Bypassing the block of Security Domain Restriction and normally invite blocked domains with special characters “İ”
Summary:
Hey sub, hope you are doing well today, inshallah <3
I found a bug that allows users to invite someone with a blocked domain to the project.
If the owner, for example, made a rule that no one can invite emails of yopmail.com, I would be able to invite them normally and break his rules with special characters. We are going to use “İ” instead of “I” or “i”.
Steps to reproduce:
- There should be a rule blocking the domain first, for example yopmail.com; add it from: Settings ⇒ Security ⇒ Domain Restrictions ⇒ Deny Only ⇒ and add yopmail.com
- Go to your invitation dashboard from: Settings ⇒ Users ⇒ Invite Users
- If we try to invite someone now with the blocked domain, we get an error saying:
- Now let's invite “email@yopmaİl.com” instead of “[email protected]”
- Here we go, it's invited successfully:
- And I receive an invitation message on the email normally:
Thank You <3
Note:
- You can use this reference for more special characters: https://0xacb.com/normalization_table
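The root cause is that the denylist compares the raw domain string (or a plain lowercased copy) against the rule, while “İ” does not lowercase to a plain “i”. The added example below is not code from the original report or from the affected product; it is a constructed illustration of the weak check next to a hardened one that folds the domain to a canonical ASCII form (NFKC, full case folding, stripping of leftover combining marks, then IDNA encoding) before the policy lookup. The denylist, the address strings and the function names are all assumptions made for the example.

```python
import unicodedata

# Constructed example rule, mirroring the report: the workspace denies yopmail.com.
DENIED_DOMAINS = {"yopmail.com"}


def domain_of(email: str) -> str:
    """Return the part after the '@'; rejects addresses without exactly one '@'."""
    if email.count("@") != 1:
        raise ValueError("address must contain exactly one '@'")
    return email.rsplit("@", 1)[1]


def naive_is_denied(email: str) -> bool:
    """The weak check: a plain lower() on the raw domain, then a set lookup.

    'yopmaİl.com'.lower() is 'yopmai̇l.com' (i + U+0307 combining dot above),
    which does not equal 'yopmail.com', so the rule is bypassed exactly as the
    report describes.
    """
    return domain_of(email).lower() in DENIED_DOMAINS


def canonical_domain(email: str) -> str:
    """Fold the domain to a canonical ASCII form before any policy comparison.

    Every step errs on the side of matching more, which is the right bias for
    a denylist (for an allowlist you would compare the IDNA form exactly).
    """
    domain = domain_of(email)
    # 1. Compatibility normalization: fullwidth letters, ligatures etc. fold to base chars.
    domain = unicodedata.normalize("NFKC", domain)
    # 2. Full case folding (stronger than lower(); handles ß, dotted İ, etc.).
    domain = domain.casefold()
    # 3. Drop combining marks left behind (e.g. the dot above from İ), so 'i̇' -> 'i'.
    domain = "".join(
        ch for ch in unicodedata.normalize("NFD", domain)
        if not unicodedata.combining(ch)
    )
    # 4. IDNA-encode so any remaining non-ASCII label becomes punycode (or raises).
    return domain.encode("idna").decode("ascii")


def is_denied(email: str) -> bool:
    """Hardened check: compare the canonical domain, and fail closed on bad input."""
    try:
        return canonical_domain(email) in DENIED_DOMAINS
    except (ValueError, UnicodeError):
        return True


if __name__ == "__main__":
    # Constructed inputs: the plain address, the report's İ variant, a fullwidth
    # variant (ｙ is U+FF59), and an unrelated domain.
    for addr in ("email@yopmail.com", "email@yopmaİl.com",
                 "email@ｙopmail.com", "someone@example.org"):
        print(f"{addr!r:28} naive={naive_is_denied(addr)!s:5} hardened={is_denied(addr)}")
```

The important design point is the order: normalize first, then compare, and do the same normalization on the value stored in the rule. Folding combining marks away means "café.com" and "cafe.com" are treated as the same domain, which is acceptable for a deny rule but would be too loose for an allowlist; there you would keep the IDNA-encoded form and compare it exactly.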
Impact
- Breaking the owner's rules and inviting a blocked domain to the project
- Rules violation
Copyright notice: posted by admin on March 22, 2024 at 2:13 PM.
When reposting, please credit: Bypassing the block of Security Domain Restriction and normally invite blocked domains with special characters “İ” | CTF导航