ultimately marked as a duplicate. 2025-6-8 05:41:4 Author: infosecwriteups.com

JEETPAL

Hello

Today, I will share with you how a business logic flaw allowed me to block any user from creating an account.

The testing started with one of the programs; I decided to hunt there and started with some recon and subdomain enumeration.

While Subfinder was finishing, I decided to hunt on the main target.com. I started Burp Suite and scrolled through the whole site. I tested for a few vulnerabilities like SQLi and ATO, but still didn't find anything, so I went to the profile page to check whether any vulnerability was there. While checking the site, I found that we can change the email to a new one, and the new email isn't verified at that time. So I put in a random email, tried to create an account with that new email, and got exactly the error you would expect:

Email already exists in the database

I decided to try resetting the password: if I could, I would use the reset link, but here, since the email is not verified, the link is not sent to the user even after several tries. So I decided to report this low-hanging vulnerability, created a report and submitted it, and after submitting it I got a notification in just 2 hours.

It was marked as a duplicate (2 days later) of an issue that is in triaged status.
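To make the flaw concrete, here is an added illustration that is not code from the target or from the author: a minimal in-memory account store (hypothetical names, constructed data) contrasting an email-change flow that reserves an unverified address, which reproduces the blocking behaviour described above, with one that only commits the address after the owner proves control of it, so a pending change never blocks a legitimate registration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


class EmailTaken(Exception):
    """Raised when registration collides with an address already in use."""


@dataclass
class User:
    username: str
    email: str                           # verified address, must be unique
    pending_email: Optional[str] = None  # requested but not yet proven
    pending_token: Optional[str] = None  # single-use token sent by mail


@dataclass
class AccountStore:
    verify_before_commit: bool           # False reproduces the reported flaw
    users: Dict[str, User] = field(default_factory=dict)

    def _email_in_use(self, email: str) -> bool:
        # Only verified addresses count; a pending change must not block others.
        return any(u.email.lower() == email.lower() for u in self.users.values())

    def register(self, username: str, email: str) -> User:
        if self._email_in_use(email):
            raise EmailTaken("Email already exists in the database")
        self.users[username] = User(username, email)
        return self.users[username]

    def change_email(self, username: str, new_email: str) -> Optional[str]:
        user = self.users[username]
        if not self.verify_before_commit:
            user.email = new_email       # flaw: reserved with no proof of control
            return None
        # Hardened: park the address and return the token for the confirmation link.
        user.pending_email = new_email
        user.pending_token = secrets.token_urlsafe(32)
        return user.pending_token

    def confirm_email(self, username: str, token: str) -> bool:
        user = self.users[username]
        if user.pending_token is None or not secrets.compare_digest(user.pending_token, token):
            return False
        if self._email_in_use(user.pending_email):
            user.pending_email = user.pending_token = None
            return False                 # someone registered it legitimately first
        user.email, user.pending_email, user.pending_token = user.pending_email, None, None
        return True
```

Checking uniqueness only against verified addresses is what removes the denial-of-registration primitive; a pending-change expiry and a rate limit on change requests would complete the hardening.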


Article source: https://infosecwriteups.com/business-logic-allows-any-user-to-be-blocked-from-creating-an-account-6a7ab7013ccc?source=rss----7b722bfd1b8d---4