Hello everyone. For my first post on this blog, I will explain how I was able to take over any account.
Let's begin.
Reconnaissance
While doing subdomain enumeration I noticed an interesting subdomain that looked like { app.dev.Target.com }. This subdomain was a copy of the original site.
After finishing subdomain enumeration, I started browsing the subdomains one by one and trying all the functions to understand the target.
While browsing the main domain I looked at the login function. Registration was by phone number only, so I entered my number; the verification was a 4-digit OTP!
The first thing that came to my mind was brute forcing the 4-digit code, but unfortunately they had a rate limit.
So I started looking for a method to bypass it.
Trying to change the IP origin using headers:
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
But it didn't work ): I also tried using similar endpoints, but that didn't work either ): And I tried adding extra parameters to the path, but that didn't work ):
I tried a lot of methods to bypass it, but none of them worked.
So I said let me move on to other functions, but then I remembered the interesting subdomain { app.dev.Target.com }.
Why don't I try to brute force the OTP there?
I tried, but unfortunately it had a rate limit too. But I said, why not try to bypass this one also?
So I tried changing the IP origin using headers:
X-Forwarded-For:
And it worked! I succeeded in bypassing the rate limit!!
So now I can take over any account just by knowing the phone number!
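The root cause here is that the dev subdomain's rate limiter keyed its counter on a client-supplied header, so every request carrying a new X-Forwarded-For value got a fresh counter. The following is an added example (my own code, not code from the original post or from the target) that puts the weak key derivation beside a hardened one: OTP attempts are counted per account (the phone number the code was sent to), and X-Forwarded-For is only honoured when the TCP peer is the site's own reverse proxy. The limits (5 attempts per 10 minutes), the proxy address 10.0.0.1, and the request dictionary shape are all assumptions made for the example.

```python
"""Added example (not from the original post): a rate limit keyed on a
client-supplied header is bypassable; a hardened OTP limiter keys on the account."""
from collections import defaultdict

MAX_ATTEMPTS = 5               # assumed policy: 5 wrong codes per account per window
WINDOW_SECONDS = 600           # assumed policy: 10-minute window
TRUSTED_PROXIES = {"10.0.0.1"}  # assumed address of the site's own reverse proxy


class OtpRateLimiter:
    """Sliding-window counter: at most max_attempts hits per key per window."""

    def __init__(self, key_fn, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.key_fn = key_fn
        self.max_attempts = max_attempts
        self.window = window
        self._hits = defaultdict(list)

    def allow(self, request, now):
        """Return True if this request may verify an OTP, False if rate limited."""
        key = self.key_fn(request)
        recent = [t for t in self._hits[key] if now - t < self.window]
        if len(recent) >= self.max_attempts:
            self._hits[key] = recent
            return False
        recent.append(now)
        self._hits[key] = recent
        return True


def key_trusting_xff(request):
    """Weak: the key is whatever X-Forwarded-For says, so every request that
    carries a new value starts with an empty counter."""
    return request["headers"].get("X-Forwarded-For", request["peer_ip"])


def client_ip(request):
    """Only honour X-Forwarded-For when the TCP peer is our own proxy, and then
    take the address that proxy appended (the right-most one); otherwise the
    peer address is the client."""
    peer = request["peer_ip"]
    xff = request["headers"].get("X-Forwarded-For")
    if peer in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()
    return peer


def key_hardened(request):
    """Hardened: OTP attempts are counted per account (the phone number the
    code was sent to), so the source address cannot reset the counter."""
    return ("otp", request["phone"])


def simulate(key_fn, n_requests):
    """Constructed traffic: n_requests wrong-code submissions against one phone
    number, all from the same TCP peer, each with a different X-Forwarded-For.
    Returns how many submissions the limiter let through."""
    limiter = OtpRateLimiter(key_fn)
    allowed = 0
    for i in range(n_requests):
        request = {
            "peer_ip": "203.0.113.7",          # constructed (TEST-NET-3)
            "phone": "+15550100",               # constructed
            "headers": {"X-Forwarded-For": f"198.51.100.{i % 250}"},
        }
        if limiter.allow(request, now=float(i)):  # one request per second
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("trusting XFF, 20 requests allowed:", simulate(key_trusting_xff, 20))
    print("per-account key, 20 requests allowed:", simulate(key_hardened, 20))
```

With the weak key every one of the 20 submissions is allowed; with the per-account key only MAX_ATTEMPTS get through, regardless of how the source address is presented. A second, looser tier keyed on client_ip(request) can be added on top to slow down scanning across many accounts, but the per-account counter is the control that actually caps guesses against a 4-digit code.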
Takeaways
- Don't give up
- Try all the methods to bypass : )
- Thank you for reading