Functionality Bypass — IDOR


OTP Bypass to IDOR (Insecure Direct Object Reference)

Antara Mane

Hello readers, so today I’m gonna talk about how a weak implementation of OTP functionality in an application allowed me to access critical customer data, download the KYC details uploaded by customers, and make a false payment on behalf of a legitimate customer. Let the hunt begin.

During a recent pentest, I stumbled upon a policy tracking application that had a flawed OTP verification process and accepted any arbitrary OTP value. A malicious actor with knowledge of the customer’s mobile number and DOB (which were found hardcoded within the publicly available asset files) can access sensitive customer information such as account balance and recent transactions, and perform actions like blocking cards, setting a PIN, etc.

As shown in the Figure below, sensitive details such as the policy number, mobile number, etc. were found hardcoded within the publicly available asset files.

hardcoded sensitive data

Other sensitive details such as name, address, etc. were also found hardcoded, as shown in the Figure below:

hardcoded sensitive data

So let’s try to log into the application with the available data.

trying to log in with the available details

The application verifies the user details (as provided in the above screen), sends an OTP (One Time Password) to the registered user’s mobile number, and presents an OTP verification screen. Enter any arbitrary value as the OTP and submit the form.

enter arbitrary OTP value and submit

As shown in the Figure below, the application accepts any entered arbitrary OTP value.

the application accepts any arbitrary OTP value

The application then displays the list of policy details, allows a payment to be made, grants unauthorized access to sensitive details, allows the KYC details uploaded by the customer to be downloaded, etc., as shown in the Figure below:

unauthorized access to sensitive customer data

Further, I gained unauthorized access to an arbitrary customer’s policy details, as shown in the Figures below:

unauthorized access to arbitrary customer’s policy detail (two Figures)

Furthermore, I was able to gain unauthorized access to the sensitive information uploaded by the authenticated customer. Also, I was able to download the KYC details uploaded by the customers, as shown in the Figures below:

unauthorized access to sensitive KYC details of customers (two Figures)
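As an added example (not code from the tested application or from the author), here are the two server-side checks whose absence the write-up describes, in Python: an OTP that is bound to one mobile number, single-use, time-limited, attempt-limited and compared in constant time, plus an object-level ownership check before any policy or KYC record is returned. The mobile numbers, policy numbers and KYC file names are constructed placeholders.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # OTP is valid for five minutes
MAX_ATTEMPTS = 3        # wrong guesses allowed before the OTP is discarded

# Constructed sample data: policy number -> owning mobile number and KYC document
POLICIES = {
    "POL-1001": {"owner": "+910000000001", "kyc": "kyc_1001.pdf"},
    "POL-2002": {"owner": "+910000000002", "kyc": "kyc_2002.pdf"},
}

_pending = {}  # mobile -> {"otp", "expires", "attempts"}; server-side only


def _now(now):
    return time.time() if now is None else now


def issue_otp(mobile, now=None):
    """Generate a 6-digit OTP for one mobile number with an expiry and attempt budget."""
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[mobile] = {"otp": otp, "expires": _now(now) + OTP_TTL_SECONDS, "attempts": 0}
    return otp  # delivered to the customer by SMS; never echoed to the client


def verify_otp(mobile, submitted, now=None):
    """Return a session dict only if the submitted OTP matches the pending one.
    An arbitrary value is rejected; a stale or over-tried OTP is discarded."""
    rec = _pending.get(mobile)
    if rec is None:
        return None
    if _now(now) > rec["expires"]:
        del _pending[mobile]
        return None
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        del _pending[mobile]
        return None
    if not hmac.compare_digest(rec["otp"], str(submitted)):
        return None
    del _pending[mobile]  # single use: a replayed OTP no longer verifies
    return {"mobile": mobile}


def get_policy(session, policy_no):
    """Object-level authorization: the policy must belong to the session's customer."""
    policy = POLICIES.get(policy_no)
    if policy is None or policy["owner"] != session["mobile"]:
        return None  # same answer for 'not found' and 'not yours'
    return policy
```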

Further, due to some limitations in the testing, I was unable to make a false payment on behalf of the legitimate customer, as shown in the Figure below.

make a false payment on behalf of a legitimate customer

After the redirection to the payment gateway, the application stops responding and shows a blank screen, as shown in the Figures below:

redirecting to payment gateway

error while retrieving the info from the application

Further Scenarios:

1. Make unauthorized payments on behalf of the valid customer

2. Bypass the payment and complete a successful transaction for a lower amount than the actual amount

Thank you all for making the time to read this article.

Stay Tuned for another interesting attack!!

You can connect with me at https://github.com/InfoSecAntara
