Hi everyone,
Today I would like to talk about one of my interesting findings, in which I was able to bypass a dev admin panel because of improper authorization. So let's get to the main point.
Let's assume the target is Boom.com. During subdomain enumeration I found one of their subdomains on which they managed widget settings and so on.
Now the game starts here:
There is a mobile-number login mechanism for the admin to get into the admin panel. I entered my number and waited for the OTP, but nothing arrived.

Then I thought: why not intercept that request and check the response? What I got was a 400 Bad Request with "invalid otp" in the body.

Here the game changed. I changed the response code to 200 OK and removed the invalid-OTP response body.

Woah!! I was redirected to the dashboard and was able to do whatever I wanted.
Check this blog post for the difference between authentication and authorization: HERE
I hope you enjoyed this. Thank you so much for your time.
Have a great bounty life!
Connect with me on Twitter: @aadesh_namdevv (https://twitter.com/aadesh_namdevv)