Email Verification Bypass + 2FA bypass-Bugbounty #150$

ganiganeshss79
Oct 2, 2020

Let me thank all the bug bounty hunters out there who are creating great content and inspiring a lot of people like me.

Thank You, community folks, @stokfredik @hakluke @farah_hawa01 @dhakal_ananda @adityashende17 Bugcrowd

Mentors: @akhilreni_hs @rakesh_3895

Hello Everyone,

Welcome to another blog.

For people who don't know me: I am Ganesh, a security analyst at WesecureApp and a part-time bug bounty hunter at Bugcrowd.

Rate Limitation:

A brute force attack can manifest in many different ways, but it primarily consists of an attacker configuring predetermined values, making requests to the server using those values, and then analyzing the responses. The attack takes advantage of the fact that the entropy of the values is smaller than perceived.

Attack Scenario:

I was trying to find subdomains of an application using the subfinder tool.

I used the httpx tool to list the live domains.

Command:

subfinder -d "domain.com" -silent | httpx -title -content-length -status-code -silent

I randomly selected a domain and visited the URL, and there was an option to sign up. I entered the necessary information and clicked on sign up; after a few minutes I got a confirmation mail.

Observe this URL:

So the parameter "t" holds a 5-digit OTP value. I captured the request, tried brute-forcing it, and was able to verify any email ID because no rate limiting was implemented.

I was about to report this, but I thought: let's complete the whole sign-up process and check whether there's 2FA.

What is meant by two-factor authentication?

Two-factor authentication (2FA) is a second layer of security that helps protect an account or system from unauthorized users. Users must go through two layers of security before being granted access to an account or system.

I logged into the application, and on selecting Profile there was an option to enable 2FA. I enabled it, so now whenever you try to sign in, it sends an OTP to the user to complete the login.

So I entered 12345 and tried brute-forcing, but there was rate limiting in place, blocking the requests.

Mmm, What to do?

I just entered the original OTP which I got and observed the response. In the response I noticed a parameter stating "status": true.

So I thought: let's log out, then try logging in, enter a random 5-digit value (e.g. 12345), and change the response state from false to true. Let's see what happens then.

Luckily, it got bypassed and I was able to access the application functionality.
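
The two controls whose absence this write-up describes, as an added Python example that is not from the original post or the affected application: a per-code failure limit with expiry, and an access decision read from server-side session state rather than from the "status" field in the response. The names `Session`, `issue_otp`, `verify_otp`, `get_profile` and the two limits are assumptions.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5   # assumed policy: wrong guesses allowed per issued code
OTP_TTL = 300      # assumed policy: code lifetime in seconds


class Session:
    """Server-side session record; the client never holds these fields."""
    def __init__(self):
        self.code = None
        self.expires = 0.0
        self.failures = 0
        self.mfa_passed = False


def issue_otp(session, now=None):
    """Create a fresh 5-digit code (same size as the one in the post)."""
    now = time.time() if now is None else now
    session.code = f"{secrets.randbelow(10**5):05d}"
    session.expires = now + OTP_TTL
    session.failures = 0
    return session.code  # delivered by e-mail/SMS, never in the HTTP response


def verify_otp(session, submitted, now=None):
    """Check a guess; the code is burned on expiry or after MAX_FAILURES misses."""
    now = time.time() if now is None else now
    if session.code is None or now > session.expires:
        session.code = None
        return {"status": False, "error": "code_invalid"}
    if hmac.compare_digest(submitted.encode(), session.code.encode()):
        session.code = None          # single use
        session.mfa_passed = True    # the only place this flag is set
        return {"status": True}
    session.failures += 1
    if session.failures >= MAX_FAILURES:
        session.code = None          # force a new code, ending the guessing run
    return {"status": False, "error": "wrong_code"}


def get_profile(session):
    """Protected endpoint: decides from server state, not client-visible JSON."""
    if not session.mfa_passed:
        return 401, {"error": "mfa_required"}
    return 200, {"profile": "constructed sample data"}
```

The same failure counter applies to the "t" value in the e-mail confirmation link. Issuing new codes needs its own rate limit, otherwise the guess budget resets with every fresh code.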

Appreciation:

Bounty Rewarded:

Note:
Writing a good report is always important, because I got an extra 50$ bounty. And always try to chain vulnerabilities, because that way they will have more impact.

Thanks for reading my blog.

Follow me at twitter.com/ganiganeshss79
