Bypass 2FA Using Status Code Manipulation

Muhammad Daffa
1 min read · Feb 16, 2021

Hello, my name is Muhammad Daffa. In this post I want to share a vulnerability that I found in a private program.

First, when I log in to the website, it requires an OTP code before going to the dashboard. In this case, I'm using a random OTP code to test the website. The request will look like this:

POST /api/2fa/verify-code/ HTTP/1.1
Host: site.com
[...]
{"code":"12345","remember_me":false}

And the response looks like this:

HTTP/1.1 404 Not Found
[...]
{"status":"Wrong code"}

But if I input the right OTP code, the response will look like this:

HTTP/1.1 200 OK
[...]
{"id":"111111111-aaaa-dddd-fffff-xxxxxxxxxx","code":"123456"}

And then I'm thinking: what if I change the status code in the response? So when I intercept the request, I intercept the response too, and change the status code from 404 Not Found to 200 OK. The response will look like this:

HTTP/1.1 200 OK
[...]
{"status":"Wrong code"}

And suddenly I was logged in to my account without using the right OTP code. I quickly reported it to the company and was rewarded with $$$.
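The root cause here is that the decision "2FA passed" lived in the client, keyed off the HTTP status line, rather than in server-side session state. The following is an added example (not the author's code or the program's code) of the server-side model that closes this gap; the session layout, the `VALID_OTP` value and the handler names are constructed for illustration.

```python
# Minimal server-side model of the 2FA step. The server records that the
# second factor was verified and protects the dashboard on that record,
# so a proxy rewriting "404 Not Found" to "200 OK" changes nothing.
import hmac

VALID_OTP = "123456"  # constructed sample value, not a real secret


def new_session():
    # State after a correct password, before the second factor.
    return {"password_ok": True, "mfa_verified": False}


def verify_code(session, body):
    """Server handler for POST /api/2fa/verify-code/. Returns (status, json).
    The only thing that unlocks the session is a constant-time match of the
    submitted code performed here, on the server."""
    code = str(body.get("code", ""))
    if hmac.compare_digest(code, VALID_OTP):
        session["mfa_verified"] = True
        return 200, {"status": "ok"}
    return 404, {"status": "Wrong code"}


def dashboard(session):
    """Server handler for the dashboard. It consults server-side state only,
    never the status code the client saw or any flag the client sends."""
    if session["password_ok"] and session["mfa_verified"]:
        return 200, {"page": "dashboard"}
    return 403, {"status": "2FA required"}


def tampered_flow(session, code):
    """Model of the flow in the writeup: the verify-code response is rewritten
    to 200 before the browser sees it, and the browser's success branch then
    requests the dashboard. Returns the dashboard status the user actually gets."""
    _real_status, body = verify_code(session, {"code": code, "remember_me": False})
    seen_by_browser = (200, body)       # status line rewritten in transit
    if seen_by_browser[0] == 200:       # client-side "success" branch fires
        return dashboard(session)[0]    # but the server checks its own state
    return 403
```

With the server holding the state, the rewritten status only changes what the browser renders; the dashboard request is still refused until the real code was accepted.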

That's it for this writeup from me, I hope you guys enjoyed it.

  • December 2020 -> Triaged
  • February 2021 -> Rewarded
