赏金猎人系列-如何测试注册(Sign up)功能

赏金猎人系列-如何测试注册(Sign up)功能

声明：文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由用户承担全部法律及连带责任，文章作者不承担任何法律及连带责任。

前言

在正常的打猎(漏洞挖掘)过程中,Sign Up是常见的一个功能,之前写过一篇 注册功能测试小结,但是不是很全, 本文将着重对此功能的测试点进行系统性梳理,鉴于测试点有几十个,所以可能会分为好几期来阐述;

正文

第一种情况

首先尝试注册一下,不仅仅是PC端,移动端也请尝试一波,主要是了解这个公司的注册的流程与处理逻辑

 
POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded 
Referer: https://previous.com/path
Origin: https://www.company.com 
Content-Length: Number

firstname=I&lastname=am&[email protected] &password=*****&captcha=Random&token=CSRF

第二种情况

如果你需要商务邮件，尝试使用[email protected]或[email protected]

 
POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded 
Referer: https://previous.com/path
Origin: https://www.company.com Content-Length: Number

[email protected]&password=*****&ca ptcha=Random&token=CSR&Ffirstname=I&lastname=am

第三种情况

Gmail把[email protected]和[email protected]作为一个电子邮件，所以当你需要创建多个帐户时，考虑使用这个功能

就是说发送给[email protected]的邮件可能会被[email protected]接受到

[email protected] 
[email protected] 
[email protected] 
[email protected] 
[email protected] 
[email protected] 
[email protected]

第四种情况(Tip)

使用Burp Suite Collaborator创建多个帐户，例如[email protected], [email protected],诸如此类

[email protected] 
[email protected] 
[email protected] 
[email protected]
......

第五种情况(Tip)

如果存在谷歌的ReCAPTCHA机制,请尝试配置Burp Suite的TLS为Pass,例如: *google.com.*

设置步骤:

1.跳转至 Bp 的 Project Configurations

2.跳转至 TLS Pass Through

3.点击add然后输入: .*google.com.*

第六种情况

尝试注册现有的电子邮件地址，例如[email protected]，有时授权令牌将出现在响应

 
POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded 
Referer: https://previous.com/path
Origin: https://www.company.com 
Content-Length: Number

firstname=I&lastname=am&[email protected] 
&password=*****&captcha=Random&token=CSRF

第七种情况

尝试注册公司的邮件地址，例如[email protected]，以获得额外的权限或获得更多的功能。

 
POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded 
Referer: https://previous.com/path
Origin: https://www.company.com Content-Length: Number

firstname=I&lastname=am&[email protected] 
&password=*****&captcha=Random&token=CSRF

参考

https://docs.bugcrowd.com/researchers/participating-in-program/your-bugcrowdninja-email-address/?fbclid=IwAR3gU2qciYzA3Ks8ZCFV8l5WEIBbN1wEtz1wdyIDlHibKGeB2a54L4yaWcw

https://docs.hackerone.com/hackers/hacker-email-alias.html

https://hackerone.com/reports/246302

https://hackerone.com/reports/2224

https://medium.com/@sakyb7/tale-of-account-takeover-sensitive-info-disclosure-broken-access-control-cea0a5e3a1fd

https://sunilyedla.medium.com/information-disclosure-through-signup-endpoint-86d2d66dfef1

https://zseano.medium.com/how-signing-up-for-an-account-with-an-company-com-email-can-have-unexpected-results-7f1b700976f5

https://www.freecodecamp.org/news/messing-with-the-google-buganizer-system-for-15-600-in-bounties-58f86cc9f9a5/