You know the kind of vulnerability that looks as if it required the developer to collaborate with the attacker? This post is about one of those. Nowadays it is rare to find an application whose login consists only of basic authentication (username and password); OAuth and MFA are increasingly adopted. However, flaws in how these mechanisms are implemented are common, and they leave room for bypasses.
One of the most basic forms of 2FA is email confirmation with a 4-digit code (often called an OTP), and the same mechanism is frequently reused for password resets and even for registering new accounts.
There is a wide range of attacks in this scenario, such as type confusion, OTP leakage in the HTTP response, or the 0000 attack. But a very simple technique is to intercept the server's response in your proxy and change the HTTP status code to 200. It does not look like it should work, but it does.
This works because the frontend decides purely from the response.status_code property: if the status is 200, it treats the user as authenticated, regardless of what the body says. Whether that gets you past the control, and not just past the screen, depends on the backend: if the server only marks the session as MFA-complete after a correct code, the tampered 200 merely renders the next page and the first authenticated request fails. So always check the follow-up requests, not just the redirect.
Although it is a relatively simple and even funny attack, search the bug bounty platforms for reports in this category (or PoC videos on YouTube) and you will find plenty of them.
Tip: instead of going crazy spraying payloads, take the time to read the site's client-side source code and understand what it actually does.