Account Takeover via Response Manipulation
Hello everyone I am Abhishek pal here with my First blog ,In this blog I am going to give details about an easy P1 bug I encountered while hunting.
So let’s proceed to the exploitation part now.
Let’s consider our target as Redacted.com.
“Because it’s a private invitation /program“
It had so many features including ability to create groups add Users, and so many other features, and I love to test website with ability to create groups as it opens a big window for vulnerabilities .
So initially I tested for bugs like HTML , XSS, CSRF, IDOR everything , didn’t find much success sadly. Later I noticed they have a 2fa function .With 2fa user is able to login and reset his password also.
So, I think I perform an Response Manipulation attack.
First I go to login page and Enter my credentials which redirect me to 2FA page. I insert an random OTP and With the help of burp suite and capture the request on the burp suite.
Right click on the request and Send request to the response, Response Like
I just change the response “error”:false to “error”:true.
This lead to bypass the 2fa . Now i know that it is any valid issue and i reported instantly. After i report it then i memorized that the forget password functionality is also on OTP.
I click on Logout and click on the forget password feature. Enter the email id and it Gave me a option that from which you want to reset you password like 2FA Code, Email OTP , Phone Number OTP.
I choose the 2FA code and Again it redirect me to the OTP page, Insert an random OTP 000000 and capture the request with the help of Burp suite .
Right click on the request and send the request to the response .
In response again I changed the error [ false to true ] and Website redirect me to the new password page. I changed the password.
I got excited again as I got a feeling that here that Authentication Bypass could work, I immediately entered the victim email and repeated all steps and guess what i was able to change password of anyone without any interaction at all within seconds by just a simple manipulation in response
I reported 2FA bypass in P3 severity and Authentication Bypass in P1 severity. Both vulnerability Got Accepted and rewarded.
Timeline:
Bug Reported: 7 May 2022
Bug Triaged: 7 May 2022
Bounty Rewarded: $2500Tip: Always Understand The workflow of website, Make it very Simple
