Account Takeover via login with OTP 🏆

Suraj Bhosale
3 min read · Dec 26, 2020

Hello Guys, I am Suraj Bhosale from Maharashtra, India. This is my first bug bounty write-up, about a bug that allowed a malicious user to take over any account on the target site. It was discovered on a private bug bounty program, so I’m not allowed to reveal the name.

Introduction

Most of the ATOs I have found were actually logical flaws which didn’t really require much technical skill. Basically, it was just a matter of thinking a little bit out of the box.

The Vulnerability

Let’s assume the vulnerable web application was redacted.com.

There were 2 ways for a user to log in to the application: either with a username and password, or with a mobile number and an OTP received on that number.

I decided to test the OTP functionality. If you are an experienced hacker you might know there are many ways to bypass OTP. Here I will be discussing the simplest way to bypass OTP, i.e. by brute-forcing the OTP.

When logging in with mobile, I entered my number and submitted the request. I captured this request in Burp Suite and sent it to Intruder for brute forcing. I observed that after 5 incorrect OTP attempts I got an error: “OTP has expired, please generate a new OTP”. I generated a new OTP and, again after 5 attempts, it gave me the same error. I followed this process multiple times and was able to generate a new OTP ’n’ number of times.

By now your hacker mind should tell you what the exact problem here is. If you are not able to guess, let’s proceed further with the exploitation.

The flaw here is that there is rate limiting when we enter the OTP, but there is no rate limiting when we generate a new OTP.

What the heck, how can I make use of this?

Exploitation

As it was using a 4-digit OTP, it was very easy to brute-force.

Let’s write a Python exploit which will automate everything we have discussed earlier.

In our exploit, I have hardcoded 5 random OTPs, i.e. 1000, 1001, 1002, 1003 and 1004.

There are 10,000 possible four-digit codes that can be formed from the digits 0–9. At some point, the freshly generated OTP will be one of the 5 OTPs we have hard-coded, and we will get in.

When we run the below script it sends 2 POST requests: one to generate the OTP, and the other to enter the OTP, repeated 5 times. So until our script hits the correct OTP, it keeps on executing.

I just need to know the victim’s mobile number, which I can use for exploitation with the below script.

Please note: in the above script, you will need to modify the headers and POST body parameters according to your target.
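To make the flaw and its fix concrete, here is an added Python example (not the author’s exploit script, which is not reproduced here): a constructed in-memory OTP service where `limit_generation=False` reproduces the behaviour described above (verification capped at 5 attempts, regeneration unlimited) and `limit_generation=True` adds the missing per-number cap on code generation. The cap of 3 codes per hour, the `codes_issued_under_abuse` helper and the injectable clock are assumptions for illustration, not values from the target.

```python
import secrets
import time
from collections import defaultdict

OTP_DIGITS = 4
MAX_VERIFY_ATTEMPTS = 5         # observed in the write-up: 5 misses expire the code
MAX_GENERATIONS_PER_WINDOW = 3  # assumed hardening value, not from the page
WINDOW_SECONDS = 3600           # assumed

class OtpService:
    """Constructed in-memory OTP login; limit_generation=False reproduces the flaw."""
    def __init__(self, limit_generation, now=time.time):
        self.limit_generation = limit_generation
        self.now = now                        # injectable clock for testing
        self.codes = {}                       # phone -> [code, attempts_left]
        self.generations = defaultdict(list)  # phone -> timestamps of issued codes

    def generate(self, phone):
        if self.limit_generation:
            t = self.now()
            recent = [ts for ts in self.generations[phone] if t - ts < WINDOW_SECONDS]
            if len(recent) >= MAX_GENERATIONS_PER_WINDOW:
                raise PermissionError("too many OTP requests for this number")
            self.generations[phone] = recent + [t]
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.codes[phone] = [code, MAX_VERIFY_ATTEMPTS]
        return code

    def verify(self, phone, guess):
        entry = self.codes.get(phone)
        if entry is None:
            return False  # no live code: never issued, already used, or expired
        entry[1] -= 1
        ok = secrets.compare_digest(entry[0], guess)
        if ok or entry[1] == 0:
            del self.codes[phone]  # single use; "otp has expired" after 5 misses
        return ok

def codes_issued_under_abuse(service, phone, rounds):
    """Request a code, burn its attempts with a known-wrong guess, repeat.
    Returns how many codes were issued before the service refused."""
    issued = 0
    for _ in range(rounds):
        try:
            code = service.generate(phone)
        except PermissionError:
            break
        issued += 1
        wrong = "0000" if code != "0000" else "0001"
        for _ in range(MAX_VERIFY_ATTEMPTS):
            service.verify(phone, wrong)
    return issued
```

With the weak setting the service keeps issuing fresh codes for as long as the regeneration pattern continues, while the hardened setting stops at the generation cap regardless of how many verification attempts were burned.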

You can follow me on Twitter https://twitter.com/c0nqu3ror or LinkedIn https://www.linkedin.com/in/suraj-bhosale-876b2937/ where I share bug bounty related content. Till next time, happy hunting!
