Exploiting Max. Character Limitation

Hi everyone, first of all Happy New Year, and I hope and pray you are all safe and sound. I always love to break functionalities and find some cool bugs. As I always highlight, it is very important to understand the functionalities and search every possible way to break them in order to find valid security loopholes. Today I would like to explain a find which falls under this category.

Six months ago I got a private invite on HackerOne. I quickly opened the invite and saw that it is a crypto-based program. Since I am not a big fan of recon, I started testing all the functionalities one by one. Then I observed that there is no character limitation on the Name field. Now I had two options:

  • I can ignore this, since it will anyway fall under Informative, P5, or sometimes N/A

OR

  • I can explore further and see where this lengthy name can be escalated into a potential threat, either to the company, to users, or to functionality.

That's what we do : )

So I started checking all the features, and initially I found that it causes a DoS. But since this happens only in the Chrome browser, the triage team did not accept it and closed my report as Informative.


So…

Right! We never give up.

I continued exploring and found that admin users can invite other users, and only the admin user can remove an invited user, at any time. The option to remove invited users exists only on one page, where a list of all users' details (First Name, Last Name, Email, Role) is displayed. But when the invited person changes their name to a lengthy string, the admin user is no longer able to see the remove option.


So the impact here is that an invited user can stay in the team forever. For better understanding, I will be adding the steps below. The triage team accepted this report with severity 5.0 and awarded $$$.
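Both findings above (the Chrome DoS and the hidden remove option) share one root cause: the name field accepts input of any length, and the admin page renders it untruncated. The following is an added example, not code from the original post or from the program being tested, showing a server-side length check for name fields together with a display helper that truncates stored names so that the row's remove action always renders. The limits (64 characters stored, 32 displayed) and the sample users are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): server-side length validation
// for profile name fields plus a safe display helper for the admin user list.
// The limits below are assumed values chosen for illustration.

const NAME_MAX_LENGTH = 64;   // assumed per-field limit for first/last name
const DISPLAY_MAX = 32;       // assumed width budget for one cell in the users table

// Count user-perceived characters (code points) rather than UTF-16 code units,
// so a name made of emoji or astral characters is measured sensibly.
function lengthInCodePoints(str) {
  return Array.from(str).length;
}

// Validate a submitted name. Returns { ok: true, value } with the normalised
// name, or { ok: false, error } describing why it was rejected.
function validateName(raw, field = "name") {
  if (typeof raw !== "string") {
    return { ok: false, error: `${field} must be a string` };
  }
  const value = raw.normalize("NFC").trim();
  if (value.length === 0) {
    return { ok: false, error: `${field} must not be empty` };
  }
  if (lengthInCodePoints(value) > NAME_MAX_LENGTH) {
    return { ok: false, error: `${field} must be at most ${NAME_MAX_LENGTH} characters` };
  }
  // Reject control characters, which have no place in a display name.
  if (/[\u0000-\u001F\u007F]/.test(value)) {
    return { ok: false, error: `${field} contains control characters` };
  }
  return { ok: true, value };
}

// Truncate a stored name for display so that one oversized value cannot push
// the row's action controls (such as "Remove") out of the rendered table.
function displayName(name, max = DISPLAY_MAX) {
  const chars = Array.from(name);
  if (chars.length <= max) return name;
  return chars.slice(0, max - 1).join("") + "\u2026";
}

// Build the rows an admin user-list view would render. Every row keeps its
// remove action regardless of how long the stored names are.
function buildUserRows(users) {
  return users.map(u => ({
    id: u.id,
    firstName: displayName(u.firstName),
    lastName: displayName(u.lastName),
    email: u.email,
    role: u.role,
    actions: ["remove"],
  }));
}

// Constructed sample data: one ordinary invitee and one who set a
// 10,000-character name through a form that had no limit.
const sampleUsers = [
  { id: 1, firstName: "Asha", lastName: "Rao", email: "asha@example.com", role: "member" },
  { id: 2, firstName: "A".repeat(10000), lastName: "B".repeat(10000), email: "long@example.com", role: "member" },
];

// Stand-alone demonstration: the oversized name is rejected at submission
// time, and even an already-stored oversized name still renders a removable row.
console.log(validateName(sampleUsers[1].firstName, "firstName"));
for (const row of buildUserRows(sampleUsers)) {
  console.log(row.id, JSON.stringify(row.firstName), row.actions);
}
```

The two functions address the two layers separately: validateName stops new oversized names from being stored at all, while displayName protects the admin page against values that were stored before the limit existed, so the remove option remains reachable either way.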


Steps:

I hope you liked my explanation. I have found multiple other bugs based on character limitation, so always try to escalate when you find such flaws; that is the sole purpose of publishing this writeup. Do ping me on Twitter if you have any queries. Good day!

Written by

Bug bounty hunter | QA analyst | Security Researcher
