OTP Bypass through Session Manipulation


To understand how the server crafts session cookies, I used a valid OTP code during testing. Here’s how the process unfolded:

Using Valid Credentials and OTP:

After entering valid credentials and a valid OTP code, I observed the server's response. The OTP POST request carried the code in the VerC parameter together with the PIDM and WEBID parameters, and the response set a session cookie built from those two values. For example:

The server's response was:

Set-Cookie: SESSID=QlZOWEY3MTIzNDcyNA==

Decoding the Session Cookie:

Decoding this Base64 encoded cookie (QlZOWEY3MTIzNDcyNA==) revealed:

BVNXF71234724

This confirmed that the session cookie is nothing more than WEBID followed by PIDM (BVNXF7 + 1234724), Base64 encoded. There is no random component, no server-side secret and no signature in it, so anyone who knows those two values can compute the cookie themselves.

Crafting a Session Cookie:

With this knowledge, it was clear that an attacker who can craft a session cookie from PIDM and WEBID can bypass the OTP step entirely. Here's how:

Invalid OTP and Manual Crafting:

Even if an invalid OTP code is submitted, the attacker already has the PIDM and WEBID values, because they are sent in their own OTP POST request. Combining the two, Base64 encoding the result and injecting it as the SESSID cookie gives a cookie the server accepts, so a valid OTP is never needed.

Here’s the crafted session cookie process:

PIDM=1234724
WEBID=BVNXF7
Combined: BVNXF71234724
Base64: QlZOWEY3MTIzNDcyNA==

The crafted value is then supplied as SESSID, either by injecting a Set-Cookie header into the intercepted response or by setting the cookie directly in the browser; the server cannot tell it apart from one it issued itself.

Observing Redirection to Dashboard:

After entering a valid OTP code, I noticed the server response contained a plain client-side meta refresh to the dashboard:

<HTML>
<HEAD>
<meta http-equiv="refresh" content="0;url=/app/dashboard?welcome=true">
</HEAD>
</HTML>

Here are the detailed steps to exploit the vulnerability:

Log in with Valid Credentials:

Enter valid credentials on the login page to be redirected to the OTP page.

Submit Any OTP:

Enter any number in the OTP input field and capture the POST request in an intercepting proxy. Note the VerC parameter (the random OTP) and, next to it, the PIDM and WEBID parameters.

Crafting the Session Cookie:

Combine the WEBID and PIDM values from the captured request and Base64 encode the result:

BVNXF71234724
Base64: QlZOWEY3MTIzNDcyNA==

Use this Base64 encoded string as the session cookie.

Manipulating the Response:

Forward the POST request, intercept the server's response in the proxy and add the crafted cookie to it:

Set-Cookie: SESSID=QlZOWEY3MTIzNDcyNA==

Because the response only tells the browser what to store, setting the cookie directly in the browser has exactly the same effect.

Access the Dashboard:

With the crafted SESSID in place, the browser follows the redirect and the dashboard loads normally, effectively bypassing the OTP verification: the dashboard checks only that the cookie decodes to a known WEBID and PIDM, not that the OTP step was ever passed.
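The following is an added example, not code from the original write-up or from the affected application. It models the behaviour described above in a few lines of Python: `craft_session_cookie` reproduces the observed cookie from WEBID and PIDM, `VulnerableApp` accepts any cookie of that form regardless of whether the OTP check passed, and `HardenedApp` shows the fix a reviewer would ask for. The class names, the sample OTP value 482913 and the way the vulnerable dashboard validates the cookie are assumptions made for the demonstration; the WEBID, PIDM and cookie values are the ones quoted in the article.

```python
import base64
import hmac
import secrets

# Values quoted in the write-up (WEBID + PIDM -> Base64 -> SESSID).
WEBID = "BVNXF7"
PIDM = "1234724"
OBSERVED_COOKIE = "QlZOWEY3MTIzNDcyNA=="


def craft_session_cookie(webid: str, pidm: str) -> str:
    """Reproduce the vulnerable cookie: Base64(WEBID + PIDM), no secret involved."""
    return base64.b64encode((webid + pidm).encode("ascii")).decode("ascii")


def decode_session_cookie(cookie: str) -> str:
    """Inverse of craft_session_cookie; raises on malformed input."""
    return base64.b64decode(cookie, validate=True).decode("ascii")


class VulnerableApp:
    """Assumed model of the described server: the session cookie is derived from
    request parameters, and the dashboard trusts any cookie that decodes to a
    known WEBID/PIDM pair. Passing the OTP step is never recorded anywhere."""

    def __init__(self, known_users):
        self.known_users = set(known_users)  # {(webid, pidm), ...}

    def verify_otp(self, webid, pidm, verc, expected_otp):
        if verc != expected_otp:
            return None  # server issues no cookie on a wrong OTP ...
        return craft_session_cookie(webid, pidm)  # ... but the attacker can compute it

    def dashboard(self, cookie) -> bool:
        try:
            raw = decode_session_cookie(cookie)
        except Exception:
            return False
        return any(raw == w + p for (w, p) in self.known_users)


class HardenedApp:
    """Fix (my suggestion, not the vendor's): mint a random token only after the
    OTP is verified, keep the mapping server-side, and compare the OTP in
    constant time. A cookie the attacker computes is simply not in the store."""

    def __init__(self):
        self.sessions = {}  # token -> (webid, pidm)

    def verify_otp(self, webid, pidm, verc, expected_otp):
        if not hmac.compare_digest(verc.encode(), expected_otp.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (webid, pidm)
        return token

    def dashboard(self, cookie) -> bool:
        return cookie in self.sessions


def demo():
    """Returns (vulnerable_bypassed, hardened_bypassed, hardened_legit_ok)."""
    forged = craft_session_cookie(WEBID, PIDM)
    real_otp = "482913"  # constructed sample OTP

    vuln = VulnerableApp({(WEBID, PIDM)})
    vuln.verify_otp(WEBID, PIDM, "000000", real_otp)  # wrong OTP, no cookie issued
    vulnerable_bypassed = vuln.dashboard(forged)      # forged cookie still works

    hard = HardenedApp()
    hard.verify_otp(WEBID, PIDM, "000000", real_otp)  # wrong OTP, no session created
    hardened_bypassed = hard.dashboard(forged)        # forged cookie is unknown
    token = hard.verify_otp(WEBID, PIDM, real_otp, real_otp)
    hardened_legit_ok = hard.dashboard(token)
    return vulnerable_bypassed, hardened_bypassed, hardened_legit_ok


if __name__ == "__main__":
    print("crafted cookie matches article:", craft_session_cookie(WEBID, PIDM) == OBSERVED_COOKIE)
    print("vulnerable bypassed, hardened bypassed, hardened legit:", demo())
```

The point of the hardened version is that the cookie no longer carries or derives from anything the client knows: it is a random lookup key into state the server created only after the OTP check succeeded, so there is nothing for an attacker to craft.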
