Removing request parameter to Bypass OTP verification

SRLSEC 🇮🇳
3 min read · Sep 19, 2021

Hello everyone, this is my fifth blog post about bug hunting. If you want to read my previous four posts about my findings, click on the following link.

Today I am going to talk about an OTP verification bypass that I found on an e-commerce website. I started by testing for technical vulnerabilities like XSS and SQL injection, but no issues were found.

During the testing process I found five bugs:

  • Weak Password Policy at Password Change
  • No Rate Limit on Forgot Password, leading to massive email flooding
  • Email Enumeration via Password Reset
  • Mobile number Enumeration via User Signup
  • Missing Session Invalidation after Password Reset

But these are not critical findings. So I then looked for business logic vulnerabilities and, fortunately, the target was vulnerable to an OTP verification bypass.

Bypass OTP verification in account registration process

1. Make a request to https://target.com/profiles-add/, enter a username, email, password, and mobile number (+910000000000), and click on Register.

2. Then enter a random 6-digit OTP (000000) and click on Verify. Capture the request in Burp Suite.

3. Remove the result_ids parameter together with its value and forward the request to the server.

4. The profile is now created and the mobile number is marked as verified without a valid OTP.

Impact

An attacker is able to create a profile with any mobile number, and can also create multiple profiles using the same mobile number.

HOPE YOU LIKE IT : )

Offensive Web Application Security | Python Developer | Network Engineer