My First Bounty | Pre Account Takeover via Response Manipulation | Pre ATO
Hello everyone, today is a special day for me. I am very happy because this is the first time I found a bug and got paid for it, so I want to share a little about this finding. OK, let's go ahead.
So my finding is an OTP bypass leading to account takeover via response manipulation. Back then I was frustrated because every day I only got informative bugs, or even out-of-scope ones because I didn't read the information in the program guidelines hahaha 😅😅.
After reading a lot of writeups and watching some PoCs on YouTube, I finally found a website that interested me and started hunting there. It turned out that the website required OTP verification via email and phone number. I also remembered the PoC I had watched, so I rushed to try it.
Steps to reproduce:
- In the target web app, I created an account using email normally. In the register response there is a JSON success response, which I saved:

```json
{
  "status": "200",
  "success": "success",
  "message": "register success",
  "email": "[your email]"
}
```
- After that, I created a new account and in the OTP section I entered a random OTP number.
- Before sending the OTP, first turn on Burp Suite intercept, then click send the OTP with the random number from earlier.
- In the OTP request, right-click and choose do intercept (response to this request), then forward.
- Then in the response, change the JSON error to the JSON success that we saved earlier in step 1, then forward again.
- And well, the account was successfully created and could finish registration as usual.
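The root cause behind these steps is that the final registration step trusts a "verified" decision that the client derived from the OTP response, so rewriting one response is enough. The following is an added example (not code from the original post or from the affected site) that models both patterns in a toy registration backend: a weak completion step that believes a client-supplied flag, and a hardened one that only consults the verification state the server recorded itself, with constant-time OTP comparison, expiry and attempt limiting. All names, TTL and attempt values are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300    # assumption: a 5-minute OTP lifetime
MAX_OTP_ATTEMPTS = 5     # assumption: lock the pending registration after 5 wrong codes


@dataclass
class PendingRegistration:
    email: str
    otp: str
    expires_at: float
    attempts: int = 0
    verified: bool = False   # set only by the server after a correct code


def _error(message: str, status: str = "400") -> dict:
    return {"status": status, "success": "error", "message": message}


def _success(message: str, email: str) -> dict:
    return {"status": "200", "success": "success", "message": message, "email": email}


class RegistrationService:
    """Toy registration backend: all verification state lives here, never in the client."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, PendingRegistration] = {}
        self.accounts: set[str] = set()

    def register(self, email: str) -> tuple[dict, str]:
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[email] = PendingRegistration(email, otp, self._clock() + OTP_TTL_SECONDS)
        # In production the OTP only goes out by email/SMS; it is returned here so the
        # example can drive the flow offline without a mail server (constructed setup).
        return _success("otp sent", email), otp

    def verify_otp(self, email: str, submitted: str) -> dict:
        pending = self._pending.get(email)
        if pending is None:
            return _error("no pending registration")
        if self._clock() > pending.expires_at:
            return _error("otp expired")
        if pending.attempts >= MAX_OTP_ATTEMPTS:
            return _error("too many attempts", "429")
        pending.attempts += 1
        # constant-time comparison so the check leaks nothing about matching digits
        if not hmac.compare_digest(pending.otp.encode(), submitted.encode()):
            return _error("invalid otp")
        pending.verified = True   # the only place the verified flag is ever set
        return _success("otp verified", email)

    def complete_registration_trusting_client(self, email: str, client_says_verified: bool) -> dict:
        """Weak pattern: the final step believes a flag the client derived from the OTP
        response, so a response rewritten to 'success' finishes registration."""
        if email not in self._pending or not client_says_verified:
            return _error("otp not verified", "403")
        self.accounts.add(email)
        del self._pending[email]
        return _success("register success", email)

    def complete_registration(self, email: str) -> dict:
        """Hardened pattern: only the server-side verified flag counts."""
        pending = self._pending.get(email)
        if pending is None or not pending.verified:
            return _error("otp not verified", "403")
        self.accounts.add(email)
        del self._pending[email]
        return _success("register success", email)


def simulate_tampered_client(service: RegistrationService, email: str, wrong_otp: str) -> dict:
    """Model the intercepting proxy from the writeup: a wrong OTP is submitted, the error
    response is swapped for the saved success JSON, and the client proceeds as if verified.
    Returns the status each completion path reports (hardened path is checked first so the
    weak path still sees the pending registration)."""
    real_response = service.verify_otp(email, wrong_otp)
    saved_success = _success("register success", email)
    seen_by_client = saved_success if real_response["status"] != "200" else real_response
    client_says_verified = seen_by_client["status"] == "200"
    hardened = service.complete_registration(email)["status"]
    trusting = service.complete_registration_trusting_client(email, client_says_verified)["status"]
    return {"hardened": hardened, "trusting_client": trusting}
```

Running `simulate_tampered_client` against a fresh registration shows the difference directly: the hardened path answers 403 because `PendingRegistration.verified` was never set, while the trusting path answers 200 from the same tampered response. The detection side follows from the same state: a completion request arriving for an email whose pending record has no successful OTP check is exactly the event worth alerting on.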
Usually many programs do not accept pre account takeover, but maybe because this is a financial services company and there is an OTP protecting it, they accepted it.
Thanks for reading.
Best regards, NERVHYM