Exploiting Max. Character Limitation
Hi everyone, First of all Happy new year and I hope&Pray you all are safe and sound. I always love to break functionalities and find some cool bugs. As I always highlight, It is very important to understand the functionalities and do search every possible way to break them for finding valid security loopholes. Today I would like to explain a find which falls under this category.
6 months ago, I got a private invite in Hackerone, I quickly opened the invite and saw that it is a cryptobased Program. Since I am not a big fan of Recon, I have started testing all the functionalities one by one. Then I have observed that there is no character limitation for Name field. Now I have two options:
- I can ignore this since this will anyway fall under informative or P5 or sometimes N/A
OR
- I can further explore and see where this lengthy name can be a further escalated to a potential threat either to a company or users or functionality.
So started checking all the features and Initially I have found that this is causing DOS attack. But since this is happening only in chrome browser Triage team did not accepted this and closed my report as informative.
So….
and I continued exploring and found that admin users can invite other users and only the admin user can remove the invited user anytime he wants. Removing invited users option exists only in one page where list of all users details like: FirstName, LastName, Email, Role will be displayed. But when the invited person changes their name to lengthy characters then admin user is not able to view remove option.
So the impact here is that invited user can stay in the team forever. For better understanding, will be adding steps below. Triage team accepted this Report with severity 5.0 and awarded $$$
Steps:
- Login as User-1, create business and invite User-2
- As User-2, join business of User-1.
- Now user-2 will update his name to lengthy name [More than 1000 characters].
- Now User-1 wants to remove User-2, so they should go to Go to settings > Members
- Here for the User-1, you will not find remove option.
I hope you like my explanation. I have found multiple other bugs based on character limitation, so always try to escalate when you find such flaws this is the sole purpose of publishing this writeup. Do ping me in twitter if you have any queries. Good Day!