Closed rafbel closed 4 years ago
It's not so clear to me how this is advantageous for an attacker.
Thank you @rafbel for pointing it out. Actually it is a bug that I forgot the check the boundary of the initial account. I think I will get a deduction in the build phase for correctness, but basically it is not the injected vulnerability.
I agree, gonna close the issue.
This is an input validation vulnerability, where there is an error in one of the validation procedures for the balance field.
In order to exploit this vulnerability, I first created an account with a negative balance and got the following error message back:
Then I created an account with an initial value higher than the maximum allowed amount, and was able to create a user with that balance as shown below:
When I log in, this is my account page: