Bypass Email Verification

In this post I am going to describe a low-hanging vulnerability that was awarded a $250 reward.

While hunting for vulnerabilities in a private program, I observed that the website had implemented an email verification mechanism. When a user registers an account on the site, he needs to verify that account by entering a 4-digit OTP sent to his registered email ID.

Just seeing this functionality, I thought of brute-forcing the 4-digit OTP, but to my bad luck, the application had implemented rate limiting. I then gave up on this functionality and tried some other attack vectors on the application.

The next day, while having a cup of coffee, an idea struck me: I created a new account with a different email ID and also analyzed the request and response from the previous day.

This time, while registering, I turned the response interceptor on, and to my luck the idea was perfect: there was interesting information in the response.

Request:

POST /registerNewUser HTTP/1.1
Host: www.test.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:61.0) Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.test.comlogin
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 171

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 May 2018 03:21:11 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 54
Connection: close
X-Powered-By: Express
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: -1
Pragma: no-cache
Access-Control-Allow-Origin: *
X-Frame-Options: SAMEORIGIN
ETag: W/"36-aOthr11oDCD1SR16FRVbt9UxdD"
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

{"key":"the verification link","success":1}

Just after seeing the verification link in the response, there was no time to waste: I quickly made a POC, reported the vulnerability, and it was awarded a $250 bounty.
