Hi ppl! This is Gnana Aravind with another write-up on the most curious “Login Page Bypass”. Let’s jump into the story…
Few days back I taught of ordering a product in an eCommerce site and visited it. Found that they were using mobile number and OTP for logging in to the site and then I taught of testing bugs, after seeing their functionalities.
Jumping into the Bug
Soon I started to find some basic vulnerabilities and did some recon. With lot of failures finally I came to the login page and started to test there. While intercepting the requests, just found something like the one below.
We can see there are three paras, otp, mobile number and otp mode. After seeing this, My next step was ???
Have you guessed, yes its the same and I started playing with parameter tampering. If you have no Idea about Parameter Tampering, have a look at the below article.
While intercepting the response for the above request it was something like the one below.
Here we can see two parameters, status and message. I noticed that for a positive login(for correct otp) the status parameter was giving “true” and for a negative login(for wrong otp) the status parameter was “false”.
So my next step was, for a negative login(giving wrong otp) I changed the parameter “false” to “”true” and you know WHATTT !!!
THE LOGIN GOT BYPASSED, AS SIMPLE AS THATT
I was like…
Steps to Reproduce :
- Visit the login page and make a positive login and capture the request and response.
- Now make a negative login with false credentials and try to change the available parameters to positive one as I did.
- Refer Hackerone reports to get some parameters to bypass if you have no idea about positive/negative parameters.