How I got a Widget-Dev access of site because of improper authorization

Aadeshnamdev, published in Techiepedia, Jun 27, 2021

Hi everyone

Today I would like to talk about one of my more interesting findings, in which I was able to bypass a Dev admin panel because of improper authorization. Let's get to the main point.

Let's call the target Boom.com. During subdomain enumeration I found one of their subdomains on which they managed widget settings and similar things.

Now the game starts here:

  1. There is a mobile-number login mechanism for admins to get into the admin panel.
  2. I entered my number and waited for the OTP. Nothing arrived!!
  3. So I thought: why not intercept that request and check the response? What I got was a 400 Bad Request with an "invalid otp" body.
  4. Here the game changed. I changed the response code to 200 OK and removed the "invalid otp" response body.

Woahh!! I was redirected to the dashboard and was able to do whatever I wanted.
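The root cause here is that the front end decides "logged in" from the login response alone, and the dashboard APIs never check server-side session state, so a tampered 200 OK is enough. The following is an added example, not the author's code or anything from the target site: it models a phone-OTP admin login with an in-memory server, replays the tampered-response scenario against a vulnerable widget API and a hardened one, and shows that the hardened API still returns 401 because no server-minted session exists. Phone numbers, OTP values, widget names and the `OtpServer` class itself are all constructed for the example.

```python
"""Added example (not the author's code): OTP login with a vulnerable and a hardened
widget API, to show why rewriting a login response must not grant dashboard access.
All phone numbers, OTP values and widget data below are constructed."""
import hmac
import secrets


class OtpServer:
    """Minimal in-memory model of a phone-OTP admin login (constructed, not a real framework)."""

    def __init__(self):
        self.issued_otps = {}   # phone -> OTP the server sent out
        self.sessions = {}      # server-minted session token -> phone

    def send_otp(self, phone):
        """Issue a 6-digit OTP for the phone. Returned here only so the example can drive itself."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.issued_otps[phone] = otp
        return otp

    def verify_otp(self, phone, otp):
        """Return (http_status, body). On success, mint a session token; that token is the
        only thing that should ever grant dashboard access."""
        expected = self.issued_otps.get(phone)
        if expected is None or not hmac.compare_digest(expected, otp):
            return 400, {"error": "invalid otp"}
        del self.issued_otps[phone]          # single use
        token = secrets.token_urlsafe(32)
        self.sessions[token] = phone
        return 200, {"ok": True, "session": token}

    def widgets_vulnerable(self, session_token=None):
        """Vulnerable pattern: the API trusts that the client only calls it after a
        successful login, so it never checks a session."""
        return 200, {"widgets": ["header", "footer", "promo-banner"]}

    def widgets_hardened(self, session_token=None):
        """Hardened pattern: authorization is decided from server-side session state."""
        if session_token not in self.sessions:
            return 401, {"error": "not authenticated"}
        return 200, {"widgets": ["header", "footer", "promo-banner"],
                     "admin": self.sessions[session_token]}


def client_route(status, body):
    """Models the front end's decision: a 200 without an error body sends the user to the
    dashboard. This is exactly the decision a tampered response forges."""
    if status == 200 and "error" not in body:
        return "/dashboard"
    return "/login"


def tampered_login(server, phone, wrong_otp, hardened):
    """Replay the bug report: submit a wrong OTP, then behave as if the intercepted
    response had been rewritten to 200 OK with an empty body."""
    status, _body = server.verify_otp(phone, wrong_otp)
    assert status == 400                         # the real server answer
    forged_status, forged_body = 200, {}         # what the client sees after tampering
    route = client_route(forged_status, forged_body)
    # The forged response carried no server-minted session, so the client has none to send.
    api = server.widgets_hardened if hardened else server.widgets_vulnerable
    api_status, api_body = api(session_token=forged_body.get("session"))
    return {"route": route, "api_status": api_status, "widgets": api_body.get("widgets")}


def legitimate_login(server, phone):
    """Normal flow: correct OTP, session minted, hardened API accepts it."""
    otp = server.send_otp(phone)
    status, body = server.verify_otp(phone, otp)
    api_status, api_body = server.widgets_hardened(session_token=body.get("session"))
    return {"login_status": status, "api_status": api_status,
            "widgets": api_body.get("widgets")}


if __name__ == "__main__":
    s = OtpServer()
    print("vulnerable:", tampered_login(s, "+15550000001", "000000", hardened=False))
    print("hardened:  ", tampered_login(s, "+15550000001", "000000", hardened=True))
    print("legit:     ", legitimate_login(s, "+15550000001"))
```

In both runs the client still lands on `/dashboard`, because the redirect is a client-side decision that cannot be trusted; the difference is that the hardened widget API refuses to serve data without a session the server itself created after a valid OTP. Checking the session on every privileged endpoint, not just on the login page, is the fix.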

Check this blog for the difference between authentication and authorization: HERE

I hope you enjoyed this. Thank you so much for your time.

Have a great bounty life!

Connect with me on Twitter: @aadesh_namdevv (https://twitter.com/aadesh_namdevv)
