Hello Guys,
Today I’ll show you my finding on one of Indonesian E-commerce
Let’s check this out
I found this bug when creating a new account, where we have to do phone number validation.
In this case we have to input a 6-digit number for validation. First I wanted to do a brute force attack on this page, but when I intercepted the request using Burp Suite, I found a parameter named code.
POST /otp/ HTTP/2
Host: <<website.com>>
……
kode=322071&k1=1&k2=1&k3=1&k4=1&k5=1&k6=1&cekk=Verifikasi
I took the initiative to input that code to confirm the OTP, and yeah, as you predicted, I succeeded in getting through this step; in other words, the OTP is bypassed.
I immediately reported it to the website, and the result was Valid but Out of Scope.
But it's good, because they showed their appreciation with a Hall of Fame entry and a Certificate.
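To make the root cause concrete, here is an added example (my own illustration, not code from the site in question) contrasting the weak pattern seen above, where the expected code travels in the request as the kode field, with a server-side check. The phone number, the in-memory store and the form values are constructed assumptions.

```python
import hmac
import secrets
import time

# Constructed sample of the form body shown in the post: the expected code
# ("kode") travels together with the digits the user typed (k1..k6).
SAMPLE_FORM = {"kode": "322071", "k1": "3", "k2": "2", "k3": "2",
               "k4": "0", "k5": "7", "k6": "1", "cekk": "Verifikasi"}


def entered_digits(form):
    """Concatenate the six single-digit fields k1..k6 into one string."""
    return "".join(form.get(f"k{i}", "") for i in range(1, 7))


def vulnerable_verify(form):
    """Weak pattern: the typed digits are compared against the 'kode' value
    that the client itself submitted, so whoever reads the request already
    knows the answer and no guessing is needed."""
    return entered_digits(form) == form.get("kode", "")


class OtpStore:
    """Hardened pattern (assumption: in-memory store keyed by phone number).
    The expected code lives only on the server, expires, and allows a
    bounded number of attempts."""

    def __init__(self, ttl_seconds=300, max_attempts=5):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._codes = {}

    def issue(self, phone):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[phone] = {"code": code, "expires": time.time() + self.ttl,
                              "attempts": 0}
        return code  # delivered out of band (SMS); never echoed in HTTP

    def verify(self, phone, form):
        entry = self._codes.get(phone)
        if entry is None or time.time() > entry["expires"]:
            return False
        if entry["attempts"] >= self.max_attempts:
            return False  # locked: too many wrong guesses
        entry["attempts"] += 1
        # Any 'kode' field in the request is ignored; only k1..k6 are read.
        ok = hmac.compare_digest(entered_digits(form), entry["code"])
        if ok:
            del self._codes[phone]  # single use
        return ok
```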
Thank you :)
TIMELINE :
Report : 5/1/2023
Valid : 7/1/2023
Reward : HoF & Certificate