P1 Vulnerability: How I chained a Logical Error into an Account-Takeover Vulnerability 😈🧑‍💻 that no one told you about before😁

Gowtham_Naidu, published in InfoSec Write-ups, Jan 10, 2022 (4 min read)

Introduction

Hello Hackers, this is Gowtham, an Ethical Hacker and Penetration Tester from India who loves to find loopholes😁. There was a long gap before this 2nd blog due to many factors, and I sincerely apologize to everyone. So today I am going to tell you how I was able to get an Account-Takeover Vulnerability by using a Logical Error in the web application itself. I haven't reported the bug yet, so for that reason I don't want to disclose the name of the site; let's refer to it as "Example.com". Let's start our learning🔥

When Logic Fails, the Attacker Will Succeed:

Although the site does not have many functionalities, the first thing I always look for is "Login Bypass" vulnerabilities. So I started with the Reset-Password functionality, where the request looks like this👇

Request from Forgot-Password

And the response is :

Response to the above request

Everything works fine until we change the parameter "status": "fail". Even after changing the parameter, it still sends the OTP to the registered mobile number, but the modified request is not rate-limited, which allows us to brute-force the OTP [No-Rate-Limit Vulnerability].

“Logical Error leads to No-Rate-Limit”

How I managed to bypass an OTP that works only once😈

After modifying the value, the user gets an OTP on their mobile number [so the user is actually notified]. I then entered a random OTP so that I could brute-force the correct one.

Response for the random OTP entered.

You may think that you can change the value to "status": "success" to bypass the OTP, but it won't work, because the validation is also done on the server side. So the only option I had was to brute-force the OTP, and I did it.

  • The correct OTP gives a response length of 575, whereas all other OTPs give a response length of 574.

Response for the correct OTP

After getting the OTP, I immediately modified the value and entered the correct OTP in my previous request.

Request with the correct OTP

Now you can see that we still get "status": "error" because, as I said, it is checked on both ends, the server side as well as the client side.

  • Our code was already validated on the server during the brute-forcing, so now, as you anticipated, we can just change the value to "success" to bypass this OTP check on the client side.

I changed the value to "success" and it bypassed the OTP verification.

Now I can change the password for any user!!😁 and log in to any user account, aka [Account-Takeover Vulnerability].

Able to change the password for any user.
Leaks some crucial data such as address, phone number and name, along with some bank details.
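The fix on the server side, as an added example that is not the author's code or the site's code (the service, class and parameter names are assumptions): the OTP check limits attempts per reset instead of trusting the client to stop, the OTP expires and is single-use, and the client-supplied "status" field plays no part in the decision.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # an OTP is only valid for 5 minutes
MAX_ATTEMPTS = 5        # after this many wrong guesses the reset is discarded


@dataclass
class ResetSession:
    otp: str
    issued_at: float
    attempts: int = 0
    verified: bool = False


class PasswordResetService:
    """Hypothetical server-side state for a forgot-password flow."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._sessions: dict[str, ResetSession] = {}

    def start_reset(self, user_id: str) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"   # 6-digit OTP from a CSPRNG
        self._sessions[user_id] = ResetSession(otp=otp, issued_at=self._now())
        return otp   # delivered to the user's phone; never returned to the client

    def verify_otp(self, user_id: str, submitted: str) -> dict:
        # Every failure mode returns the same body, so responses give no hint
        # about why a guess failed; the attempt counter is what stops brute force.
        session = self._sessions.get(user_id)
        if session is None:
            return {"status": "error"}
        if self._now() - session.issued_at > OTP_TTL_SECONDS:
            del self._sessions[user_id]
            return {"status": "error"}
        if session.attempts >= MAX_ATTEMPTS:
            del self._sessions[user_id]      # user must request a fresh OTP
            return {"status": "error"}
        session.attempts += 1
        if not hmac.compare_digest(session.otp, submitted):
            return {"status": "error"}
        session.verified = True
        return {"status": "success"}

    def change_password(self, user_id: str, new_password: str, client_status: str = "") -> bool:
        # client_status is deliberately ignored: only server-side state decides.
        session = self._sessions.get(user_id)
        if session is None or not session.verified:
            return False
        del self._sessions[user_id]          # the verified OTP is consumed here
        return True
```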

Ending Note 😣

I apologize to every single person who felt that this blog reads like a walkthrough/report. I tried to explain everything in detail, and that's the reason behind pasting all those screenshots. I promise you that I will write at least 1 blog per week😅. Let's Learn Together and Grow Together.

If you are facing any problems in your learning or have any doubts regarding my blogs, please feel free to connect with me 😁❤️

You Can Follow me on :

Twitter ❤️: https://www.twitter.com/gowtham_ponnana

Instagram❤️: https://www.instagram.com/gowtham_ponnana

Gmail❤️ : gowtham.official45@gmail.com

[Note]: I sincerely suggest people join our Discord Community to learn more about Cybersecurity Stuff.

Discord: https://discord.gg/gY35nHX7gu

Thanks and Regards,

GOWTHAM NAIDU PONNANA


A 19y/o Security Researcher who loves to deep dive into Web2 and Web3 Security. I'll try to simplify things; if not, "Please feel free to DM me on Twitter".