Registration Vulns

The signup flow is the front door where user input first hits the database and authentication layer — making it a goldmine for bugs. From logic flaws to critical account takeovers.

24 Categories53 CommandsCopy Ready

Registration Vulnerabilities

Registration system vulnerability testing including mass assignment, duplicate accounts, and OTP bypass.

Last updated: 2026-05-15

Intro

Introduction

1 commands

1This guide covers 23+ registration vulnerability types with step-by-step reproduction steps.

The signup flow is the 'front door' where user input first hits the database and authentication layer — making it a goldmine for bugs: logic flaws, critical vulnerabilities, and account takeovers.

Bug 1

1. Duplicate Registration / Account Overwrite

2 commands

1#1 If login succeeds with the new password, the old account is overwritten — full takeover

Create account A (victim@gmail.com) → Log out → Re-register same email with different password → Login with new password

2#2 Case sensitivity bypass — backend checks exact match but DB stores case-insensitive

If abc@gmail.com exists → Register Abc@gmail.com or aBc@gmail.com

Bug 2

2. Denial of Service via Large Input

2 commands

1#1 Excessively long strings force server to allocate immense resources — may cause 500 error or crash

python -c "print('A'*20000)" → Paste into password field → Submit

2Indicates lack of input length validation on the server side

Monitor response time. If request hangs and returns 500 Internal Server Error, server struggled to process the input.

Bug 3

3. Lack of Rate Limiting (Mass Registration)

2 commands

1#1 If hundreds of consecutive requests return 200 OK without CAPTCHA or blocks, rate limiting is missing

Fill signup → Intercept in Burp → Send to Intruder → Mark email as payload position → Set Numbers 1-1000 → Start

2Critical for abuse prevention

Mass account registration can flood the database, send spam, and enable ban evasion.

Bug 4

4. Stored XSS in Registration Fields

4 commands

1#1 Classic XSS payload for Username / Name fields

"><img src=x onerror=alert(1)>

2#2 SVG-based XSS payload

<svg/onload=confirm(1)>

3#3 Email field XSS — payload before @ symbol

"><svg/onload=confirm(1)>"@x.y

4Bypass techniques if basic tags are blocked

Try case variation (<ScRiPt>), different event handlers (onmouseover, onsubmit), or encoded payloads

Bug 5

5. Insufficient Email Verification — Response Manipulation

3 commands

1#1 Response manipulation — client-side verification bypass

Intercept JSON response after signup → Look for "is_verified": false, "status": "pending" → Change to true/success → Forward

2#2 Status code manipulation to bypass verification gates

Intercept 403/302 response → Change status to 200 OK → Remove Location header

3#3 Direct/forced browsing — pages might only be hidden, not protected server-side

Register without verifying → Try force-browsing: /user/dashboard, /account/settings, /onboarding/step2

Bug 6

5b. Email Verification Swap (Stale Token)

2 commands

1#1 If victim@mail.com becomes verified using the old token, email swap bypass exists

Sign up with attacker@mail.com → Receive verification link (DON'T open) → Change email to victim@mail.com → Open original link for attacker@mail.com

2Critical — pre-account takeover via token reuse

Token is tied to user ID, not email address — stale token verifies the new email.

Bug 7

6. Weak Registration Implementation

2 commands

1#1 Block known temporary email providers to prevent abuse and ban evasion

Try registering with disposable email: @mailinator.com, @tempmail.com, @10minutemail.com

2#2 Registration over HTTP sends password in plaintext — vulnerable to MITM

Replace https:// with http:// on the signup page URL

Bug 8

7. Weak Password Policy

4 commands

1#1 Easily guessable passwords should be rejected

Try: 123456, password, qwerty, admin

2#2 Username as password — common lazy pattern

Try password = username

3#3 Email as password — should be blocked

Try password = email address

4#4 Weak security questions undermine future password reset flows

Check security questions set during signup — are they easily guessable?

Bug 9

8. Path Overwrite (Route Collision)

3 commands

1#1 Modern apps — register matching endpoint names

If profiles are at target.com/{username} → Register: login, admin, signup, api, dashboard

2#2 Legacy apps — register matching file names

Register: index.php, login.php, signup.php, admin.aspx

3Attacker controls a system-route URL

Navigate to target.com/login.php → If your profile loads instead of the login page, route collision succeeds.

Bug 10

9. Server-Side Validation Bypass

2 commands

1#1 If registration succeeds despite breaking frontend rules, server lacks proper validation

Intercept signup request → Modify: empty username/email, short password, invalid email (test@test, a@b), special chars

2Never trust client-side validation alone

Bypassed validation can lead to: malformed accounts, stored XSS, broken workflows, injection vulnerabilities.

