How I approach Account takeover due to no rate limit on OTP 👍

[Man]

Today I will tell you how I was able to find account takeover due to no rate limit on OTP.

I was finding a target to start a bug hunting so I found a target which as scope as signup page and login page.

I started with creating a account on it and then I notice that the target send an otp to user mail for account confirm but when I try to copy and see the url send for account confirmation is look like this:

https://redacted.com/out/register/codeverify?email=username@gmail.com&code=418690

I notice that the code in urls is same as send to my mail and also my emails it inbuilt so from there I notice that the account where I have to put otp doesn’t have recaptcha to fill so I can easily bruteforce the otp

OTP is 6 digit so I used use burp suite intruder and send request request each request was 401 unauthorized but the one is 200 OK the right otp is and I enter it and able to get access without the link this can attack in this scenario if you have victim email you can create account using victim mail.

Way 2
I notice same with reset password so I more happy and try this again and when I try to reset password the link for it and it was also same as last so I can re bruteforce it:

https://app.redacted.com/out/resetpass/change?email=username@mail.com&code=494866

and yay I was able to takeover any account.

Thank you!

Hope you understand.