OTP bypass via response manipulation
Hello everyone I’m Jan Jeffrie Salloman, I started bug hunting 1 year ago. This writeup is about an OTP bypass using response manipulation. Again, I want to say sorry about my grammar lol, just correct me if I have mistakes. I hope you will learn from this writeup.
Since the target is private, I will not disclose their website. I will also provide images for you to understand my explanation. Just like a normal website, the target has login and signup forms. When I test a target, I have a habit where I always manipulate response, If it shows 4XX 5XX codes, I’m always changing it to 200 OK and see if it bypasses the error. This bypass occurred in OTP during signup.
This is the signup page, as you can see there is step 1 of 4 in the top, you cannot go to step 2 without putting the correct OTP.
Lets try to put random numbers on the OTP.
When I put wrong OTP, this error shows.
As I said a while ago, I have a habit where I always manipulate response. So what if I manipulate the response from the error above?
This is the response from wrong OTP, it shows 422 Unprocessable Entity. This is where we put the 200 OK, change the 422 Unprocessable Entity to 200 OK and see if it bypasses the OTP(other responses will show 5XX status codes).
This is how you change the 422 Unprocessable Entity status code to 200 OK.
And there you go, we are on step 2 of 4 by changing the status code. The OTP is bypassed successfully.
Sadly this report is duplicate but its OK. If you have any questions just comment below.
Tip: Always try to intercept and manipulate response, sometimes response shows the OTP(I’ve already experienced it :D).