OTP Bypass Through Response Manipulation

OTP Bypass Through Response Manipulation

AGNIHACKERS's photo
AGNIHACKERS
·

3 min read

Hello everyone,

This is my first report. I am sure everyone will be aware of the first P1 vulnerability which is the most invisible of all(the strike of duplicates and not applicable).

This Report is all about a beginner who gets a lot of Duplicates, Not Applicate, and many of Rejected and after a Triged with my first P1.

Every Dog has a Day and wait for the Day !!!

ezgif.com-gif-maker.gif

Let’s dig in!

This is my first medium report and if there are any corruptions please Ignore it and continue reading…

DESCRIPTION:

First of all, let’s assume the Website is www.target.com and this is the Simplest Bug (Vulnerability) that I found. When I created an account in www.target.com i received an OTP in my phone number for verifying the OTP message. When I entered the correct OTP and checked the Response to this Request. Response code is very simple HTTP/1.1 200 and “success” then I think let’s bypass OTP Verification.

let’s try to Bypass the OTP on the Login page.

The Login page had a Login with phone number method, which allows me to enter my Phone number.

1.png

So, I decided to brute force the OTP by using the Burp intruder tab. But Unfortunately, there was a Rate limit protection. Now, I entered the Random 6-digit OTP code.

2.png

Then, I Captured the Request into Burpsuite.

3.jpeg

Now, I right-clicked on the Request and click on Action>Do intercept>Response to this request .

4.jpeg

By using the Do Intercept response I started analyzing the response.

5.png

Then, I changed the “error” message into “success” message

6.png

And then, I forwarded the request

7.png

BOOM !!!

ezgif.com-gif-maker(1).gif

I was able to Login account with my friend’s mobile number even without Valid OTP, which makes a clear view that I can able to create an account with any mobile number without verifying the OTP.

Lesson Learnt!

Researchers always try to brute force the OTP field but they forget to analyze the response sent to the browser. Play with the response manipulation sometimes server fails to fetch the response …

POC VIDEO:

https://youtu.be/wOd6vEmKAu8

Timeline:

  • September 2, 2020 — Reported.
  • September 3, 2020 — Triaged.
  • September 15th,2020 — Issue Fixed

Well if you love this writeup drop a clap 👏(50X), let’s connect then:

Twitter: https://twitter.com/AGNIHACKERS1

LinkedIn: https://www.linkedin.com/in/mahin-vm/

Email: agnihackers123@gmail.com

Disclaimer The Blog Content has been made available for informational and educational purposes only.

I hereby disclaim any and all liability to any party for any direct, indirect, implied, punitive, special, incidental, or other consequential damages arising directly or indirectly from any use of the Blog Content is solely the responsible by the readers.

Peace ✌️ !!!

bugbountybugcrowdinfos3chackingBugs and Errors