Easy $$$ via API params manipulation leading to bypassing the email verification block

Fares Walid (SirBugs)
Mar 18, 2023

Hi Boyzz, Hope you are doing well today !! ❤
The talk today is about 1 of my last findings !!
Where I manipulated the API parameters to control the response of the server to me !!
Since I am not permitted to disclose any information about the website yet, and the report is not disclosed cuz It’s a priv8 program .. We are gonna call the website: target.com

First of all .. On the signup request/endpoint in our affected API, I see here in the sign-up request some parameters normally signing me up !!

POST /endpoints/users/register HTTP/2
Host: dashboard.target.com
Cookie: xXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: application/json
Referer: https://dashboard.target.com/register?_gl=1*1exXxXxXxXxXxXxXx
Content-Type: application/json
Content-Length: 765
Origin: https://dashboard.target.com

{"email_address":"xXxXxXxXx@yopmail.com","password":"xXxXxXxXxXx","is_trial":true,"ga_client_id":"1571714364.1679015602","ga_document_referrer":"https://www.target.com/","grecaptcha_token":"03AFY_a8VcsIMfvamIr5EgfVHmkeTGDKTlYRLtjFvQ4v2pf5Bb46sS_V2K1fip9gfaqluHmhCBwdGtnThqLgeT-hRu4_8GV39AzUbFKWvStLJNKDdvNRpp1rewGNapK3eOAp_vT5Xv4CYdYsopUpJioeWf4CZDIvw4E58iuYzbKV-fXXEv7ixKAylIGagvipfD5Pf-Ee_4yPLgZJylbEOxdpN-IblC2KvdK404uNo7WK8WwenBL8vVn5rpnqLqBQIJ16qMkfETixC_QKchU8YIreTuUXnnBsMp4bn1-n-Dpn2O-9IfFswxa1ZjK_qLB0gpy-BcYpjJqpfvbsMCEHOMFZMCRdlB4YMnajM4rYu8cCB_gnTajdoUso6Am3T8YThj9aYjGUEP8e0jyaBWYLqMBMbgGRXkIss6FXMRk7-oFi80in4PiacEV7bvZHSimIotTlEjk0Ou6fZ1uxy_sBVYTqPMiqLRAgJlh-SrGHkix55wIGtbVkLSZaLnBF6RuywfwSOHg"}

But what actually got my looks, is the response here .. Cuz it was:

Now I thought: what if I can manipulate the parameter called email_verified? I may be able to change its value to true when sending the request itself.

I quickly intercepted the request and added “email_verified”:true in the POST data while signing up.

Now guess what .. It worked totally fine !!

My email is confirmed even though I didn’t activate it or click the activation link !!

As we know, when we are asked for a verification we face a page saying “please verify to continue or something like this blablabla”

But my dashboard is now on and everything is working fine !!
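The server-side cause is not shown in this write-up; the behaviour is consistent with mass assignment, where the signup handler copies client JSON keys onto the user record. The sketch below is an added example, not the target's code and not from the author: it puts such a handler beside an allowlisted one. The function names, the field grouping and the sample body are assumptions; only the field names come from the request above.

```python
# Added illustration: hypothetical handlers, not the affected site's code.
# Assumption: the server builds the user record from the signup JSON body.

# Profile fields a client may set at registration (names from the request above).
CLIENT_SETTABLE = {"email_address", "is_trial"}
# Consumed by other layers (password hashing, captcha check, analytics) and
# never copied onto the user record.
HANDLED_ELSEWHERE = {"password", "ga_client_id", "ga_document_referrer",
                     "grecaptcha_token"}


class UnexpectedField(ValueError):
    """Raised when the body carries a key the client is not allowed to send."""


def register_vulnerable(body: dict) -> dict:
    """Server default first, then every remaining client key copied over it."""
    user = {"email_verified": False}
    user.update({k: v for k, v in body.items() if k not in HANDLED_ELSEWHERE})
    return user


def register_hardened(body: dict) -> dict:
    """Copy only allowlisted keys; reject anything else so probes are visible."""
    extra = set(body) - CLIENT_SETTABLE - HANDLED_ELSEWHERE
    if extra:
        # A real handler would answer HTTP 400 and log the attempt: a client
        # sending email_verified is a strong tampering signal.
        raise UnexpectedField(f"unexpected fields: {sorted(extra)}")
    user = {k: body[k] for k in CLIENT_SETTABLE if k in body}
    # Server-owned state is written last and only by server code.
    user["email_verified"] = False
    return user


# Constructed sample body mirroring the tampered request described above.
TAMPERED = {
    "email_address": "someone@example.com",
    "password": "constructed-password",
    "is_trial": True,
    "email_verified": True,
}

if __name__ == "__main__":
    print("vulnerable:", register_vulnerable(TAMPERED)["email_verified"])
    try:
        register_hardened(TAMPERED)
    except UnexpectedField as exc:
        print("hardened rejected:", exc)
```

With the allowlist in place, email_verified can only change through the server's own verification-link handler.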

Submitted as Medium, Changed as low Severity.
But anyway I enjoyed it and of course I got a small bounty alhamdulillah ❤

Thank you all for reading and for your time ❤ I wish you had some fun with me and liked this write-up inshallah ❤
as soon as I get something interesting to write about it, I am gonna share it too :D

Have fun and keep digging ❤
My Twitter

Follow me on my github, Recently I am making and posting some new tools that I am making that could really help you guys ❤
My Github
