This is my first writeup, so I am waiting for any feedback. Let's not waste more time and get started.

About the Target

Let's call the website example.com. The website is a service marketplace that allows users to request home-related services and receive offers from different providers. It includes features such as user accounts, request submission, and communication between clients and service providers. Imagine you want to paint your room: you make a request on example.com and enter all the details, and after that you receive offers from workers.

About the Finding

To test the behavior of the application, I created two accounts: one as an attacker (hacker@0x3oomda.com) and another as a victim (victim@0x3omda.com).

While using the attacker account, I proceeded to create a normal service request. In the final step, the application displays a review page where the user's details are shown before submitting the request. At this stage, I noticed that the email field was disabled on the frontend.

And this is the request:

But this raised a question in my mind: why is the email field disabled in the front end while I see the email parameter in the request, and what happens if I change the email to another email? Is the restriction still working?

To verify this, I sent the request to Repeater and modified the email parameter from hacker@0x3oomda.com to victim@gmail.com, then forwarded the request.

The server responded with 200 OK, indicating that the request was accepted.

After logging into the victim account, I observed that the request had been successfully submitted under the victim's email, confirming that the application does not properly validate or restrict this parameter on the backend.

Tip: Don't trust front-end restrictions; always test to see what the back end says.
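The server-side fix for this class of bug, as an added example that is not the target application's code: the handler takes the request owner from the authenticated session and rejects a body whose email disagrees with it. The names `SESSIONS`, `create_request_vulnerable`, `create_request_hardened` and the `example.test` addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: session token -> authenticated account email.
SESSIONS = {
    "tok-attacker": "attacker@example.test",
    "tok-victim": "victim@example.test",
}


@dataclass
class ServiceRequest:
    owner_email: str
    details: str


class Forbidden(Exception):
    """Raised when the body names an owner other than the session user."""


def create_request_vulnerable(session_token: str, body: dict) -> ServiceRequest:
    # Flaw: checks only that the caller is logged in, then trusts body["email"].
    # A disabled input in the browser does nothing to protect this value.
    if session_token not in SESSIONS:
        raise PermissionError("not authenticated")
    return ServiceRequest(owner_email=body["email"], details=body["details"])


def create_request_hardened(session_token: str, body: dict) -> ServiceRequest:
    # The owner identity comes from the server-side session, never from the body.
    try:
        session_email = SESSIONS[session_token]
    except KeyError:
        raise PermissionError("not authenticated") from None
    supplied = body.get("email")
    # Reject a mismatch instead of silently ignoring it, so tampering
    # surfaces as an error that can be logged and alerted on.
    if supplied is not None and supplied.strip().lower() != session_email.lower():
        raise Forbidden("email does not match authenticated user")
    return ServiceRequest(owner_email=session_email,
                          details=str(body.get("details", "")))
```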

In the end, thank God, I got my first bounty.

Thanks for reading!

I appreciate your time and feedback. Apologies for any language mistakes.

Happy hacking 🔥