How I was able to verify any contact number for my account?
OTP Bypass | Second Factor Authentication (2FA) Bypass
Let's get straight to the point.
Goal: Adding and verifying any phone number without providing OTP
Website name changed to: Redacted.com
I was enumerating a subdomain of redacted.com, i.e. subdomain.redacted.com
I registered an account there and was struggling to find anything in this portal.
The portal had a feature for adding a phone number, so I added my own number and verified the OTP, but I intercepted the response and analysed it.
Try 1: I edited my phone number to my other phone number and it again sent an OTP, but this time I decided not to provide the correct OTP. I started manipulating the response and failed.
Now I compared the response of a correct OTP and an invalid OTP.
The difference was in the response code and a JSON message:
Incorrect OTP response code: 400
Failed JSON message: {"verificationCode":[{"Code":"invalid.code"}]}
Bypass: I modified the response code to 204 NO CONTENT, which means the server has successfully fulfilled the request and there is no additional content to send in the response payload body.
Question: Why did I change the response code to 204?
Answer: Because when I registered my own number with a valid OTP and analysed the response, it was a valid response with a code of 204.
That was simple though !!
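The root cause here is a client that decides "verified" from the response status it received, which a proxy can rewrite. The added example below (my own illustration, not the portal's code) contrasts that pattern with the fix: the server records the verified number only when it has itself matched the OTP, and every later step consults that server-side state. The account store, the attempt cap and the `request_otp`/`verify_otp` helpers are assumptions for the demo; the 204/400 responses mirror what the write-up observed.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_ATTEMPTS = 5  # assumed lockout threshold, not from the page


@dataclass
class Account:
    # Constructed in-memory record standing in for the portal's database.
    pending_phone: Optional[str] = None
    pending_code: Optional[str] = None
    verified_phone: Optional[str] = None
    attempts: int = 0


def request_otp(acct: Account, phone: str) -> str:
    """Start verification: keep the pending number and a fresh code server-side.
    The code is returned only so the example can stand in for SMS delivery."""
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending_phone, acct.pending_code, acct.attempts = phone, code, 0
    return code


def verify_otp(acct: Account, submitted: str) -> Tuple[int, dict]:
    """Server-side check: the number becomes verified ONLY here, on a match.
    Returns 204 on success, 400 + the JSON error seen in the write-up otherwise."""
    if acct.pending_code is None or acct.attempts >= MAX_ATTEMPTS:
        return 400, {"verificationCode": [{"Code": "invalid.code"}]}
    acct.attempts += 1
    if not hmac.compare_digest(submitted, acct.pending_code):
        return 400, {"verificationCode": [{"Code": "invalid.code"}]}
    acct.verified_phone = acct.pending_phone
    acct.pending_phone = acct.pending_code = None
    return 204, {}


def commit_phone_from_client(acct: Account, client_says_verified: bool) -> bool:
    """Vulnerable pattern: trusts a flag the client derived from the status code
    it saw. A 400 rewritten to 204 in transit flips the flag and 'verifies'
    a number the server never matched an OTP for."""
    if client_says_verified and acct.pending_phone:
        acct.verified_phone = acct.pending_phone
        return True
    return False


def phone_is_verified(acct: Account, phone: str) -> bool:
    """Hardened pattern: later steps ask the server's own record, never the client."""
    return acct.verified_phone == phone
```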
LinkedIn: Paras Arora
Twitter: Paras Arora