Hope you are doing well. I am back with another bug.
Whoami: I am Shesha Sai C, Im a bug bounty hunter and security researcher
Let us consider the site as redacted.com as the program does not support disclosures.
I know lot of you guys think this as such a drag but this blog is not about the target, it is about knowledge sharing.
Lets Dive in!
The application does not have much of scope to hunt on all it contains a signup and login page with phone number that shares OTP, No PII disclosure all technologies are up-to-date. Damn!!!! i know the feeling and i was like
Now, time where the story begins the signup page contain that the application allows only users from Russia to signup or enroll for an account, but we don’t have any Russian numbers.
Trail 1: trying to bypass this using my own number in the place of Russian ph number — no luck!, it accepts only numbers in Russian format
Trail 2: Tried with intercepting the Russian number field in burpsuite and without sending this to repeater changed the country code to +91 and my ph and send the request — guess what! it worked, i received a call for OTP validation
I have given the OTP and clicked on Verify it blocked me
Trail 3: Tried with intercepting both the OTP generation request and OTP verification request in burpsuite and changing the number and country code- It Worked Amigos!!
Steps to Reproduce:
- Visit the signup page: https://redacted.com/signup
- Give any russian phone number you can get it from receive-sms-online
- intercept the request and change it to your number and you will receive a call with OTP
- Input this OTP and intercept on -> click on verify and again change the country code and number
- You’re logged in as the Russian number user and same works with Login.
Tip: Once a great man said when you’re stuck take a cup of boost and try again- PS: it is me
Timeline: This bug was submitted 3 months back and was remediated.
Hope you learned something new and let’s catch up in next story.