Bug 11

10. Hidden / Legacy Registration Endpoints

2 commands

1#1 Discover hidden signup endpoints that may skip validations

Crawl for: /api/v1/register, /auth/create, /user/create, /legacy/signup, /mobile/register

2Easy target for abuse

Compare validation between endpoints — legacy ones often skip email verification, rate limiting, or password rules.

Bug 12

11. HTTP Parameter Pollution (HPP)

2 commands

1#1 Duplicate parameters — server may pick the wrong value

Intercept signup → email=victim@gmail.com&email=attacker@gmail.com

2Dangerous when backend handles duplicates inconsistently

Can lead to: Account takeover, bypassed validation, corrupted user records.

Bug 13

12. Weak / Predictable Verification Links

2 commands

1#1 Predictable tokens allow brute-forcing verification links

Register → Inspect verification link → Look for: Base64 email, short tokens, incrementing IDs

2Hijack the verification flow entirely

If tokens are guessable, attackers can verify accounts they don't own.

Bug 14

13. Punycode / IDN Homograph Bypass

2 commands

1#1 Unicode homograph attack — register with lookalike characters

admin@example.com vs аdmin@example.com (Cyrillic 'а') — they look identical but are different strings

20-click account takeover — see: infosecwriteups.com/punycode-idn-attacks

If app normalizes both to same value, use Unicode version to takeover legitimate account.

Bug 15

14. OTP Brute-Force During Signup

2 commands

1#1 If OTP attempts aren't rate-limited or locked out, they can be brute-forced

Start signup → Intercept OTP verification → Send rapid sequential guesses → Try changing IPs

2Critical — implement strict OTP rate limiting

Attacker can verify any email/phone without owning it — breaks the trust model entirely.

Bug 16

15. Weak/Reusable Session Tokens During Signup

2 commands

1#1 If session doesn't rotate, it's vulnerable to session fixation

Start signup → Capture session cookie → Complete verification → Compare session ID before/after

2#2 Weak tokens enable hijacking of freshly created accounts

Try registering multiple accounts without refreshing token → Reuse same token across accounts/devices

Bug 17

15b. Null Byte Injection (%00)

2 commands

1#1 Null byte causes truncation — validation sees one value, storage gets another

Register: attacker@mail.com%00victim@mail.com or username%00.jpg

2Legacy systems are especially vulnerable

If backend truncates at null byte, you can override account attributes or bypass checks.

Bug 18

16. Missing Email Confirmation Enforcement

2 commands

1#1 If app treats account as fully active without verification, it's vulnerable

Register with random email → Skip confirmation → Try logging in directly → Try profile update or password reset

2Enforce email verification before granting access

Attackers can register with any email and impersonate other users.

Bug 19

17. Session Fixation During Signup & Verification

2 commands

1#1 If session ID stays the same, platform is vulnerable to fixation

Start signup → Save session ID → Complete signup + verification → Compare session ID before/after

2Session ID must rotate after signup and verification

Attackers can force victims into attacker-controlled sessions and takeover newly created accounts.

Bug 20

18. Cache Control Issues

2 commands

1#1 Cached sensitive data on shared devices is a privacy risk

Complete signup/verification → Use browser back button → Inspect cached pages for OTP, tokens, verification status

2Prevent sensitive data exposure via cached pages

Signup/verification pages must set: Cache-Control: no-store, no-cache, Pragma: no-cache

Bug 21

19. Cross-Account IDOR After Signup

2 commands

1#1 If one account can modify or view another's onboarding data, IDOR exists

Create accounts A and B → While both in onboarding, capture API calls → Replace IDs/emails from A with B

2IDOR during registration can leak PII or allow account manipulation

Onboarding endpoints often lack strict access control — test early in the flow.

Bug 22

20. Mass Assignment in JSON Registration

3 commands

1#1 Mass assignment — add extra fields to manipulate server-side logic

Intercept JSON signup request → Add unexpected fields: role, is_admin, is_verified, organization_id

2#2 Parameter tampering via alternate casing or nested objects

Change parameter casing or shape (role vs Role, user[role]) to bypass server filters

3Detailed article covering all JSON signup manipulation techniques

Full guide: infosecwriteups.com/mass-assignment-registration-flows

Bug 23

Conclusion

1 commands

1Check all 20+ categories during: Web app pentests, Bug bounty hunting, Secure code reviews

A signup flow carries many hidden risks: duplicate accounts, missing rate limits, weak passwords, broken verification. Tightening registration early makes the entire app more secure.

Tools

Tools & Resources

Burp Suite

Intercept, modify, replay registration requests for testing

Punycode/IDN Attack Reference

Full walkthrough of Punycode homograph account takeover

Mass Assignment Guide

Comprehensive JSON registration manipulation techniques

Registration Vulns

The signup flow is the front door where user input first hits the database and authentication layer — making it a goldmine for bugs. From logic flaws to critical account takeovers.

