Account Takeover By OTP Bypass

ShuttlerTech
2 min read · Feb 3, 2023


Hello, cyber mates, and welcome to my blog. Without wasting time, let me share how I was able to take over an account by bypassing its OTP check.

First, a little about my methodology. Once I found a target to hunt on, I explored the site the way a normal user would, by creating an account.
As usual, I create two accounts with two different users, so that I can test one against the other.

Let's start.
As usual, I was looking for an account takeover. I created the two accounts and clicked on "Forgot password"; after that I checked my mail and found the reset code. At that point, two approaches were running through my mind:

1. Response manipulation

2. OTP brute force, possible because there is no rate limit

First I tried response manipulation. I entered a wrong OTP, captured the request in Burp Suite and looked at the response: it was a 400 Bad Request. I changed the response to 200 OK with a success body, but no luck, the OTP was not bypassed. So I moved on to the second approach: brute forcing the OTP, since nothing limited the number of attempts.

I decided to brute force the OTP because it was only a 4-digit code, so the whole space can be covered in a short time. I requested a new OTP, entered a random value without looking at the real code, captured the request in Burp and sent it to Intruder. There I added a numeric payload from 0000 to 8888 and started the attack.

In the Intruder results, one request came back with status code 200: the OTP had been brute forced successfully. With this bug, any user whose email address is known can be taken over without any interaction from the victim.

Here are the exact steps I wrote in the report.
Steps to reproduce
1. Go to https://www.xyz.com.
2. Choose the password reset option.
3. Enter the victim's email address.
4. Enter a random 4-digit OTP.
5. Capture the request in Burp and send it to Intruder.
6. Create a numeric payload covering the full 4-digit space (0000 to 9999, 10,000 values) and start the attack.
7. The correct guess stands out by its different response length and status code 200 OK.
8. Enter that OTP and change the password of the victim's account.
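To make the root cause and the fix concrete, here is an added Python model of the reset flow. It is example code written for this page, not the target's implementation or the author's Intruder setup: one service checks the 4-digit code with no attempt counter, as the post describes, and a hardened one expires the code, burns it after five wrong guesses, makes it single use and compares in constant time. The brute_force function replays the Intruder attack against both. The class and function names, the limits, the status codes and the sample email address are all assumptions.

```python
"""Model of an OTP-based password reset: the vulnerable behaviour from the
post (4 digits, unlimited attempts) beside a hardened variant.
Hypothetical code for illustration, not the site's implementation."""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 4          # the post's code length: 10**4 = 10,000 candidates
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is invalidated (assumed limit)
OTP_TTL_SECONDS = 300   # code expiry (assumed limit)


@dataclass
class ResetSession:
    otp: str
    issued_at: float
    attempts: int = 0


class VulnerableResetService:
    """Behaves like the target in the post: no attempt counter, no lockout."""

    def __init__(self) -> None:
        self.sessions: dict[str, ResetSession] = {}

    def request_reset(self, email: str, now: float | None = None) -> None:
        # The code itself is random; the only weakness modelled here is unlimited guessing.
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.sessions[email] = ResetSession(otp, time.time() if now is None else now)

    def verify(self, email: str, candidate: str, now: float | None = None) -> int:
        """Returns an HTTP-like status: 200 on success, 400 on a wrong code."""
        session = self.sessions.get(email)
        if session is None:
            return 400
        return 200 if candidate == session.otp else 400


class HardenedResetService(VulnerableResetService):
    """Same flow with an attempt cap, expiry, single use and constant-time compare."""

    def verify(self, email: str, candidate: str, now: float | None = None) -> int:
        now = time.time() if now is None else now
        session = self.sessions.get(email)
        if session is None:
            return 400
        if now - session.issued_at > OTP_TTL_SECONDS:
            del self.sessions[email]          # expired: the user must request a new code
            return 400
        session.attempts += 1                 # count every guess, right or wrong
        if hmac.compare_digest(candidate.encode(), session.otp.encode()):
            del self.sessions[email]          # a code is usable once
            return 200
        if session.attempts >= MAX_ATTEMPTS:
            del self.sessions[email]          # too many guesses: the code is burned
            return 429
        return 400


def brute_force(service: VulnerableResetService, email: str) -> tuple[str | None, int]:
    """Replays the Intruder attack from the post: 0000..9999 in order.
    Returns (code, attempts) on the first 200, or (None, attempts) when the
    service locks us out with a 429 or the whole space is exhausted."""
    for n in range(10 ** OTP_DIGITS):
        candidate = f"{n:0{OTP_DIGITS}d}"
        status = service.verify(email, candidate)
        if status == 200:
            return candidate, n + 1
        if status == 429:
            return None, n + 1
    return None, 10 ** OTP_DIGITS


if __name__ == "__main__":
    victim = "victim@example.com"   # constructed sample input
    weak = VulnerableResetService()
    weak.request_reset(victim)
    print("vulnerable:", brute_force(weak, victim))   # always finds the code within 10,000 tries
    strong = HardenedResetService()
    strong.request_reset(victim)
    print("hardened:", brute_force(strong, victim))   # locked out after MAX_ATTEMPTS guesses
```

Against the vulnerable service the loop always finds the code within 10,000 requests, which is exactly what the Intruder run in the post shows. Against the hardened one the fifth wrong guess returns 429 and the code is gone, so an attacker would have to trigger a fresh reset for every five guesses; that is where a per-account and per-IP limit on reset requests, and a longer or alphanumeric code, belong in a real fix.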

BOOM. Thank you for reading, guys, and always be creative.

Add-on: there is one more approach, brute force combined with SMS forwarding, but most of the time it has not worked for me.


Written by ShuttlerTech

Senior Cyber Security Analyst | YouTuber | Freelancer | Cyber Security Trainer | Penetration Tester | Cyber Forensics Investigator