This is my first 4-digit bounty in $$$$, and I was really excited when I discovered a simple yet critical vulnerability in one of the private programmes.
This attack is very similar to https://thehackernews.com/2016/03/hack-facebook-account.html; the only difference is that the attack was on the login functionality itself.
Login mechanism: enter the mobile number, and the user receives an OTP. Enter the OTP and log in to the web application.
The flaw was that rate limiting was not in place, which gave an attacker endless opportunities to brute force the 6-digit code and log in to any account.
Response for Valid OTP
Response for invalid OTP
So now we had two different responses for a valid and an invalid OTP during the authentication process.
I then checked in Intruder whether rate limiting was present and whether it could be bypassed — just following the bug hunting strategy (doubt everything in front of you).
And NO RATE LIMITING even after 50 wrong attempts :)
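A defender-side counter-measure for the flaw above, added here as an example and not part of the original write-up: an OTP verifier that caps wrong guesses per phone number, invalidates the code once that budget is spent, expires it after a time limit, and returns the same failure result on every rejected attempt so valid and invalid codes cannot be told apart from the response. The class names, the policy constants and the sample phone number are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # same code length as in the write-up
MAX_FAILURES = 5        # wrong guesses allowed per issued code (assumed policy)
OTP_TTL_SECONDS = 300   # code lifetime in seconds (assumed policy)


@dataclass
class IssuedOtp:
    code: str
    issued_at: float
    failures: int = 0


class OtpService:
    """Illustrative server-side OTP login that limits guesses per phone number."""

    def __init__(self, now=time.time):
        self._now = now                        # injectable clock for testing
        self._pending: dict[str, IssuedOtp] = {}

    def issue(self, phone: str) -> str:
        # Cryptographically random code; a real service sends it by SMS instead of returning it
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[phone] = IssuedOtp(code=code, issued_at=self._now())
        return code

    def verify(self, phone: str, submitted: str) -> bool:
        """Every failure path returns the same False so responses are indistinguishable."""
        rec = self._pending.get(phone)
        if rec is None:
            return False
        if self._now() - rec.issued_at > OTP_TTL_SECONDS:
            del self._pending[phone]           # expired: user must request a fresh code
            return False
        if hmac.compare_digest(rec.code, submitted):
            del self._pending[phone]           # single use: a code never verifies twice
            return True
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            del self._pending[phone]           # guess budget exhausted: code invalidated
        return False
```

With this in place a 6-digit code can absorb at most MAX_FAILURES guesses before it is discarded, so the "certain hundred iterations" described later never reach a valid code.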
I could have exploited it in Intruder, but because most programme handlers are not experts in information security and may or may not know BurpSuite/Intruder — I decided to write up an exploit (I always love presenting things so that the end user gets a fair idea of how it can be exploited in the real world).
Exploit code (this was something similar, with a few parts omitted)
Fire up the exploit and brute force the OTP.
Note: images are just for demo purposes and very much identical to the actual ones; I can't share the original PoC exploit or screenshots.
And voilà, after a certain hundred iterations we were able to log in to the app. I have hidden the cookie part from the exploit code; the cookie was finally replaced in the browser using the cookie editor EditThisCookie (https://github.com/ETCExtensions/Edit-This-Cookie) and the account takeover was complete.
I quickly created the PoC and sent it; it was triaged within hours and fixed in a day!
This was my highest bounty and has boosted my morale to explore this beautiful world of bug hunting.