Bypass of Username Policy — Breaking the Rules with a Simple Trick

Late one evening, I decided to dive into some bug hunting for a quick session. I noticed the application had strict username rules during registration — special characters like @@ or ... or numeric-only usernames like 123 were not allowed. Also, I couldn’t change my username after signing up. It seemed solid.

Registration Rules


Process

I registered normally and went to my profile settings. However, the option to change my username was disabled.

Profile Disabled 1

Profile Disabled 2

Profile Disabled 3


Exploit

I didn’t stop there. I decided to change my bio and intercepted the request using Burp Suite.

While reviewing the request, I spotted that I could add a parameter that doesn’t exist in the normal request — and it allowed me to modify my username.

After I added the parameter, I sent the request again, and it just worked!

Modified Request Worked


Conversation

Me: Sending the bug.
Triage Team: Waiting for duplicate me.

Triage Meme


Result

My profile was successfully updated with a username format that was supposed to be blocked.

Final Result
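
Behaviour like this typically comes from mass assignment: the profile endpoint binds whatever fields arrive in the request, while the username policy is only checked at registration. The sketch below is an added example, not code from the original post or the affected application; the field names (`username`, `bio`), the policy regex and the function names are assumptions made for illustration.

```python
import re

# Assumed policy, modelled on the rules the post describes: no special
# characters and no numeric-only names. The exact regex is an assumption.
USERNAME_RE = re.compile(r"^(?!\d+$)[A-Za-z0-9_]{3,20}$")

# Fields the profile-settings endpoint is meant to change (assumed names).
PROFILE_EDITABLE = {"bio"}


def valid_username(name):
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None


def register(username):
    """Registration path: the only place the policy is enforced."""
    if not valid_username(username):
        raise ValueError("username violates policy")
    return {"username": username, "bio": ""}


def update_profile_vulnerable(user, body):
    """Binds every key of the request body onto the record (mass assignment)."""
    for key, value in body.items():
        if key in user:  # any existing attribute is writable, policy never runs
            user[key] = value
    return user


def update_profile_hardened(user, body):
    """Allowlists editable fields and rejects anything else outright."""
    unexpected = set(body) - PROFILE_EDITABLE
    if unexpected:
        # Reject (and log/alert upstream) instead of silently dropping the field.
        raise PermissionError(f"non-editable fields: {sorted(unexpected)}")
    bio = body.get("bio", user["bio"])
    if not isinstance(bio, str) or len(bio) > 500:
        raise ValueError("invalid bio")
    user["bio"] = bio
    return user
```

Rejecting unexpected fields, rather than ignoring them, also gives the server a clear signal to log when a request carries parameters the client UI never sends.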

This post is licensed under CC BY 4.0 by the author.