hacktricks/pentesting-web/registration-vulnerabilities.md
2021-06-27 14:55:59 +00:00

1.2 KiB

Registration Vulnerabilities

Takeover

Duplicate Registration

  • Try to generate using an existing username
  • Check varying the email:
    • uppsercase
    • +1@
    • add some some in the email
    • special characters in the email name %00, %09, %20
    • Put black characters after the email: test@test.com a

Username Enumeration

Check if you can figure out when a username has already been registered inside the application.

Password Policy

Creating a user check the password policy check if you can use weak passwords.
In that case you may try to bruteforce credentials.

SQL Injection

****Check this page to learn how to attempt account takeovers or extract information via SQL Injections in registry forms.

Oauth Takeovers

{% page-ref page="oauth-to-account-takeover.md" %}

Redirects

Pages usually redirects users after login, check if you can alter that redirect to cause an Open Redirect.

More Checks

  • Check if you can use disposable emails
  • Long password >200 leads to DoS
  • Check rate limits on account creation