Response manipulation to Account takeover
Hello everyone, I am back again with another blog. In this blog I am going to tell you about an easy P1 bug I encountered while hunting.
Before proceeding to the reproduction phase, we need to know a little about Authentication Bypass.
So What is Auth Bypass?
Authentication Bypass is a dangerous class of vulnerability found in web applications. The attacker gets past a control the application relies on to verify identity, such as an OTP, CAPTCHA, 2FA or email verification, without actually satisfying it.
The result can be a complete account takeover of the victim.
So let's get to it.
Let's consider our target as AnonY0gi.com.
It's an ecommerce site, so I tried to find logic flaws in payments and carts, CSRF, XSS, host header injection, but didn't get any success. One thing: our target AnonY0gi.com's Hall of Fame is a large list, and it's also a very old program. Hmm, so things will not be easy.
OK, one of the features of the site is that we can log in through OTP, and also in password reset we need the right OTP to change the password, so I immediately tried to bypass the OTP in login but didn't get any result.
OK, now I went to Forgot Password, typed my email and sent the password reset OTP.
Back in the mailbox we get the OTP, and after typing the right OTP I intercepted the response to that request, and I got something interesting in the JSON.
The JSON data in the response looks like this:
Next I typed a wrong OTP, and also intercepted the response to this request.
The JSON data looks like this now:
OK, so what if I change all of this to the correct JSON data from the previous one?
I changed the status from fail to success, added user_id and the redirection URL, and forwarded the response.
And YES, I was able to change the password of that user, and we successfully bypassed the OTP.
OK, you must be thinking: but how will I get the victim's user_id, right? That is unknown to us.
Fortunately I was able to bypass rate limiting on the site, and hence by brute-forcing we can get the right user_id.
Did I try for IDOR by replacing the user_id with a different account's id? Yes, I did that, but with no success.
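The root cause is that the server let the client decide the outcome of the OTP check: the password-change step trusted a status flag and a user_id that had come back to the browser, so rewriting the failure response in the proxy was enough. Below is an added example, not the target's code and not from the original post; it models both flows in Python with a constructed in-memory store and made-up names (request_reset, vulnerable_verify_otp, hardened_verify_otp, hardened_change_password and so on are assumptions, as are the TTLs and attempt limit). The hardened version keeps the proof of verification on the server as a single-use reset token, never returns user_id to the client, and locks the OTP after a fixed number of wrong attempts, which also closes the brute-force path mentioned above.

```python
"""Toy model of an OTP-gated password reset: response-manipulation flaw and a fix.

Added example for this post. Not AnonY0gi.com's code; the data model, function
names, limits and the in-memory "database" below are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300          # assumption
RESET_TOKEN_TTL_SECONDS = 600  # assumption
MAX_OTP_ATTEMPTS = 5           # assumption

# Constructed in-memory store standing in for the site's real database.
USERS = {"victim@example.com": {"user_id": 1001, "password_hash": None}}
OTPS = {}          # email -> {"otp", "expires", "attempts"}
RESET_TOKENS = {}  # token -> {"user_id", "expires"}


def _hash_password(password: str) -> str:
    # Placeholder so the example runs; use argon2/bcrypt/scrypt in real code.
    return hashlib.sha256(password.encode()).hexdigest()


def _wrong_otp(otp: str) -> str:
    """A 6-digit value guaranteed to differ from the real OTP (for the demo)."""
    return f"{(int(otp) + 1) % 10**6:06d}"


def request_reset(email: str) -> str:
    """Issue a 6-digit OTP. Returned instead of emailed so the example runs offline."""
    otp = f"{secrets.randbelow(10**6):06d}"
    OTPS[email] = {"otp": otp, "expires": time.time() + OTP_TTL_SECONDS, "attempts": 0}
    return otp


# Vulnerable flow: the server reports the result to the browser and then trusts
# whatever the browser sends next. The page only redirects on status == "success",
# which is exactly the field an intercepting proxy lets the attacker rewrite.
def vulnerable_verify_otp(email: str, otp: str) -> dict:
    rec = OTPS.get(email)
    if rec and hmac.compare_digest(rec["otp"], otp):
        return {"status": "success", "user_id": USERS[email]["user_id"],
                "redirect_url": "/reset-password"}
    return {"status": "fail"}


def vulnerable_change_password(user_id: int, new_password: str) -> bool:
    """No server-side proof that an OTP was ever verified for this user_id."""
    for user in USERS.values():
        if user["user_id"] == user_id:
            user["password_hash"] = _hash_password(new_password)
            return True
    return False


# Hardened flow: proof of verification lives on the server as a random, single-use
# reset token bound to the user. A forged "success" response gives the attacker
# nothing the password-change endpoint will accept, and user_id is never exposed.
def hardened_verify_otp(email: str, otp: str) -> dict:
    rec = OTPS.get(email)
    if rec is None or time.time() > rec["expires"]:
        OTPS.pop(email, None)
        return {"status": "fail"}
    rec["attempts"] += 1
    if rec["attempts"] > MAX_OTP_ATTEMPTS:  # lockout: kills OTP brute force
        del OTPS[email]
        return {"status": "fail"}
    if not hmac.compare_digest(rec["otp"], otp):
        return {"status": "fail"}
    del OTPS[email]  # the OTP is single use
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {"user_id": USERS[email]["user_id"],
                           "expires": time.time() + RESET_TOKEN_TTL_SECONDS}
    return {"status": "success", "reset_token": token}


def hardened_change_password(reset_token: str, new_password: str) -> bool:
    rec = RESET_TOKENS.pop(reset_token, None)  # pop: the token is single use
    if rec is None or time.time() > rec["expires"]:
        return False
    for user in USERS.values():
        if user["user_id"] == rec["user_id"]:  # identity comes from the token, never the client
            user["password_hash"] = _hash_password(new_password)
            return True
    return False


def demo() -> dict:
    """Replay the attack from the post against both flows and return the outcomes."""
    email, out = "victim@example.com", {}
    # 1. Vulnerable flow: wrong OTP, response rewritten to "success" + user_id in the proxy.
    real = request_reset(email)
    out["vuln_fail_status"] = vulnerable_verify_otp(email, _wrong_otp(real))["status"]
    forged = {"status": "success", "user_id": 1001, "redirect_url": "/reset-password"}
    out["vuln_takeover"] = vulnerable_change_password(forged["user_id"], "attacker-pw")
    # 2. Hardened flow: the forged response carries no server-issued token.
    real = request_reset(email)
    out["hard_fail_status"] = hardened_verify_otp(email, _wrong_otp(real))["status"]
    out["hard_forged"] = hardened_change_password("", "attacker-pw")
    out["hard_guessed"] = hardened_change_password(secrets.token_urlsafe(32), "attacker-pw")
    for _ in range(MAX_OTP_ATTEMPTS - 1):          # exhaust the remaining attempts
        hardened_verify_otp(email, _wrong_otp(real))
    out["hard_locked_out"] = hardened_verify_otp(email, real)["status"]  # even the real OTP fails now
    # 3. Hardened flow: the legitimate user still gets through, exactly once.
    real = request_reset(email)
    resp = hardened_verify_otp(email, real)
    out["hard_legit_status"] = resp["status"]
    out["hard_legit_change"] = hardened_change_password(resp["reset_token"], "new-pw")
    out["hard_token_reuse"] = hardened_change_password(resp["reset_token"], "again")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check a tester would run against a real target follows from the same model: after a wrong OTP, rewrite the response to the success shape and see whether the next step (the password-change request) is accepted. If it is, the server is trusting client state; the fix is the token-bound change endpoint above, not tighter client-side JavaScript.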
Anyway, I was very happy after finding such a logic flaw in the application, and I immediately reported the bug to the security team.
Two days later I got this:
And my heart broke, since it was my first P1 and it turned out to be a duplicate.
Anyway, if you liked the blog and it was helpful for you, like my post and follow me on Twitter: https://twitter.com/AnonY0gi
Good Night, Shabba Khair Kailash Kher. Wish you a happy married life.