24 Categories53 CommandsCopy Ready

Registration Vulnerabilities

Registration system vulnerability testing including mass assignment, duplicate accounts, and OTP bypass.

Last updated: 2026-05-15

Intro

Introduction

1 commands

1This guide covers 23+ registration vulnerability types with step-by-step reproduction steps.

The signup flow is the 'front door' where user input first hits the database and authentication layer — making it a goldmine for bugs: logic flaws, critical vulnerabilities, and account takeovers.

Bug 1

1. Duplicate Registration / Account Overwrite

2 commands

1#1 If login succeeds with the new password, the old account is overwritten — full takeover

Create account A (victim@gmail.com) → Log out → Re-register same email with different password → Login with new password

2#2 Case sensitivity bypass — backend checks exact match but DB stores case-insensitive

If abc@gmail.com exists → Register Abc@gmail.com or aBc@gmail.com

Bug 2

2. Denial of Service via Large Input

2 commands

1#1 Excessively long strings force server to allocate immense resources — may cause 500 error or crash

python -c "print('A'*20000)" → Paste into password field → Submit

2Indicates lack of input length validation on the server side

Monitor response time. If request hangs and returns 500 Internal Server Error, server struggled to process the input.

Bug 3

3. Lack of Rate Limiting (Mass Registration)

2 commands

1#1 If hundreds of consecutive requests return 200 OK without CAPTCHA or blocks, rate limiting is missing

Fill signup → Intercept in Burp → Send to Intruder → Mark email as payload position → Set Numbers 1-1000 → Start

2Critical for abuse prevention

Mass account registration can flood the database, send spam, and enable ban evasion.

Bug 4

4. Stored XSS in Registration Fields

4 commands

1#1 Classic XSS payload for Username / Name fields

"><img src=x onerror=alert(1)>

2#2 SVG-based XSS payload

<svg/onload=confirm(1)>

3#3 Email field XSS — payload before @ symbol

"><svg/onload=confirm(1)>"@x.y

4Bypass techniques if basic tags are blocked

Try case variation (<ScRiPt>), different event handlers (onmouseover, onsubmit), or encoded payloads

Bug 5

5. Insufficient Email Verification — Response Manipulation

3 commands

1#1 Response manipulation — client-side verification bypass

Intercept JSON response after signup → Look for "is_verified": false, "status": "pending" → Change to true/success → Forward

2#2 Status code manipulation to bypass verification gates

Intercept 403/302 response → Change status to 200 OK → Remove Location header

3#3 Direct/forced browsing — pages might only be hidden, not protected server-side

Register without verifying → Try force-browsing: /user/dashboard, /account/settings, /onboarding/step2

Bug 6

5b. Email Verification Swap (Stale Token)

2 commands

1#1 If victim@mail.com becomes verified using the old token, email swap bypass exists

Sign up with attacker@mail.com → Receive verification link (DON'T open) → Change email to victim@mail.com → Open original link for attacker@mail.com

2Critical — pre-account takeover via token reuse

Token is tied to user ID, not email address — stale token verifies the new email.

Bug 7

6. Weak Registration Implementation

2 commands

1#1 Block known temporary email providers to prevent abuse and ban evasion

Try registering with disposable email: @mailinator.com, @tempmail.com, @10minutemail.com

2#2 Registration over HTTP sends password in plaintext — vulnerable to MITM

Replace https:// with http:// on the signup page URL

Bug 8

7. Weak Password Policy

4 commands

1#1 Easily guessable passwords should be rejected

Try: 123456, password, qwerty, admin

2#2 Username as password — common lazy pattern

Try password = username

3#3 Email as password — should be blocked

Try password = email address

4#4 Weak security questions undermine future password reset flows

Check security questions set during signup — are they easily guessable?

Bug 9

8. Path Overwrite (Route Collision)

3 commands

1#1 Modern apps — register matching endpoint names

If profiles are at target.com/{username} → Register: login, admin, signup, api, dashboard

2#2 Legacy apps — register matching file names

Register: index.php, login.php, signup.php, admin.aspx

3Attacker controls a system-route URL

Navigate to target.com/login.php → If your profile loads instead of the login page, route collision succeeds.

Bug 10

9. Server-Side Validation Bypass

2 commands

1#1 If registration succeeds despite breaking frontend rules, server lacks proper validation

Intercept signup request → Modify: empty username/email, short password, invalid email (test@test, a@b), special chars

2Never trust client-side validation alone

Bypassed validation can lead to: malformed accounts, stored XSS, broken workflows, injection vulnerabilities.

