User name is already exist

Mohamed Ayad
2 min read · Aug 5, 2020


Peace be upon you, and the mercy and blessings of God

Peace upon you everybody,

In this small write-up, I will discuss a bug that allowed me to bypass the weakly implemented CAPTCHA mechanism in a registration form.

[Image: error msg]

TL;DR:

In the sign-up form we enter a username, email and password and solve the CAPTCHA. There are two major problems:

1- The CAPTCHA was only 3 characters long and alphabetic only: no digits, no special characters.

2- Once a user signs up, and before the email is confirmed via the link, the username is stored in the DB permanently.

So with crunch I generated every possible combination of 3 alphabetic characters, which comes to nearly 17500 possibilities, and sent them to Intruder.

Attack scenario:

What if we tried to register with every possible username? We only need about 17500 attempts to bypass the CAPTCHA, and so we can block any future user from registering with the site: "user name already exist".


Steps:

1- Go to the sign-up page, enter dummy data, and send the request to Burp's Intruder tab.

2- With crunch, generate all combinations with a minimum and maximum length of 3 over the alphabetic characters.

3- In Intruder, mark the CAPTCHA parameter as the payload position and paste the crunch output into the payloads section.

4- Hit "start attack" and watch the server's response length.

Once it changes, we have hit the right CAPTCHA and the username was created successfully.
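To show what fixing both problems looks like on the server side, here is an added example (my own constructed code, not the affected site's): a minimal in-memory sign-up service where each CAPTCHA challenge is consumed on its first use and a username is only held while its email confirmation is pending, plus a helper that makes the size of a 3-letter keyspace explicit. Names such as SignupService, PENDING_TTL and keyspace_size are assumptions for this example.

```python
import secrets
import string

# Constructed model of a hardened sign-up flow (example code, not the site's).
# It fixes both problems from the write-up: a CAPTCHA challenge is consumed on
# its first use, and an unconfirmed username is only held for a limited time.
ALPHABET = string.ascii_letters + string.digits   # 62 symbols instead of 26
CAPTCHA_LEN = 6                                   # instead of 3
PENDING_TTL = 24 * 3600                           # seconds a name stays reserved


def keyspace_size(alphabet_size, length):
    """Guesses needed to try every CAPTCHA value (26**3 == 17576)."""
    return alphabet_size ** length


class SignupService:
    def __init__(self):
        self.challenges = {}    # challenge_id -> expected answer
        self.pending = {}       # username -> expiry of the unconfirmed sign-up
        self.confirmed = set()  # usernames whose email link was clicked

    def new_challenge(self):
        """Issue a fresh CAPTCHA; the answer is kept server-side only."""
        cid = secrets.token_urlsafe(16)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(CAPTCHA_LEN))
        self.challenges[cid] = answer
        return cid, answer      # answer returned here only so the demo can use it

    def register(self, username, cid, answer, now):
        # pop(): one challenge gives exactly one guess, right or wrong, so the
        # same challenge id cannot be replayed 17,576 times.
        expected = self.challenges.pop(cid, None)
        if expected is None or not secrets.compare_digest(expected, answer):
            return False
        self._release_expired(now)
        if username in self.confirmed or username in self.pending:
            return False        # "user name already exist"
        self.pending[username] = now + PENDING_TTL
        return True

    def confirm_email(self, username, now):
        self._release_expired(now)
        if username not in self.pending:
            return False        # link expired or never issued
        del self.pending[username]
        self.confirmed.add(username)
        return True

    def _release_expired(self, now):
        # Free usernames whose sign-up was never confirmed in time.
        for name in [n for n, exp in self.pending.items() if exp <= now]:
            del self.pending[name]
```

Calling register() with the real answer but a challenge id that has already been used fails, and a name that was never confirmed becomes available again once PENDING_TTL has elapsed.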

And that's it.

Thank you for reading! I hope you enjoyed it.

You can find me on Twitter: @0xMohamed_Ayad

and also on LinkedIn: @0xmh3yad
