Bypass of Username Policy: Breaking the Rules with a Simple Trick
Late one evening, I decided to dive into some bug hunting for a quick session. I noticed the application had strict username rules during registration: special characters like "@@" or "..." were not allowed, and neither were numeric-only usernames like "123". Also, I couldn't change my username after signing up. It seemed solid.

Process
I registered normally and went to my profile settings. However, the option to change my username was disabled.

I didn’t stop there. I decided to change my bio and intercepted the request using Burp Suite.

While reviewing the request, I spotted that I could add a parameter that was not in the original request, and that parameter allowed me to modify my username.

After I added the parameter, I sent the request again, and it just worked!

My profile was updated successfully.
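As an added example, not code from the original post, here is a minimal profile-update handler that reproduces the mass-assignment flaw described above next to a hardened version that allowlists the fields the bio endpoint is meant to change; the field names, the username regex and the allowlist are assumptions for illustration.

```python
import re

# Assumed registration policy: letters, digits and underscore only, 3-20 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def is_valid_username(name: str) -> bool:
    """Policy as described in the post: no special characters such as
    '@@' or '...', and not numeric-only."""
    return bool(USERNAME_RE.fullmatch(name)) and not name.isdigit()


def update_profile_vulnerable(profile: dict, body: dict) -> dict:
    """Binds every submitted field onto the stored profile. The username is
    immutable in the UI, but nothing here enforces that, and the registration
    policy is never re-checked, so an injected 'username' field lands as-is."""
    profile.update(body)
    return profile


EDITABLE_FIELDS = {"bio", "display_name"}  # assumed allowlist for this endpoint


def update_profile_hardened(profile: dict, body: dict) -> dict:
    """Accepts only the allowlisted fields and rejects the request outright
    (rather than silently dropping extras) so the attempt is visible in logs."""
    unexpected = set(body) - EDITABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    profile.update(body)
    return profile


# Constructed sample: the intercepted bio update with an extra parameter added.
INTERCEPTED = {"bio": "hello", "username": "@@"}


def demo():
    stored = {"username": "alice_01", "bio": ""}
    vuln = update_profile_vulnerable(dict(stored), INTERCEPTED)
    try:
        update_profile_hardened(dict(stored), INTERCEPTED)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    # The vulnerable path stores a username the registration policy forbids.
    return vuln["username"], is_valid_username(vuln["username"]), hardened_rejected


if __name__ == "__main__":
    print(demo())  # ('@@', False, True)
```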

Me: Sending the bug. Triage team: Waiting to mark it as a duplicate.

Result