Simple Authentication Bypass By Response Manipulation.


praveenarsh0xx0

Hello team, this is praveenarsh, a security researcher and bug hunter; follow me on Instagram @cybersec_praveenarsh. I found a neat OTP bypass that leads to a full authentication bypass. I hope this blog gives you some useful knowledge. Let's start. Buy me a coffee if you like my blogs.

Buy me Coffee: https://buymeacoffee.com/praveenarsh0xx0

Introduction:

Let's call my target target.com. I started with the main domain, because it looked a bit suspicious to me: they don't even use Cloudflare. :)

Recon:

My target lets you create an account with an email address, and I noticed there is no email verification at sign-up. That didn't help for long, though: once the account is created you have to verify it via your mobile number using an OTP.

Every bug hunter knows what comes next when a target has OTP verification: try to bypass it. I entered my mobile number, captured the request in Burp and checked whether the OTP leaked anywhere in the request or in the response; it did not. I then received the 4-digit OTP on my phone, deliberately entered a wrong one and watched what came back: a "422 Unprocessable Entity" response, which is effectively a rejection, much like a 403 Forbidden.

Time to tamper. I changed the response status to 200 OK and erased the error message. The edited response looked like this:

HTTP/2 200 OK
Date: Sat, 03 Aug 2024 17:50:35 GMT
Content-Type: application/json
Content-Length: 67
X-Frame-Options: DENY
Vary: Cookie
Set-Cookie: im_logged_in=68f8f5b925544fac81db0f9b9dcc0067; Domain=XXXX.com; expires=Sun, 03 Aug 2025 17:50:35 GMT; HttpOnly; Max-Age=31536000; Path=/; Secure
Set-Cookie: csrftoken=N27F2AVFpdkJYwLKgl8xlwtq1LyaeudKcploTw9C3829vKbVcJhJ8N3xYzgVca7q; expires=Sat, 02 Aug 2025 17:50:35 GMT; Max-Age=31449600; Path=/; Secure
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
P3p: CP="XXXX.com does not have a P3P policy"
Cf-Cache-Status: DYNAMIC
Server: cloudflare
Cf-Ray: 8ad8269d6aae7fa9-MAA
Alt-Svc: h3=":443"; ma=86400

Attempts:

Nothing happened; the page still said the OTP was invalid. I tried again with 200 OK, this time looking at the body, which carried an error flag: {"error": 1, "message": "This OTP is not valid. Please try again."}. What if I changed it to "error": 0 and cleared the message? Still nothing. So I thought about it once more: what exactly does the front end expect from the server?

One last try. I entered a wrong OTP, intercepted the response, and this time changed all three things at once: status 200 OK, "error": 0, and a success message in the body: {"error": 0, "message": "This OTP is valid."}. After that I was redirected to my dashboard without any restrictions.

So the front end was deciding whether the OTP step had passed from the content of the response, specifically the "message" field, and not from the status code alone. The important part is what happened next: nothing on the server side stopped the dashboard from being served to an account whose OTP check had never actually succeeded, so the client-side redirect was all it took.

Reported:

After I reported it, they accepted the bug, responded within a week and awarded me some nice swag.

Thanks for reading, and I hope my blogs help you.
