opws / opws-dataset

Profiles for the user account systems of various sites.
Open Data Commons Open Database License v1.0

Update GoDaddy, move username.reminder.url #246

Closed by stuartpb 7 years ago

stuartpb commented 7 years ago

Yes, it's bad that both of these changes are on the same commit, but I couldn't bring myself to add a username.reminder.url that was so obviously mis-mirroring password.reset.*.request.url.

stuartpb commented 7 years ago

Notes on profiling GoDaddy (I started using my dummy accounts repo more during this, and saved a couple of specimen emails - future PRs may look more like a link to that repo):

The registration form doesn't reject a username of... just five spaces?

Can't handle plus signs in an email address

Email address is auto-filled as a suggested username when changing input focus away from "valid" email

There legitimately do not appear to be restrictions on usernames: I picked s-->?://<script>alert(1)</script> (though I thought I put spaces in it, too).

registration sends a confirmation email

current and new password forms are show/hide independently, the change form links to the password reset page

invalid accounts in password reset are rejected with the email always highlighted as the problem

it looks like password reset might cause some kind of logout? or maybe my session just got too old?

now I tried logging in and I get a straight-up 403 plaintext "Access Denied" response when loading www.godaddy.com

the change password page doesn't work either so it looks like they banned the account, kek