P1 Vulnerability: How I Chained a Logical Error into an Account-Takeover Vulnerability 😈🧑💻 that No One Told You About Before😁
* Introduction *
Hello Hackers, this is Gowtham, an ethical hacker and penetration tester from India who loves to find loopholes😁. There was a long gap before this second blog due to many factors, and I sincerely apologize to everyone. Today I am going to tell you how I was able to get an account-takeover vulnerability by using a logical error in the web application itself. I haven't reported the bug yet, so for that reason I don't want to disclose the name of the site; let's refer to it as "Example.com". Let's start our learning🔥
When Logic Fails, the Attacker Succeeds:
Although the site does not have many functionalities, the first thing I always look for is login-bypass vulnerabilities. So I started with the reset-password functionality, where the request looks like this👇
And the response is:
Everything is fine until we change the parameter "status": "fail". Even after changing the parameter, it still sends the OTP to the registered mobile number, but now we can submit OTP guesses without any limit, which allows us to brute-force the OTP [No-Rate-Limit vulnerability].
"Logical error leads to no rate limit"
How I Managed to Bypass an OTP That Works Only Once😈
After modifying the value, the user gets an OTP on his/her mobile number (it actually informs the user). So I entered a random OTP so that I could then brute-force the correct one.
You may think that you can change the value to "status": "success" to bypass the OTP, but that won't work because the validation is done on the server side. So the only option I had was to brute-force the OTP, and I did.
- The correct OTP gives a response length of 575, whereas every other OTP gives a length of 574. That one-byte difference is the whole oracle: sort the brute-force results by response length and the single outlier is the valid OTP.
After getting the OTP, I immediately modified the value and entered the correct OTP in my previous request.
Now you can see that we still get "status": "error" because, as I said, it is checked on both ends, server side as well as client side.
- Our code was already validated on the server during the brute-force, so, as you anticipated, we can now change the value to "success" to bypass the OTP check on the client side.
Now I can change the password for any user!!😁 and log in to any user account, aka [Account-Takeover Vulnerability].
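Here is an added example, not code from the original post or from Example.com, that models the two weaknesses described above in one stand-alone script: the OTP check with no attempt limit and a success body whose length differs from the failure body (the 575-vs-574 oracle), and the reset step that succeeds because the server already marked the OTP as verified during the brute-force. Beside it is a hardened version that caps attempts, burns the OTP at the cap, returns one fixed error body, and issues a single-use random token that is the only credential the reset step accepts. The OTP length (4 digits), the attempt cap, the JSON bodies and the sample OTP are assumptions; the post does not state them.

```python
import hmac
import json
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

OTP_DIGITS = 4      # assumption: the post never states the OTP length
MAX_ATTEMPTS = 5    # assumption: a typical cap for the hardened version


@dataclass
class VulnerableOtpService:
    """Models what the post describes: no attempt cap, a success body whose
    length differs from the failure body, and a reset step that only checks
    server-side state set during verification."""
    otp: str
    attempts: int = 0
    otp_verified: bool = False

    def verify(self, candidate: str) -> str:
        self.attempts += 1
        if hmac.compare_digest(candidate, self.otp):
            self.otp_verified = True
            return json.dumps({"status": "success", "message": "OTP verified"})
        return json.dumps({"status": "error", "message": "OTP incorrect"})

    def reset_password(self, new_password: str) -> bool:
        # Once any request has verified the OTP, every later reset succeeds.
        return self.otp_verified


@dataclass
class HardenedOtpService:
    """Caps attempts and burns the OTP at the cap, returns one fixed error
    body, and on success issues a single-use random token that is the only
    thing the reset step will accept (a client-side 'status' flag is never consulted)."""
    otp: Optional[str]
    attempts: int = 0
    reset_token: Optional[str] = None

    def verify(self, candidate: str) -> str:
        self.attempts += 1
        if self.attempts > MAX_ATTEMPTS:
            self.otp = None          # burned: a fresh OTP must be requested
        if self.otp is not None and hmac.compare_digest(candidate, self.otp):
            self.reset_token = secrets.token_urlsafe(32)
            return json.dumps({"status": "success", "reset_token": self.reset_token})
        return json.dumps({"status": "error"})   # same body for wrong and burned

    def reset_password(self, token: str, new_password: str) -> bool:
        if self.reset_token is None or not hmac.compare_digest(token, self.reset_token):
            return False
        self.reset_token = None      # single use
        return True


def brute_force_by_length(verify: Callable[[str], str],
                          digits: int = OTP_DIGITS) -> Optional[Tuple[str, str]]:
    """Burp-Intruder style sweep: submit every OTP and flag the one whose
    response length is the outlier. Returns (otp, response) or None."""
    responses = {f"{n:0{digits}d}": "" for n in range(10 ** digits)}
    for cand in responses:
        responses[cand] = verify(cand)
    common_len = Counter(len(r) for r in responses.values()).most_common(1)[0][0]
    hits = [(c, r) for c, r in responses.items() if len(r) != common_len]
    return hits[0] if len(hits) == 1 else None


def demo(otp: str = "7391") -> dict:
    """Run the sweep against both services with a constructed sample OTP."""
    weak = VulnerableOtpService(otp)
    hit = brute_force_by_length(weak.verify)
    weak_reset = weak.reset_password("attacker-chosen")   # True: account taken over

    strong = HardenedOtpService(otp)
    miss = brute_force_by_length(strong.verify)
    strong_reset = strong.reset_password("forged-token", "attacker-chosen")
    return {"weak_hit": hit, "weak_reset": weak_reset, "weak_attempts": weak.attempts,
            "strong_hit": miss, "strong_reset": strong_reset}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against the vulnerable service the sweep needs all 10,000 guesses but finds the one longer response and the reset then goes through with no further proof. Against the hardened service the OTP is burned after five guesses and every response has the same length, so there is no outlier to pick; the attacker's residual chance is the cap divided by the OTP space (5 in 10,000 here), which is why a short numeric OTP also needs a short expiry.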
Ending Note 😣
I apologize to every single person who felt that this blog reads like a walkthrough/report. I tried to explain everything in detail, and that's the reason for pasting all those screenshots. I promise that I will write at least one blog per week😅. Let's learn together and grow together.
If you are facing any problems in your learning or have any doubts about my blogs, please feel free to connect with me 😁❤️
You can follow me on:
Twitter ❤️: https://www.twitter.com/gowtham_ponnana
Instagram❤️: https://www.instagram.com/gowtham_ponnana
Gmail❤️ : gowtham.official45@gmail.com
[Note]: I sincerely suggest that people join our Discord community to learn more about cybersecurity.
Discord: https://discord.gg/gY35nHX7gu
Thanks and Regards,
GOWTHAM NAIDU PONNANA