yoooo what up guys, it’s been a while
It’s Ahmed again, and today I would like to share a critical bug I found on an external bug bounty program (yeah, I know). So let’s get started! 😉
The target? Let’s just call it www.target.com (I don’t wanna go to jail), a university site. After collecting subdomains with tools like Subfinder, Assetfinder, Sublist3r, and Subdomainfinder and filtering the live ones with httpx -sc -cl -title, I found the subdomain https://webpages.target.com. It had some articles and event info, but what really got my attention was the signup feature.
I quickly signed up and got an OTP in my email for verification. After entering the right OTP and checking the response, it was a simple “HTTP/1.1 200” with “success” in the body. Every login required a different OTP sent to my email, and switching between apps to grab the OTP each time got old fast. So I thought, why not try to bypass this?
The next time I logged in, it asked for the OTP from my email (ugh, seriously?). I first tried to brute-force the OTP, but there was a rate limit.
So I entered 6 random digits and captured the request in Burp Suite.
Then right-click the intercepted request > Do intercept > Response to this request.
Now the response shows up in the Proxy intercept tab so we can modify it. This was the response:
What caught my eye was that after entering an incorrect OTP, instead of a proper error response, I got a casual HTTP/1.1 200 OK with “error” on the last line. I suspected the client was relying on just this word to decide whether the OTP had been verified, with nothing enforced on the server side.
And guess what? (Seriously, where do they find these developers who get paid for this?) I changed “error” to “success”, and hell yeah, it worked!
BOOM !!!
I logged into an account registered with my friend’s email without ever needing a valid OTP. It also means you can create an account with any email address without completing OTP verification.
While researchers are busy brute-forcing the OTP field, they forget to analyze the response sent to the browser. Play with response manipulation sometimes: when the server never enforces the OTP check on its own side, the browser’s reading of “success” is all that gates access to the account.
You can follow me on social media to see more write-ups.