Hi
Today I will tell you how I was able to find an account takeover due to no rate limit on the OTP.
I was looking for a target to start bug hunting on, and I found one whose scope included the signup page and the login page.
I started by creating an account on it. I noticed that the target sends an OTP to the user's mail for account confirmation, but when I copied and looked at the URL sent for account confirmation, it looked like this:
https://redacted.com/out/register/codeverify?email=jeetpal2007@gmail.com&code=418690
I noticed that the code in the URL is the same as the one sent to my mail, and my email is also built into it. From there I noticed that the form where I have to enter the OTP doesn't have a reCAPTCHA to fill in, so I could easily brute-force the OTP.
The OTP is 6 digits, so I used Burp Suite Intruder and sent the requests. Each request returned 401 Unauthorized, but the one with the right OTP returned 200 OK. I entered it and was able to get access without the link. The attack scenario here: if you have the victim's email, you can create an account using the victim's mail.
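The root cause here is that the verification endpoint answers an unlimited number of guesses for the same email with a clean 401/200 oracle, so a 6-digit code is only a million requests away. The fix that matters is not reCAPTCHA but an attempt budget bound to the code itself. The Python below is an added example written for this post, not code from the original write-up or from the target; the class OtpVerifier, the constants MAX_ATTEMPTS and OTP_TTL_SECONDS and the injectable clock are my own assumptions. It issues a random 6-digit code per email, expires it, makes it single-use, and discards it after five wrong guesses so that even the correct code is rejected afterwards and the user must request a new one.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

MAX_ATTEMPTS = 5        # wrong guesses tolerated before the code is discarded (assumed policy)
OTP_TTL_SECONDS = 600   # a code is only valid for ten minutes after issue (assumed policy)


@dataclass
class PendingOtp:
    """State kept server-side for one outstanding code."""
    code: str
    issued_at: float
    failures: int = 0


class OtpVerifier:
    """Issue and verify 6-digit codes with a per-email attempt budget.

    Hypothetical example class: the clock is injectable so expiry can be tested
    without sleeping.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._pending: Dict[str, PendingOtp] = {}

    def issue(self, email: str) -> str:
        # secrets.randbelow gives a CSPRNG value; zero-pad so "000042" is a valid code.
        code = f"{secrets.randbelow(1_000_000):06d}"
        # Issuing a new code replaces any old one, so a fresh code also resets the budget.
        self._pending[email] = PendingOtp(code=code, issued_at=self._clock())
        return code

    def verify(self, email: str, candidate: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False                      # nothing outstanding for this email
        if self._clock() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[email]          # expired: discard, do not count as an attempt
            return False
        # Constant-time comparison so response timing does not leak matching prefixes.
        if hmac.compare_digest(entry.code, candidate):
            del self._pending[email]          # single use: a replayed code must fail
            return True
        entry.failures += 1
        if entry.failures >= MAX_ATTEMPTS:
            del self._pending[email]          # burn the code; the right guess on try 6 fails too
        return False


if __name__ == "__main__":
    v = OtpVerifier()
    code = v.issue("user@example.com")        # constructed sample email
    for _ in range(MAX_ATTEMPTS):
        v.verify("user@example.com", "000000")
    print("correct code after budget exhausted:", v.verify("user@example.com", code))
```

With this policy an attacker gets at most MAX_ATTEMPTS guesses per issued code, so the chance of hitting a 6-digit code is 5 in 1,000,000 per issuance instead of a certainty; pair it with a cap on how often a new code can be requested for the same email, otherwise the budget simply resets on demand.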
Way 2
I noticed the same with password reset, so I was even happier and tried this again. When I tried to reset the password, the link for it was also the same as last time, so I could brute-force it again:
https://app.redacted.com/out/resetpass/change?email=jeet_pal@mail.com&code=494866
And yay, I was able to take over any account.
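Both findings leave the same trace in an access log: a burst of 401 responses for one email on the codeverify or resetpass endpoint, far more than a human mistyping a code. The Python below is an added detection example written for this post, not tooling from the original write-up; the log line layout, the WINDOW_SECONDS and THRESHOLD values and the sample traffic are constructed. It parses lines of the form `timestamp ip method request-target status`, keeps only 401s on the two OTP paths taken from the URLs above, and flags any email that accumulates more than THRESHOLD failures inside a sliding 60-second window.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Paths from the two URLs in the post; status 401 marked a wrong code, 200 the right one.
OTP_PATHS = ("/out/register/codeverify", "/out/resetpass/change")
WINDOW_SECONDS = 60   # assumed detection window
THRESHOLD = 10        # assumed: more than ten 401s per email per window is not a typo

# Constructed sample log (not real traffic): a 12-guess burst against one email,
# a user who genuinely mistyped a few times over several minutes, and one success.
_burst = [
    f"2024-05-01T12:00:{i:02d}Z 203.0.113.5 GET "
    f"/out/register/codeverify?email=victim%40example.com&code={i:06d} 401"
    for i in range(12)
]
_benign = [
    "2024-05-01T12:03:10Z 198.51.100.7 GET /out/resetpass/change?email=alice%40example.com&code=111111 401",
    "2024-05-01T12:05:42Z 198.51.100.7 GET /out/resetpass/change?email=alice%40example.com&code=111112 401",
    "2024-05-01T12:09:03Z 198.51.100.7 GET /out/resetpass/change?email=alice%40example.com&code=111121 401",
    "2024-05-01T12:09:30Z 198.51.100.7 GET /out/resetpass/change?email=alice%40example.com&code=121121 200",
]
SAMPLE_LOG = "\n".join(_burst + _benign)


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields; decodes the email query parameter."""
    ts, ip, method, target, status = line.split()
    parts = urlsplit(target)
    email = parse_qs(parts.query).get("email", [None])[0]   # parse_qs unescapes %40 -> @
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip,
        "method": method,
        "path": parts.path,
        "email": email,
        "status": int(status),
    }


def find_otp_bruteforce(log_text: str) -> Dict[str, int]:
    """Return {email: peak 401 count in any WINDOW_SECONDS window} for emails over THRESHOLD."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["path"] in OTP_PATHS and rec["status"] == 401 and rec["email"]:
            failures[rec["email"]].append(rec["ts"])

    flagged: Dict[str, int] = {}
    for email, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until every timestamp inside it is within the window.
            while (times[end] - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            count = end - start + 1
            if count > THRESHOLD:
                flagged[email] = max(flagged.get(email, 0), count)
    return flagged


if __name__ == "__main__":
    for email, peak in find_otp_bruteforce(SAMPLE_LOG).items():
        print(f"possible OTP brute force against {email}: {peak} failures within {WINDOW_SECONDS}s")
```

Keying on the email rather than the client IP is deliberate: the email is the account under attack and does not change when the guesses are spread across proxies, and it is the same field the fix above should rate-limit on.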
Thank you!!
I hope you understand.