
Response Manipulation Led to Authentication Bypass

Vulnerability Description

Title: Response manipulation led to Authentication bypass

INTRODUCTION

Response manipulation is a technique in which the attacker intercepts the server's response and modifies it before the browser processes it. It only pays off when the client-side code makes a security decision (show the next step, store a logged-in state, skip a check) based on a value in that response which the server never re-validates on the following request. In such applications response manipulation can bypass 2FA, authentication and similar checks.

eSecForte Technologies security researcher Abhishek Pal reported a 2FA bypass rated P3 and an authentication bypass rated P1. Both vulnerabilities were accepted and rewarded at their respective severities.

Description: The attack is a response manipulation. The attacker only needs to know the victim's email address; by reproducing the steps below against that address, the attacker takes over the victim's account.

Platform/Product: Example.com

Vulnerability Name: Authentication bypass via response manipulation

Affected Component: Reset Password Functionality

Attack Type: Response manipulation

Impact

An attacker uses this technique to take over the victim's account completely. The attacker intercepts the server's response, alters it in transit and lets the client-side code act on the forged value: the client then treats a failed OTP check as a success and proceeds to the password reset step, which the server does not independently verify.

Recommendation:

  1. The entire login flow was revamped and the client-side JavaScript validation was removed. The application no longer relies on any value in the response to decide whether the OTP step passed; the server tracks the verification result itself, and manipulating the response now only produces an error message. In general, the server should record a successful OTP check in its own session state or in a single-use, short-lived reset token and require that state on the reset-password request; a success flag in a response body is information for the user, not authorization.

Method of Exploitation

Steps to Reproduce:

1. Navigate to the URL and create an account with [email protected].

2. Go to the reset password functionality.

[Screenshot: reset password page]

3. Open Gmail; you receive a 6-digit OTP.

4. Enter a wrong OTP and click Verify OTP.

[Screenshot: Forgot Password]

5. Capture the request in Burp Suite, intercept it and choose "Do intercept > Response to this request" so that the server's response is held for editing.

6. The server replies 200 OK; the body carries a boolean success parameter, which is false because the OTP was wrong.

[Screenshot: 200 OK response with the success parameter set to false]

7. Change the success parameter value from false to true and forward the response.

8. The client-side code accepts the modified response and redirects to the Forgot password page, even though the server never verified a correct OTP.

9. Set the new password and click Save password. The victim's account password has been changed and the attacker is logged in to the account.

[Screenshot: Change the password]

Discoverer

Abhishek Pal from eSec Forte Technologies Pvt. Ltd
