Modern web applications heavily rely on email verification to prevent fake registrations and unauthorized access. On paper, it sounds simple: register, receive a link, verify, and proceed.
In practice, when this flow is implemented poorly, it becomes an easy target.
In this post, I’ll walk you through how I bypassed email verification in a vulnerable application by abusing exposed API endpoints. This is a challenge machine from HackTheBox named NovaEnergy.
Step 1 — Registration Roadblock
I started by visiting the application, which provided basic functionality like user registration and login.
When registering a new account, the application only allowed email addresses from a specific domain: @gonuclear.com
So I created an account using that domain.