Comment on page

Registration Vulnerabilities

Takeover
Duplicate Registration
Try to generate using an existing username
Check varying the email:
uppsercase
+1@
add some some in the email
special characters in the email name (%00, %09, %20)
Put black characters after the email: [email protected]                    a
[email protected]@attacker.com
[email protected]@gmail.com
Username Enumeration
Check if you can figure out when a username has already been registered inside the application.
Password Policy
Creating a user check the password policy (check if you can use weak passwords).
In that case you may try to bruteforce credentials.
SQL Injection
****Check this page to learn how to attempt account takeovers or extract information via SQL Injections in registry forms.
Oauth Takeovers
OAuth to Account takeover
SAML Vulnerabilities
SAML Attacks
Change Email
when registered try to change the email and check if this change is correctly validated or can change it to arbitrary emails.
More Checks
Check if you can use disposable emails
Long password (>200) leads to DoS
Check rate limits on account creation
Use username@burp_collab.net and analyze the callback

Pentesting Web - Previous

Rate Limit Bypass

Next - Pentesting Web

Regular expression Denial of Service - ReDoS

Last modified 2yr ago