Another Way to Bypass an OTP Scheme: A Weak Signup Flow Lets an Attacker Take Over an Existing User Account!

Greetings everyone! In today's blog we discuss another way to bypass an OTP scheme and how we were able to bypass the OTP check of our target website. OTP is an extra layer of protection; if it can be defeated, the result is an account takeover (ATO) of any user.

In our previous blog we saw how response manipulation can bypass an OTP scheme. This time we encountered how a business logic flaw and a weak signup flow allowed us to take over an existing user's account.

Description of the finding:

During our testing we came across xyz.target.com, which has signup functionality. The victim had already signed up with his credentials and could access his account. We then found a weakness: an attacker can sign up again with the same credentials. The site then asks for an OTP, which is sent to the victim's phone, and the attacker can bypass that OTP check and gain access to the victim's existing account.

Walk-through:
  1. Sign up as the victim on xyz.domain.com. It asks for your phone and email. After a successful signup it sends an OTP to the registered phone; entering that OTP validates the signup and gets you into the victim's account.

We have already validated the OTP as the victim, and the victim successfully gets into his account.

Don't be confused, we are going to bypass the OTP now! Wait and have a drink first ->

  2. Now, as the attacker, sign up again on xyz.domain.com with the same credentials as the victim, i.e. the victim's email and phone.

The signup succeeded without any error, and again an OTP was sent to the victim.

  3. Now enter a random OTP, capture the request in Burp, and intercept the response for this host.

Request:

    PUT /api/v2/users/activate HTTP/1.1
    Host: xyz.domain.com
    X-Forwarded-Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json
    Content-Length: 76
    Connection: close

    {"country_code":"MY","username":"[email protected]","token":"534822"}

Response to that request:

    HTTP/1.1 422 Unprocessable Entity
    Date: Fri, 09 Apr 2021 10:08:12 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 81

    {"code":40001,"message":"You're unauthorized to access this resource.","meta":{}}

As seen above, the response is an error: the OTP could not be validated because we entered a random value.

Now change the response status from 422 to 200 OK and change the body to:

    {"data":{"member_type_code":"INV"},"message":"Success"}

The OTP confirmation is now bypassed: the client accepts the forged "Success" response and continues as if the OTP had been verified.

  4. The attacker can now access the page the victim reached in step 1, so a bad actor can easily take over the victim's account.

That is all for our second OTP bypass write-up, based on a case we recently encountered.

Mitigation against the risk:

Check properly whether the user already exists on your platform, and do not allow a second signup with the same credentials (email or phone).

Validate the OTP result on the server side as well as the client side: the decision to activate the account and grant access must come from server-side state, because anyone with an intercepting proxy can rewrite the response the client sees.
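To make both mitigations concrete, here is a small server-side model of the signup -> activate -> account flow described in the walk-through above, written in Python. This is an added example, not code from the original post or from the tested site: the service class, the `sms_outbox` stand-in for an SMS gateway, the session store and the sample identities (`victim@example.com`, the phone number) are all constructed for illustration. It replays the walk-through against a hardened backend: the duplicate signup is refused, the OTP is checked on the server with expiry and an attempt limit, and the protected page only honours a session the server itself created after a successful OTP check, so rewriting 422 to 200 in a proxy grants nothing.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OTP_TTL_SECONDS = 300   # an OTP is valid for five minutes
MAX_OTP_ATTEMPTS = 5    # after that the OTP is burned and must be re-issued


def _hash_otp(otp: str) -> bytes:
    # Store only a digest so a leaked database row does not reveal live OTPs
    return hashlib.sha256(otp.encode()).digest()


@dataclass
class User:
    username: str
    phone: str
    activated: bool = False
    otp_hash: Optional[bytes] = None
    otp_expires: float = 0.0
    otp_attempts: int = 0


class AccountService:
    """Constructed server-side model of signup -> activate -> protected page."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, str] = {}             # session token -> username
        self.sms_outbox: List[Tuple[str, str]] = []    # stands in for the SMS gateway

    def signup(self, username: str, phone: str) -> Tuple[int, dict]:
        # Mitigation 1: an email or phone already on the platform cannot sign up again
        if username in self.users or any(u.phone == phone for u in self.users.values()):
            return 409, {"message": "An account with these credentials already exists."}
        user = User(username=username, phone=phone)
        otp = f"{secrets.randbelow(10**6):06d}"
        user.otp_hash = _hash_otp(otp)
        user.otp_expires = self.clock() + OTP_TTL_SECONDS
        self.users[username] = user
        self.sms_outbox.append((phone, otp))   # only the phone's owner receives this
        return 201, {"message": "OTP sent"}

    def activate(self, username: str, token: str) -> Tuple[int, dict, Optional[str]]:
        """Server-side counterpart of PUT /api/v2/users/activate: (status, body, session)."""
        denied = (422, {"code": 40001, "message": "You're unauthorized to access this resource."}, None)
        user = self.users.get(username)
        if user is None or user.activated or user.otp_hash is None:
            return denied
        if self.clock() > user.otp_expires:
            user.otp_hash = None          # an expired OTP can never be redeemed
            return denied
        user.otp_attempts += 1
        if user.otp_attempts > MAX_OTP_ATTEMPTS:
            user.otp_hash = None          # too many guesses: burn the OTP
            return denied
        if not hmac.compare_digest(user.otp_hash, _hash_otp(token)):
            return denied
        # Mitigation 2: activation and the session are created only here, after the
        # server verified the OTP; the client cannot conjure them by editing a response
        user.activated = True
        user.otp_hash = None
        session = secrets.token_urlsafe(32)
        self.sessions[session] = username
        return 200, {"data": {"member_type_code": "INV"}, "message": "Success"}, session

    def get_account(self, session: Optional[str]) -> Tuple[int, dict]:
        # The protected page trusts server-side session state, not the status the browser saw
        username = self.sessions.get(session or "")
        if username is None:
            return 401, {"message": "Login required"}
        return 200, {"username": username, "phone": self.users[username].phone}


def demo() -> dict:
    """Replays the walk-through against the hardened service (constructed identities)."""
    svc = AccountService()
    victim, phone = "victim@example.com", "+60-00-000-0000"   # constructed placeholders
    svc.signup(victim, phone)
    otp = svc.sms_outbox[-1][1]                  # step 1: the victim reads the SMS
    victim_status, _, victim_session = svc.activate(victim, otp)

    attacker_signup, _ = svc.signup(victim, phone)               # step 2: same credentials
    attacker_status, _, attacker_session = svc.activate(victim, "534822")   # step 3: random OTP
    # Forging "200 Success" in the proxy does not create a server-side session, so step 4 fails
    attacker_page, _ = svc.get_account(attacker_session)

    return {
        "victim_activate": victim_status,
        "victim_page": svc.get_account(victim_session)[0],
        "attacker_signup": attacker_signup,
        "attacker_activate": attacker_status,
        "attacker_page": attacker_page,
    }


if __name__ == "__main__":
    print(demo())
```

The key design point is that `activate` is the only place a session is minted, and only after `hmac.compare_digest` succeeds on the server; the page the attacker is "shown" after editing the response is just a rendered template, and every request for real account data is gated by `get_account`, which consults the server's session store.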

CONCLUSION: We have seen how a weak signup flow combined with response manipulation allows an attacker to take over any user's account. I hope you enjoyed it and learned something new!

Thanks for reading. See you in another blog!

Stick with our blog: https://securiumsolutions.com/blog/

Author: Pallab Jyoti Borah | VAPT Analyst
