Description

Administrator users can create multiple users with the same username which breaks the logic of the web application.

Proof of Concept

Step 1: At Administration>User Management>Manager User Screen, click on “New Local User” button

Step 2: Fill in all the required fields, notice that the email is [email protected].

Step 3: Intercept the above request

Step 4: Send the request to “Intruder”, set payload position as image below

Step 5: Set the number of payloads to 100

Step 6: Set the concurrent requests to 30 and click “Start attack”

Step 7: 30 requests creating the user with the username “[email protected]” will be sent at the same time. Looking at the result, we can see there are 3 users with the username “pentest@gmail” created.

Step 8: Send the request again and see that it fails because the user “[email protected]” was created before, which means by default, it is unacceptable that 2 users with the same username in this system.

Step 8: Go to the User Management screen to confirm that.