Response Manipulation

Read about how I was able to bypass OTP verification

I'll just keep this short and simple:

First I checked the response when the correct code was entered. It was a 301 Moved Permanently I copied the entire response and saved in a text file.

Then I entered the wrong OTP and the response was 200 OK with an error message "Wrong code entered"

So I changed the response according to the previously saved response but keeping other authentication related parameters same.

After I forwarded the response back to the browser, I successfully bypassed the code verification functionality. ✌️

Easy exploitation -> High Impact -> Good reward 👨‍💻