AUTHENTICATION BYPASS VULNERABILITY


Postby TheVikingsofDW » Thu Feb 01, 2024 7:57 pm

INTRODUCTION
Response manipulation is a method whereby assailants effect alterations to the response prior to its delivery to the web browser. Through the employment of response manipulation, it is occasionally feasible to circumvent 2FA or Authentication mechanisms, among other functionalities.

Description: This attack is denominated Response Manipulation. In this scenario, the assailant gains access to the victim's email address. By replicating the identical steps, the attacker seizes control of the victim's account.

Platform/Product: Example.com

Affected Component: Reset Password Functionality

Impact: The attackers utilize this technique to commandeer the entire account of the victim. The assailant possesses the capability to modify the response at the server level and execute actions on the client side.

METHOD OF EXPLOITATION
1. Navigate to the URL and create an account using Abc@gmail.com
2. Access the password reset functionality.
3. Open Gmail to receive a 6-digit OTP.
4. Enter an incorrect OTP and click on "Verify OTP".
5. Capture the request using Burp Suite, intercept it, and forward the response to the request.
6. The response shows "200 OK" with the error parameter set to "False".
7. Modify the value of the success parameter from "False" to "True".
8. The server acknowledges the response and redirects to the "Forget Password" page.
9. Set a new password and click on "Save Password". The victim's account password is successfully changed, allowing access to the account.


Postby wolk » Fri Feb 23, 2024 9:07 pm

To apply Burp Suite in a practical context based on the response manipulation tutorial we discussed, here's a step-by-step guide. This example demonstrates how to intercept and modify a server response to bypass OTP verification during a password reset process.
Prerequisites:
- Ensure that Burp Suite is installed and properly configured.
- Configure your browser to use the Burp Suite proxy (127.0.0.1:8080 by default).
- Have access to an application or website to test, in a legal and ethical testing environment.

Practical Application Steps:
1. Start Burp Suite and configure the proxy: Launch Burp Suite and make sure the "Proxy" > "Options" module is configured to listen on 127.0.0.1:8080. Configure your browser to use this proxy.
2. Enable interception: In Burp Suite, go to "Proxy" > "Intercept" and ensure the "Intercept is on" option is activated.
3. Password reset process: Using the configured browser, initiate the target application's password reset process until you receive the OTP (this part is just to simulate the action up to receiving the server response you wish to modify).
4. Intercept the server's response: When you enter an incorrect OTP and submit it, Burp Suite will intercept the request if the "Intercept is on" option is active. Click "Forward" in Burp Suite to continue until you intercept the server's response indicating the OTP verification failed.
5. Modify the response: In the "Intercept" tab, with the server response intercepted, modify the part of the response indicating that the OTP verification failed. For example, change a response parameter from { "success": false } to { "success": true }, or a similar modification according to the application's logic.
6. Send the modified response: After making the modification, click "Forward" in Burp Suite to send the modified response to the browser.
7. Observe the effect: If the manipulation is successful, the web application should act as if a valid OTP had been entered, potentially allowing further actions, such as resetting the password.
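The weakness that both TheVikingsofDW's steps and wolk's Burp walkthrough exercise is a "save password" endpoint that trusts the client to have seen a real `"success": true`. The following is an added example, not code from this thread or from any real application: a minimal Python reset flow using an in-memory session store (an assumption standing in for a real session or database layer) that shows the vulnerable handler next to a fixed one, which checks the server-side verification flag so that editing the JSON response in the browser changes nothing.

```python
import hmac
import secrets

# Constructed in-memory stores (assumption) standing in for session/DB storage.
SESSIONS = {}  # session_id -> {"email", "otp", "otp_verified", "attempts"}
USERS = {"abc@gmail.com": {"password": "old-password"}}
MAX_ATTEMPTS = 5


def start_reset(email):
    """Issue a 6-digit OTP and bind it to a server-side reset session."""
    sid = secrets.token_hex(16)
    otp = f"{secrets.randbelow(10**6):06d}"
    SESSIONS[sid] = {"email": email, "otp": otp, "otp_verified": False, "attempts": 0}
    return sid, otp  # a real app emails the OTP; returned here only for the demo


def verify_otp(sid, submitted):
    """Record the outcome server-side; the JSON body is only informational."""
    s = SESSIONS.get(sid)
    if s is None:
        return {"success": False}
    s["attempts"] += 1
    if s["attempts"] > MAX_ATTEMPTS:
        del SESSIONS[sid]  # brute-force guard: too many failures ends the session
        return {"success": False}
    if hmac.compare_digest(s["otp"], submitted):
        s["otp_verified"] = True
        return {"success": True}
    return {"success": False}


def save_password_vulnerable(sid, new_password):
    """Assumes the client only reaches this step after a genuine success response."""
    s = SESSIONS[sid]
    USERS[s["email"]]["password"] = new_password
    return {"success": True}


def save_password_fixed(sid, new_password):
    """Checks the server-side flag, so a response tampered in the browser is irrelevant."""
    s = SESSIONS.get(sid)
    if s is None or not s["otp_verified"]:
        return {"success": False, "error": "otp not verified"}
    USERS[s["email"]]["password"] = new_password
    del SESSIONS[sid]  # one-shot: the verified state cannot be reused
    return {"success": True}
```

The defensive point is that the verify step's response is a notification, not state: the only record the reset endpoint may consult is what the server itself stored when the OTP compared equal.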


Postby FidoDido24 » Thu Feb 29, 2024 6:32 pm

Friend, thanks for the tutorial. I was carefully following the steps, trying with my Gmail account, but when I reached the next point I couldn't find a way to continue:

"Click "Forward" in Burp Suite to continue until you intercept the server's response indicating the OTP verification failed.
Modify the response:
In the "Intercept" tab, with the server response intercepted, modify the part of the response indicating that the OTP verification failed. For example, change a response parameter from { "success": false } to { "success": true }, or a similar modification according to the application's logic."

There is nothing in the parameters that tells me what I need to change to allow me to continue. I attach below the Burp dialog box at the time of being intercepted in that instance:

POST /gts1c3 HTTP/1.1
Host: ocsp.pki.goog
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: es-AR,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/ocsp-request
Content-Length: 84
Connection: close
Pragma: no-cache
Cache-Control: no-cache
0R0P0N0L0J0 +

Will it work if I try with another browser? Thank you.


Postby ethical hacker » Fri Mar 01, 2024 11:56 pm

FidoDido24, the aforementioned methods are solely applicable to web pages and do not extend to SMTP services such as Gmail, Hotmail, Outlook, and the like.
Furthermore, they prove ineffective when dealing with substantial platforms like those of Amazon, eBay, PayPal, and others of similar stature. To address these entities, more refined methodologies are requisite. However, it is worth noting that this tutorial is designed exclusively for testing select web pages.


Postby jotabr » Mon Mar 04, 2024 10:47 am

What sites does this work on?
