OTP BYPASS THROUGH RESPONSE MANIPULATION
Hello everyone,
This is my first report. I am sure everyone is aware of the first P1 vulnerability, which is the most elusive of all (the streak of Duplicates and Not Applicables).
This report is all about a beginner who got a lot of Duplicate, Not Applicable and many Rejected reports, and then a Triaged with my first P1.
Every Dog has a Day and wait for the Day !!!
Let’s dig in!
This is my first Medium report, so if there are any mistakes please ignore them and continue reading…
DESCRIPTION:-
First of all, let's assume the website is www.target.com. This is the simplest bug (vulnerability) that I found. When I created an account on www.target.com, I received an OTP on my phone number for verification. When I entered the correct OTP and checked the response to this request, the response was very simple: HTTP/1.1 200 and “success”. So I thought, let's bypass the OTP verification.
Let's try to bypass the OTP on the login page.
The login page had a "Login with phone number" method, which let me enter my phone number.
I decided to brute-force the OTP using the Burp Intruder tab, but unfortunately there was rate-limit protection. So I entered a random 6-digit OTP.
Then I captured the request in Burp Suite.
Next, right-click on the request and click Action > Do intercept > Response to this request.
Using "Do intercept response", I started analyzing the response.
Then I changed the “error” message to a “success” message
and forwarded the request.
BOOM !!!
I was able to log in to an account with my friend's mobile number even without a valid OTP, which makes it clear that I could create an account with any mobile number without verifying the OTP.
Lesson Learnt !
Researchers always try to brute-force the OTP field, but they forget to analyze the response sent to the browser. Play with response manipulation; sometimes the server fails to validate the response…
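The defence against what this write-up describes is to never let the client's reading of a response decide who is logged in: the server must hold the OTP state and hand out a session only after it has checked the code itself, so a verdict rewritten from “error” to “success” in the proxy changes nothing. Below is an added example of that pattern. It is my code, not the original post's or the target site's; `SERVER_KEY`, `OtpService`, `tampered_client_login` and the sample phone number are constructed for illustration. It also hashes the pending code, makes it single-use, expires it, and locks after a few wrong guesses, which is the server-side answer to the brute-force attempt mentioned earlier.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a per-deployment secret so that stored OTP
# digests cannot be reversed if the store leaks. In production it comes
# from a secret manager, not from code.
SERVER_KEY = secrets.token_bytes(32)
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


class OtpService:
    """Server-side OTP state. The client learns whether a code matched only
    through the session token it is (or is not) issued; editing the JSON
    verdict in transit cannot create a session."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms      # out-of-band delivery, e.g. an SMS gateway
        self._clock = clock            # injectable for deterministic tests
        self._pending = {}             # phone -> {"digest", "expires", "attempts"}
        self._sessions = {}            # opaque token -> phone (the only login record)

    def _digest(self, phone, code):
        msg = f"{phone}:{code}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

    def request_otp(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"   # uniformly random 6 digits
        self._pending[phone] = {
            "digest": self._digest(phone, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone, code)                # the code leaves only via SMS

    def verify_otp(self, phone, code):
        """Return (response_body, session_token). A token exists only on a real match."""
        entry = self._pending.get(phone)
        if entry is None or self._clock() > entry["expires"]:
            self._pending.pop(phone, None)
            return {"status": "error", "reason": "no active OTP"}, None
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            self._pending.pop(phone, None)         # burn the code after too many guesses
            return {"status": "error", "reason": "locked"}, None
        if not hmac.compare_digest(entry["digest"], self._digest(phone, str(code))):
            return {"status": "error", "reason": "invalid"}, None
        del self._pending[phone]                   # single use: a good code cannot be replayed
        token = secrets.token_urlsafe(32)
        self._sessions[token] = phone
        return {"status": "success"}, token

    def account_for(self, token):
        """Resolve a session token; anything the client merely claims is ignored."""
        return self._sessions.get(token)


def tampered_client_login(service, phone, guessed_code):
    """Model the write-up's manipulation: the client flips the server's verdict
    from "error" to "success" before acting on it. Because no token was issued,
    the forged verdict logs nobody in and this returns None."""
    body, token = service.verify_otp(phone, guessed_code)
    body = dict(body, status="success")            # the edited response, as in the proxy
    # The client UI may now show a dashboard, but every later request is
    # authorised by the token, and the server never issued one.
    return service.account_for(token)
```

The point of `tampered_client_login` is that it faithfully reproduces the trick from the write-up and still gets nothing, because the only thing the server consults afterwards is its own session table. The hashed, expiring, single-use, attempt-limited code is what makes the Intruder run pointless as well.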
POC VIDEO :-
Timeline:
September 2, 2020 — Reported.
September 3, 2020 — Triaged.
September 15, 2020 — Issue fixed.
Well, if you love this writeup drop a clap 👏 (50x). Let's connect:
Twitter: https://twitter.com/AGNIHACKERS1
LinkedIn: https://www.linkedin.com/in/mahin-vm/
Email: agnihackers123@gmail.com
Disclaimer
The Blog Content has been made available for informational and educational purposes only.
I hereby disclaim any and all liability to any party for any direct, indirect, implied, punitive, special, incidental or other consequential damages arising directly or indirectly from any use of the Blog Content; readers are solely responsible for such use.
Peace ✌️ !!!