This is how I bypassed the 2FA page on a big site…


Bar_0_0_n

In the name of Allah, the Most Gracious, the Most Merciful.

Hello everyone, I am Yousef. I have just started my journey of learning bug bounty. While I was studying the response manipulation technique for bypassing authentication controls such as CAPTCHA and 2FA pages, I liked to practice on real sites, and I found that the site I was practicing on (let's say it's mysite[.]com) returns a JSON response for most of its authentication page inputs.

So when I saw the 2FA page, I first thought of trying brute-forcing, since the site did not have a rate limit or a maximum number of tries for the 2FA page, but I found that the site sends the request encrypted.

So I thought of OTP reuse (using the OTP code sent to the attacker account for the victim's login), but that didn't work either.

But I found something in the response body after entering a false OTP.

That means the site decides whether or not to let the person in based on the response from the OTP verification API.

That made me think: if I could capture the response body for the correct OTP and put it in place of the wrong-OTP response, it might work. But it didn't :(

Now I was facing a little problem.

The response came with a token as a parameter in a field called “CallBackPage”: “mysite.com/login/landingpage?tk=<some token>”.

The problem is that the token is single-use: after logging in with it, the server destroys it.

Now I needed a fresh token to bypass the 2FA page, so I created a new account (let's say “Attacker”), enabled 2FA for it, and logged in with it. The site sent an OTP to my email; I entered it on the 2FA page, intercepted the response, copied the token from it, then dropped the response so the server couldn't destroy my token. Now I had a fresh token.

I tried to log in to the victim's account, entered a random number on the 2FA page, intercepted the response, and replaced it with the body of the valid response, this time with a valid token.

And boom, we bypassed it.
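Two server-side weaknesses make this chain work: the client is trusted to act on the OTP API's JSON response, and the landing token in “CallBackPage” is not tied to the account and session that actually passed 2FA, so a token minted for the attacker's account is accepted in the victim's session. The following is an added example (not mysite.com's code; only the field names “CallBackPage” and “tk” come from the write-up, the class, method names and storage layout are assumed) showing a toy 2FA flow that records the OTP decision server-side and binds each landing token to the session and user it was issued for, then replays the write-up's steps against it.

```python
import secrets
import time

# Constructed example of a 2FA flow that resists the response-manipulation and
# cross-account token replay described in the write-up. Not mysite.com's code:
# "CallBackPage" and "tk" follow the write-up, everything else is assumed.

TOKEN_TTL_SECONDS = 300  # assumed lifetime of a landing token


class TwoFactorServer:
    """Server-side state for login sessions, pending OTPs and landing tokens."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": str, "mfa_passed": bool}
        self.otps = {}      # user -> OTP the server emailed for this login
        self.tokens = {}    # landing token -> binding record

    def start_login(self, user, emailed_otp):
        """Password step succeeded; open a session that still needs 2FA."""
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"user": user, "mfa_passed": False}
        self.otps[user] = emailed_otp
        return session_id

    def verify_otp(self, session_id, submitted_otp):
        """OTP verification API. The decision lives in server-side session
        state, so a client that rewrites this JSON response gains nothing."""
        session = self.sessions[session_id]
        expected = self.otps.get(session["user"], "")
        if not secrets.compare_digest(expected, submitted_otp):
            return {"status": "error"}
        session["mfa_passed"] = True
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {
            "user": session["user"],
            "session": session_id,  # bound to the session that passed 2FA
            "expires": time.time() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return {"status": "success",
                "CallBackPage": f"/login/landingpage?tk={token}"}

    def landing_page(self, session_id, token):
        """Return True only if this session may be logged in with this token."""
        record = self.tokens.get(token)
        session = self.sessions.get(session_id)
        if record is None or session is None:
            return False
        if record["used"] or record["expires"] < time.time():
            return False
        # The token must belong to this very session and user, and the session
        # itself must have passed 2FA; a token minted for another account fails
        # even if it was never consumed (e.g. the response was dropped).
        if record["session"] != session_id or record["user"] != session["user"]:
            return False
        if not session["mfa_passed"]:
            return False
        record["used"] = True  # single use, consumed only on success
        return True


def cross_account_replay_blocked():
    """Replay the write-up's steps: the attacker completes 2FA on their own
    account and keeps the token unconsumed, then presents it in the victim's
    session, which has only submitted a wrong OTP. Returns True if rejected."""
    server = TwoFactorServer()
    attacker_sid = server.start_login("attacker", "111111")
    attacker_token = server.verify_otp(attacker_sid, "111111")["CallBackPage"].split("tk=")[1]

    victim_sid = server.start_login("victim", "654321")
    server.verify_otp(victim_sid, "000000")  # wrong guess; a faked "success" body changes nothing
    return not server.landing_page(victim_sid, attacker_token)


def legitimate_flow_succeeds():
    """The real user enters the correct OTP; the token works exactly once."""
    server = TwoFactorServer()
    sid = server.start_login("victim", "654321")
    token = server.verify_otp(sid, "654321")["CallBackPage"].split("tk=")[1]
    first = server.landing_page(sid, token)
    second = server.landing_page(sid, token)  # replay of a consumed token
    return first, second


if __name__ == "__main__":
    print("cross-account replay blocked:", cross_account_replay_blocked())
    print("legitimate flow (first, replay):", legitimate_flow_succeeds())
```

The binding check in `landing_page` is what closes the gap the write-up exploited: dropping the attacker's response keeps the token alive, but it is still only valid for the attacker's own session and user, so it cannot finish the victim's login.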

Unfortunately, the bug was a duplicate :(

But I had a lot of fun fighting with this bug 😂.

Wish me luck finding more bugs, because I think I've started to fall in love with this work.
