.png)
4 months ago
30 BOOK THIS SPACE FOR AD
ARTICLE ADI registered to the site and verified the email then I logged in.
First, I went to account setting and change my email, this message appeared to me
From this message, I got an idea to bypass this verification using Race condition. Because if the site just needs a valid verification URL and does not confirm that verification URL related to the email address, we can bypass it.
I intercepted change email request and send it to repeater
to test it we need to send the request at least 2 times so send it to the repeater again
In the first one add the email you want to take over
Add your own email in the second one.
then create group to be able to send the two requests in the same time
Now click the down arrow and choose send group in parallel
finally, send the two requests
Unexpected moment, the second email (spider4@gmail.com) has verification URL
I opened it and no error :)
and when I opened my dashboard I found that my email is admin@example.com — not my email — and It is verified.
Bengali (Bangladesh) · 
English (United States) ·