Information Disclosure through Signup Endpoint

Always be Active and Learn from others
  1. [Victim] In browser-1, create a new account with email: <redacted>@gmail.com and Pass: Pass123!
  2. [Attacker] In browser-2, Go to signup form Enter registered email Id: <redacted>@gmail.com
  3. [Attacker] You will see error message like this: “You already have a <redacted> account. Please continue by entering your <redacted> password below.”
  4. [Attacker] Since you do not know the password Enter random password and capture the request in burp suite
  5. [Attacker] Check the server request body.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sunil Yedla

Sunil Yedla

Bug bounty hunter | QA analyst | Security Researcher