SaaSHub module: registration form now protected by hCaptcha (silent 422)

[sturq]

The saashub module always falls through to its Unexpected response body structure branch. Root cause: the register form at saashub.com/register is now behind hCaptcha. POSTing without a captcha token returns HTTP 422 with the same register page re-rendered, no flash, no field-level error, just the form again with our email echoed back.

Quick instrumented check:

GET 200
token found: True
POST 422 len 58205
  'has already been taken': 0
  "couldn't sign you up": 0
  contains 'hcaptcha': True
  our email echoed back: True

The Accept-Encoding: gzip, deflate, br, zstd header on this module is a separate problem (#338 covers that), but even with response decoding fixed, the form is captcha-gated so there's no signal to read.

Options:

1. Remove the module.
2. Find another SaaSHub endpoint that exposes email existence without a captcha. I didn't find one but didn't exhaustively map the site.
3. Loud-mode reimplementation against a password-reset flow if one exists.

Tested on user-scanner 1.3.6.4, Python 3.13.13, Termux.

[kaifcodec]

@sturq You are correct, it looks like they changed the registration flow and it is now protected behind CAPTCHA verification.

If you’d like to contribute further, you can manually test the site in your browser and inspect whether the forgot-password endpoint is also CAPTCHA-gated or if it returns a generic response such as “If the email exists, we have sent a password reset link.”

If that’s the case, report it here and we can safely move the module to the abandoned directory.

[sturq]

Tested the forgot-password flow. Lives at /login-email, not captcha-gated, plain Rails form with authenticity_token and an email field.

Submitted with two clearly-fake addresses (totally-fake-9q8w@example.com and one with a .invalid TLD so no real inbox could be hit). Both got the exact same HTTP 200 response:

<div class="notice ... notice--success">
  ...
  We have sent an email with a log-in link to <b>{whatever-was-submitted}</b>.
</div>

Identical message, same notice--success class, no field-level error, no notice--alert, nothing that distinguishes "we sent because you exist" from "we ignored you because you don't". So it's the privacy-preserving generic flow, no OSINT signal available.

Module is unsalvageable as far as I can see, agreed on moving it to the abandoned directory. Happy to put up a PR doing that move if useful.

[kaifcodec]

@sturq Thank for the information and really appreciate your efforts.
I will take a look on this myself once again, then let you know.
Till then you can add new site support that aren't already there in our tool.

[kaifcodec]

@sturq I tested it myself, and it’s true that they have now added hCaptcha protection to the /register endpoint and switched the forgot-password flow to a generic response message.

Because of that, we should move saashub.py into an abandoned/email_scan/dev/ directory at the root of the user-scanner/ project.

You can open a PR for that change now.