🎨
Findings
  • Discovered Vulnerabilities
  • Finding Security Vulnerabilities in Android Applications
  • API Endpoints lead to Sensitive Information Disclosure and PII leakage of Employees
  • HTTP Dangerous Methods Enabled - P1
  • Subdomain Takeover
    • Subdomain Takeover
  • XSS
    • XSS on error page
    • Interesting XSS
  • 2FA Bypass
    • Brute-force Protection Bypass
    • Response Manipulation
  • Crazy Account Highjack
  • OAuth Misconfiguration
  • Open Redirect
    • Open Redirect >> XSS
    • Automation
Powered by GitBook
On this page

Was this helpful?

  1. 2FA Bypass

Response Manipulation

Read about how I was able to bypass OTP verification

PreviousBrute-force Protection BypassNextCrazy Account Highjack

Last updated 3 years ago

Was this helpful?

I'll just keep this short and simple:

First I checked the response when the correct code was entered. It was a 301 Moved Permanently I copied the entire response and saved in a text file.

Then I entered the wrong OTP and the response was 200 OK with an error message "Wrong code entered"

So I changed the response according to the previously saved response but keeping other authentication related parameters same.

After I forwarded the response back to the browser, I successfully bypassed the code verification functionality.

Easy exploitation -> High Impact -> Good reward

✌️
👨‍💻