My Recon Automation Found an Email Confirmation Bypass

How a simple parameter led to a complete authentication bypass

Ibtissam hammadi

InfoSec Write-ups

· ~4 min read · October 5, 2025 (Updated: October 5, 2025) · Free: No

I was closing my laptop when my phone buzzed across the desk. My custom recon automation script had found something… weird.

Most days, it flags the usual suspects — open directories, common endpoints. But this was different. One strange parameter on an email verification endpoint that most scanners would overlook. Two hours later, I'd confirmed a complete Email Confirmation Bypass.

Here's the thing we all struggle with in bug bounty hunting: you can run all the automated tools, gather thousands of endpoints, and still miss the subtle logic flaws that lead to the real wins. We've all been there — that frustration when your tools spit out hundreds of potential leads but zero actual vulnerabilities.

This is the exact story of how I discovered one of my coolest bugs, and I'm telling it to you as if we're sharing coffee at a hacker meetup. No jargon, no corporate speak — real talk between friends.

The Step-by-Step Hunt

The First Clue: That "Sus" Parameter

So my recon automation pipeline had spit out this endpoint:

/api/v1/verify?token=abc123&type=email_confirmation

Nothing special at first glance. Every web app has email verification. But my brain went "hmm, that's sus" when I saw the type parameter. Why would you need to specify the type of verification if there's only one type?

Most automated scanners would have missed this — they're great at finding endpoints but struggle to understand context. This is where manual testing makes all the difference in web security.

I fired up Burp Suite and captured the request. The server responded with a standard JSON success message when I used a valid token. So far, nothing unusual. But then I started thinking…

The "What If?" Moment: Breaking Expected Formats

What if the server wasn't properly validating how it received data? We all focus so much on what we send that we forget how we send it.

The original request used standard form-data encoding. But what if I tried sending JSON instead? This is where I started testing for a potential Content-Type validation bypass.

I changed the headers and reformatted the request:

POST /api/v1/verify HTTP/1.1
Content-Type: application/json
Authorization: Bearer [token]

{
  "token": "abc123",
  "type": "email_confirmation"
}

The error message changed completely. Instead of "invalid token," I got "missing required field 'user_id'." My heart started racing — this was the lead I needed.

Connecting the Dots: From Flaw to Full Bypass

The server was processing my JSON differently from the form data. Now I could potentially manipulate more fields than the developers never intended.

I added the missing user_id field, but with a twist:

{
  "token": "abc123",
  "type": "email_confirmation",
  "user_id": "target_user_123",
  "is_verified": true
}

And just like that — the account was mine. No waiting for confirmation emails, no clicking links. The server trusted my is_verified flag without any additional validation.

This Content-Type validation bypass had given me direct control over the verification state, leading to a complete Authentication Bypass.

Proof & The Technical Nitty-Gritty

The Smoking Gun

I won't show the actual company's request/response for obvious reasons, but here's a sanitized version of the exploit:

POST /api/v1/verify HTTP/1.1
Host: api.vulnerable-app.com
Content-Type: application/json
Authorization: Bearer [legitimate_token]

{
  "token": "[any_valid_token]",
  "type": "email_confirmation",
  "user_id": "[target_user_id]",
  "is_verified": true,
  "email_verified": true
}

The server responded with:

{
  "status": "success",
  "message": "Email verified successfully",
  "user": {
    "id": "target_user_123",
    "email": "victim@company.com",
    "verified": true
  }
}

The complete takeover took one request. No complex chaining, no crazy exploitation — a simple logic flaw that gave me full account access.

My Toolchain

Custom recon automation (Python scripts + common tools)
Burp Suite for manual testing and request manipulation
Browser developer tools for understanding API calls
Postman for quickly testing different payload formats

The key wasn't having fancy tools — it was having the curiosity to ask "what if?" at every step .

Key Takeaways for Your Next Hunt

Manual Genius Over Blind Automation

Automation found the door, but manual testing picked the lock. My recon script identified the endpoint, but it took human curiosity to find the vulnerability .

We get so focused on running the next tool, scanning the next target, that we forget the most powerful tool we have: our ability to think creatively about what we're seeing.

Where to Look Next Time

Hammer the auth endpoints in your next API testing session:

/verify, /confirm, /validate endpoints
/reset-password, /change-email functionality
Any endpoint that handles authentication or verification

Pay special attention to:

Content-Type headers — Try JSON, XML, form-data
Parameter pollution — What happens when you send duplicate parameters?
Unexpected fields — Can you add fields the API shouldn't accept?

Go Try This Yourself

Give this method a shot on your next bug bounty hunt. Look beyond the obvious and question every assumption the developers might have made.

Bookmark this article if you found it helpful.

Next time, I'll show you how I chained this Email Confirmation Bypass with an IDOR to get a full account takeover on a major platform. It was absolutely wild.

Happy hunting!