Bug 11

10. Hidden / Legacy Registration Endpoints

2 commands

1#1 Discover hidden signup endpoints that may skip validations

Crawl for: /api/v1/register, /auth/create, /user/create, /legacy/signup, /mobile/register

2Easy target for abuse

Compare validation between endpoints — legacy ones often skip email verification, rate limiting, or password rules.

Bug 12

11. HTTP Parameter Pollution (HPP)

2 commands

1#1 Duplicate parameters — server may pick the wrong value

Intercept signup → email=victim@gmail.com&email=attacker@gmail.com

2Dangerous when backend handles duplicates inconsistently

Can lead to: Account takeover, bypassed validation, corrupted user records.

Bug 13

12. Weak / Predictable Verification Links

2 commands

1#1 Predictable tokens allow brute-forcing verification links

Register → Inspect verification link → Look for: Base64 email, short tokens, incrementing IDs

2Hijack the verification flow entirely

If tokens are guessable, attackers can verify accounts they don't own.

Bug 14

13. Punycode / IDN Homograph Bypass

2 commands

1#1 Unicode homograph attack — register with lookalike characters

admin@example.com vs аdmin@example.com (Cyrillic 'а') — they look identical but are different strings

20-click account takeover — see: infosecwriteups.com/punycode-idn-attacks

If app normalizes both to same value, use Unicode version to takeover legitimate account.

Bug 15

14. OTP Brute-Force During Signup

2 commands

1#1 If OTP attempts aren't rate-limited or locked out, they can be brute-forced

Start signup → Intercept OTP verification → Send rapid sequential guesses → Try changing IPs

2Critical — implement strict OTP rate limiting

Attacker can verify any email/phone without owning it — breaks the trust model entirely.

Bug 16

15. Weak/Reusable Session Tokens During Signup

2 commands

1#1 If session doesn't rotate, it's vulnerable to session fixation

Start signup → Capture session cookie → Complete verification → Compare session ID before/after

2#2 Weak tokens enable hijacking of freshly created accounts

Try registering multiple accounts without refreshing token → Reuse same token across accounts/devices

Bug 17

15b. Null Byte Injection (%00)

2 commands

1#1 Null byte causes truncation — validation sees one value, storage gets another

Register: attacker@mail.com%00victim@mail.com or username%00.jpg

2Legacy systems are especially vulnerable

If backend truncates at null byte, you can override account attributes or bypass checks.

Bug 18

16. Missing Email Confirmation Enforcement

2 commands

1#1 If app treats account as fully active without verification, it's vulnerable

Register with random email → Skip confirmation → Try logging in directly → Try profile update or password reset

2Enforce email verification before granting access

Attackers can register with any email and impersonate other users.

Bug 19

17. Session Fixation During Signup & Verification

2 commands

1#1 If session ID stays the same, platform is vulnerable to fixation

Start signup → Save session ID → Complete signup + verification → Compare session ID before/after

2Session ID must rotate after signup and verification

Attackers can force victims into attacker-controlled sessions and takeover newly created accounts.

Bug 20

18. Cache Control Issues

2 commands

1#1 Cached sensitive data on shared devices is a privacy risk

Complete signup/verification → Use browser back button → Inspect cached pages for OTP, tokens, verification status

2Prevent sensitive data exposure via cached pages

Signup/verification pages must set: Cache-Control: no-store, no-cache, Pragma: no-cache

Bug 21

19. Cross-Account IDOR After Signup

2 commands

1#1 If one account can modify or view another's onboarding data, IDOR exists

Create accounts A and B → While both in onboarding, capture API calls → Replace IDs/emails from A with B

2IDOR during registration can leak PII or allow account manipulation

Onboarding endpoints often lack strict access control — test early in the flow.

Bug 22

20. Mass Assignment in JSON Registration

3 commands

1#1 Mass assignment — add extra fields to manipulate server-side logic

Intercept JSON signup request → Add unexpected fields: role, is_admin, is_verified, organization_id

2#2 Parameter tampering via alternate casing or nested objects

Change parameter casing or shape (role vs Role, user[role]) to bypass server filters

3Detailed article covering all JSON signup manipulation techniques

Full guide: infosecwriteups.com/mass-assignment-registration-flows

Bug 23

Conclusion

1 commands

1Check all 20+ categories during: Web app pentests, Bug bounty hunting, Secure code reviews

A signup flow carries many hidden risks: duplicate accounts, missing rate limits, weak passwords, broken verification. Tightening registration early makes the entire app more secure.

Tools

Tools & Resources

Burp Suite

Intercept, modify, replay registration requests for testing

Punycode/IDN Attack Reference

Full walkthrough of Punycode homograph account takeover

Mass Assignment Guide

Comprehensive JSON registration manipulation techniques