Today I will tell you how I was able to find account takeover due to no rate limit on OTP.
I was looking for a target to start bug hunting, and found one whose scope included the signup page and the login page.
I started by creating an account on it. I noticed that the target sends an OTP to the user's mail for account confirmation, but when I copied and inspected the URL sent for account confirmation, it looked like this:
Code:
https://redacted.com/out/register/codeverify?email=username@gmail.com&code=418690
I noticed that the code in the URL is the same as the one sent to my mail (the OTP is embedded in the confirmation link itself). I also noticed that the form where I have to enter the OTP has no reCAPTCHA to fill in, so I could easily brute-force the OTP.
The OTP is 6 digits, so I used Burp Suite Intruder and sent a request for each value. Every request returned 401 Unauthorized except one, which returned 200 OK: that was the right OTP. I entered it and was able to get access without the link. In this scenario, if you have the victim's email, you can create an account using the victim's mail.
Way 2
I noticed the same with password reset, so I was even happier and tried again. When I tried to reset the password, the link was the same style as before, so I could brute-force it again:
Code:
https://app.redacted.com/out/resetpass/change?email=username@mail.com&code=494866
And yay, I was able to take over any account.
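An added example (not code from the original post or the target) of how both the confirmation and reset endpoints could have been protected: an OTP check that locks the code after a few wrong guesses, expires it, and makes it single-use, so a 6-digit code cannot be enumerated with Intruder. The in-memory store, the attempt limit and the TTL are assumptions; the issue/resend endpoint would still need its own rate limit.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # assumed: burn the code after this many wrong guesses
OTP_TTL_SECONDS = 600   # assumed: code expires after 10 minutes


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0


class OtpStore:
    """In-memory OTP store keyed by email (constructed stand-in for a DB/cache)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._records = {}

    def issue(self, email: str) -> str:
        # 6-digit code from a CSPRNG; replaces any outstanding code for this email
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._records[email] = OtpRecord(code=code, issued_at=self._now())
        return code

    def verify(self, email: str, guess: str) -> bool:
        rec = self._records.get(email)
        if rec is None:
            return False                      # no code, burned, or already used
        if self._now() - rec.issued_at > OTP_TTL_SECONDS:
            del self._records[email]          # expired: force a fresh code
            return False
        rec.attempts += 1
        if hmac.compare_digest(rec.code, guess):
            del self._records[email]          # single use: consume on success
            return True
        if rec.attempts >= MAX_ATTEMPTS:
            del self._records[email]          # too many misses: burn the code
        return False
```

With the lockout in place, the correct code is rejected once the attempt budget is spent, so the attacker gets at most 5 guesses out of 1,000,000 per issued code instead of unlimited tries.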
Thank you!
Hope you understand.