Functionality Bypass — IDOR
OTP Bypass to IDOR (Insecure Direct Object Reference)
Hello readers, so today I’m gonna talk about how the weaker implementation of an OTP functionality in an application allowed me to access the critical customer data, download the KYC details uploaded by the customer, and make a false payment on behalf of a legitimate customer. Let the hunt begin.
During a recent pentest, I stumbled upon a policy tracking application that had a flawed OTP verification process and accepts any arbitrary OTP values. A malicious actor with the knowledge of the customer’s mobile number and DOB (which was found hardcoded within the publicly available assets files) can access sensitive customer information such as account balance, recent transactions, and perform actions like Blocking cards, setting a PIN, etc.
As shown in the Figure below, the sensitive details such as policy number, mobile no., etc. were found to be hardcoded within the publicly available assets files.
Other sensitive details such as name, address, etc were identified to be hardcoded as shown in the Figure below;
Let’s try to log into the application with the available data
The application verifies the user details (as provided in the above screen) and sends an OTP (One Time Password) on the registered user’s mobile number and presents an OTP verification screen. Enter any arbitrary value in the OTP and submit the form.
As shown in the Figure below, the application doesn’t verify OTP value and accepts any arbitrary value
The application further displays the list of the policy details, allows to make a payment, gain unauthorized access to sensitive details, downloads the KYC details uploaded by the customer, etc. as shown in the Figure below
Further, I gained unauthorized access to arbitrary customer’s policy details as shown in the Figures below;
Furthermore, I was able to gain unauthorized access to the sensitive information uploaded by the authenticate customer. Also, I was able to download the KYC details uploaded by the customers as shown in the Figures below;
Further, due to some limitations in the testing, I was unable to make out a false payment on behalf of the legitimate customer as shown in the Figure below.
After getting a redirection to the payment gateway, the application stops responding, and throws a blank screen as shown in the Figures below;
Further Scenarios:
1. Make unauthorized payments on behalf of the valid customer
2. Bypass the payment and make a successful transaction with the low amount to that of the actual amount
Thank you All for making out the time and reading this article.
Stay Tuned for another interesting attack!!
You can connect with me @https://github.com/InfoSecAntara
