Authentication Bypass Using Response Manipulation

Akash Solanki
3 min read · Jun 6, 2020


Disclaimer: Techniques mentioned here are collected from the internet. All credit goes to the respective persons.

Hi guys, this is my first article about bug bounty and I hope you will like it. I’m literally a beginner in bug bounty and it’s possible that you will see some mistakes in this article. Feel free to comment or tweet me! Sharing is caring!

What is Broken Authentication?

If the login functionality of your application can be modified or bypassed in some way, this is referred to as broken authentication. It is such a common issue that broken authentication is an entry in the Open Web Application Security Project (OWASP) Top Ten list of web application vulnerabilities.

The weaknesses that allow an authentication mechanism to be broken or bypassed range from the simple to the highly technical. However, with good practice and by incorporating security thinking into your design process, these vulnerabilities are preventable.

Types of broken authentication

There are many ways authentication can be bypassed.

  1. Response manipulation
  2. Brute force
  3. Session flaw
  4. No rate limiting

This website has functionality to unite people around the world, so I started by creating an account to dig deeper into the target. As always, I was intercepting every request to the target. After creating an account I was wandering through the functionalities of the application. Usually I’m pretty interested in finding IDORs, so I decided to take note of the endpoints I had intercepted.

I went back to the registration process of the application to find out if any ID parameter was going in the request, but unfortunately I didn’t find anything. At the end of the registration process, the application asked to verify the user by sending a one-time password (OTP). The application was sending a four-digit OTP to the registered mobile number.

First I tried to brute-force the OTP, but unfortunately the application was blocking the user IP due to rate limiting. When I checked the responses from the server that I got during brute-forcing, it was showing:

Invalid OTP Response

And for the right OTP, it was showing:

Valid OTP Response

Then a thing clicked in my mind: “What if I manipulate the response I’m getting from the server?” I again entered a random OTP, “0000”, sent the request and intercepted the response. In the response body I replaced the message {"Errors": "yes", "Reason": "Invalid OTP."} with {"Errors": "No"}, and I got “Account successfully verified”!!!!

BOOM!!!!!!!!!!!!!!!!!!!!!!!!!!

So finally I was able to bypass the OTP verification process of the application.
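The bypass above works only because the application let the client's view of the verification result decide what happened next. As an added example (not the target application's code, whose backend is not on the page), here is a hypothetical server-side OTP check in which the "verified" flag lives only on the server and is set only when the submitted code matches, so rewriting the JSON reply in a proxy changes what the browser displays but nothing else. It also adds the checks a defender would want around a four-digit code: a per-code attempt budget, an expiry, a one-time use, and a constant-time comparison. The response shapes are the ones quoted in the write-up; the service, constants and user IDs are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example (not from the write-up).
OTP_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 5        # guesses allowed per code before it is discarded


@dataclass
class PendingVerification:
    code: str
    expires_at: float
    attempts: int = 0


class OtpService:
    """Hypothetical backend; keeps all verification state on the server side."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised offline
        self._pending = {}       # user_id -> PendingVerification
        self._verified = set()   # user_ids whose OTP check succeeded

    def issue_otp(self, user_id):
        # Four-digit code, as in the write-up. In production it is sent by SMS and
        # never returned to the browser; it is returned here only so callers can test.
        code = f"{secrets.randbelow(10_000):04d}"
        self._pending[user_id] = PendingVerification(code, self._now() + OTP_TTL_SECONDS)
        return code

    def verify(self, user_id, submitted):
        # Returns the same JSON shapes the write-up quotes, but the outcome is
        # recorded in self._verified, not inferred from the reply by the client.
        pending = self._pending.get(user_id)
        if pending is None:
            return {"Errors": "yes", "Reason": "No OTP pending."}
        if self._now() > pending.expires_at:
            del self._pending[user_id]
            return {"Errors": "yes", "Reason": "OTP expired."}
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]   # a new code must be issued; 10,000 guesses never fit in the budget
            return {"Errors": "yes", "Reason": "Too many attempts."}
        if hmac.compare_digest(pending.code.encode(), str(submitted).encode()):
            del self._pending[user_id]   # one-time: the same code cannot be replayed
            self._verified.add(user_id)  # the only place the flag is ever set
            return {"Errors": "No"}
        return {"Errors": "yes", "Reason": "Invalid OTP."}

    def is_verified(self, user_id):
        # Every later authorization decision reads this, never a client-supplied flag.
        return user_id in self._verified


def tampered_response_changes_nothing(service, user_id, guess):
    """Model the write-up's step: submit a wrong code, then the reply is rewritten in transit.

    Returns (genuine server reply, what the browser is shown, server-side verified state).
    """
    genuine = service.verify(user_id, guess)
    forged = {"Errors": "No"}  # constructed: the edited body the proxy hands to the browser
    return genuine, forged, service.is_verified(user_id)
```

The design point is the last return value: after the edited reply, `is_verified` is still false, and any endpoint that gates on a verified account must call it rather than trust a success message, a redirect or a flag echoed back by the client.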

Special thanks to Pankaj Verma
