Username restrictions bypass on Hackerone program


bugbounty_learners

Hi Everyone,

In this article I'm going to talk about how to bypass a username restriction, which lets an attacker create a fake username or a fake organisation name. I discovered it in a HackerOne bug bounty program, which I'll refer to as redacted, and it earned me a $100 reward 💵💶💷.

An attacker can create an account whose profile is not viewable. There are several motives for doing this. For example, a program bans a researcher for some reason and does not want to invite that researcher again. The attacker then creates a profile that can never be viewed, so when the program admins invite researchers or review reports and want to verify the researcher's details, they cannot, because of this issue 🤔.

The restriction "Username can only contain alphanumeric characters (letters A-Z, numbers 0-9), with the exception of underscores" was bypassed.

Go to https://redacted.com/profiles/, edit the username and enter special characters. You will see the error saying only letters A-Z and numbers 0-9 are allowed.

Now enter normal characters, click save and capture the request in Burp Suite. Send it to Repeater, add special characters to the username in the request (for example, ! or .) and send it. The username is updated successfully, which shows the restriction is enforced only in the browser form and not by the server.

For example, if the victim's username is Lisa, an attacker can register look-alike names such as Lisa. (with a trailing dot), L!sa, or Lisa followed by a space character, and use them to create fake profiles.
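The fix is to repeat the username rule on the server, where a Burp edit cannot skip it. The following Python is an added example written for this article, not the program's code: a hypothetical in-memory profile store in its vulnerable form (the server trusts whatever the request carries, as in the bug above) next to a hardened form that enforces the rule with a regex. It goes one step beyond the article's inputs by including a trailing newline, because a common server-side regex anchored with `$` still accepts "Lisa\n"; the class and function names and the 30-character limit are assumptions.

```python
import re

# Policy the article's form states: letters A-Z, digits 0-9 and underscore only.
# Both regexes express it; they differ in how they treat a trailing newline.
NAIVE_RE = re.compile(r"^[A-Za-z0-9_]+$")      # '$' also matches just before a final '\n'
STRICT_RE = re.compile(r"[A-Za-z0-9_]{1,30}")  # used with fullmatch: the whole string must match


def naive_is_valid(name: str) -> bool:
    """Common server-side check that still lets 'Lisa\\n' through (assumed pitfall, not from the article)."""
    return NAIVE_RE.match(name) is not None


def is_valid_username(name: str) -> bool:
    """Server-side check that rejects every tampered form: '!', '.', spaces and newlines."""
    return STRICT_RE.fullmatch(name) is not None


class VulnerableProfileStore:
    """Models the bug: the browser form validates, the server stores whatever the request carries."""

    def __init__(self):
        self.users = {}

    def update_username(self, user_id: str, requested: str) -> bool:
        # No check here, so a Burp Repeater edit to 'L!sa' is saved as-is.
        self.users[user_id] = requested
        return True


class HardenedProfileStore:
    """Same endpoint with the rule re-enforced on the server, where Burp cannot bypass it."""

    def __init__(self):
        self.users = {}

    def update_username(self, user_id: str, requested: str) -> bool:
        if not is_valid_username(requested):
            return False
        self.users[user_id] = requested
        return True


# Constructed inputs: the victim's real name, the look-alikes the article describes,
# plus a trailing newline to show the naive regex pitfall.
VICTIM = "Lisa"
TAMPERED = ["L!sa", "Lisa.", "Lisa ", "Lisa\n"]


def demo() -> dict:
    """Returns {candidate: (vulnerable_accepted, hardened_accepted)} for each tampered name."""
    vuln, hard = VulnerableProfileStore(), HardenedProfileStore()
    vuln.update_username("victim", VICTIM)
    hard.update_username("victim", VICTIM)
    return {
        name: (vuln.update_username("attacker", name), hard.update_username("attacker", name))
        for name in TAMPERED
    }


if __name__ == "__main__":
    for name, (v, h) in demo().items():
        print(f"{name!r:10} vulnerable={v} hardened={h}")
```

Running it shows every tampered name accepted by the vulnerable store and rejected by the hardened one. The `fullmatch` form is the one to copy: `re.match` with `^...$` looks equivalent but treats "Lisa\n" as valid, which is exactly the kind of trailing special character this bug is about.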

Reported: December 11, 2023, 10:31am UTC
Rewarded: January 9, 2024, 8:29am UTC

— — — — — — — — — — — — — — — — — — — — — — — —


Thanks for Reading & Happy Hunting! 🤗
