Simple Parameter Tampering → Account Takeover

Introduction:

Hi everyone! 🎉

Darshan this side . This is my 1st writeup .😃 On How I was able to login into any user account without user interaction.

Well, I think it’s enough introduction, let’s get started!

What is Parameter Tempering ?

The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc.

I was hunting on target which is online lecture and exam site . I cannot disclose name of company.😪 let’s call it target.com .

Scenario:

Attacker can get victims OTP on attackers phone by Tampering phone number parameter .

Reproduction steps:

Attacker want to get access to victims account

1. Attacker will visit Target.com/login.html
2. Attacker will add victim phone number (91xxxxxx27) in sign up box

3. Attacker will capture request in burp suite

4. Now attacker will add one more parameter as “phone”:”attackers phone number “ eg. “phone”:”96xxxxxx65 “

5. Now attacker got OTP on attackers number 96xxxxxx65

6. Attacker will fill OTP on Target.com/login.html and got access to victims account.

===

Timeline:

20 April → Bug Reported

21 April → Report Triaged

22 April → Marked as Duplicate 😭

I hope you guys enjoy reading my writeup!, follow me on Twitter , LinkedIn ,Instagram . see you on the next bug bounty writeup!