Blocking Users from Registration

Let’s begin ,

I was hunting on a public program so just started with some basic recon and Info gathering stuff , at this point i mostly try to find the Origin-IP of target Because i don’t want to mess-up with Firewalls. for this

Now lets get back to Bug………..

we will assume target as paisa.com, it has a login and registration form at endpoint ‘ /create’ .

At registration we have to fill 3 field to create an account . Email , OTP and Password. the process of account creation is

I have tried several Bug types on registration form but no luck , while playing with parameters like removing anyone or sending unexpected data type or special characters. i have noticed something unusual response when i try to remove Password field , so i continued playing with no password field and changing other 2 fields email and OTP respectively.

Playing long with this parameters i got 200 OK but don’t know what actually happened. the request look like

After investigating i found that account was created but we can’t login , because password is required for login and we have not created it while registration,

So, i have tried creating password by going to “forget password” option and unfortunately password got created, i was sad but tried to login using that credential in a hope that i will find something inside,

but wait i am still unable to login to account as it says “Your email is not verified yet” and there is no other option to verify email then using OTP while registration.

It is OTP bypass and User Block

Result :- User Account is Blocked by attacker and now he can’t create account. This vulnerability can be used to disrupt paisa.com user acquisition process by preventing new users from signing up. It could also be leveraged in more targeted attacks against specific users.