OTP Bypass via response manipulation

Hemdeep Gamit
2 min read · Nov 13, 2021


Hello Hunters, today I'm going to tell you about one of my findings, in which I was able to bypass an OTP page. So let's begin.

It's a private program, so I won't disclose its name; let's call it example.com.

example.com lets a user register and use its functionality, but before that the user has to enter an OTP to confirm their email address.

I filled in the registration form, submitted it, and landed on the OTP page.

It's a 4-digit OTP, so with only 10,000 possible values it could be brute-forced. Before trying that, I entered 0000 to check whether validation was done properly, since developers sometimes leave 0000 in place as a test OTP. It was not accepted.

The application returned the error “Incorrect code” with the response status 401 Unauthorized.

I tried a second time: I entered a wrong OTP again, clicked Verify, and intercepted the response to that request. This time I changed only the response status from “401 Unauthorized” to “200 OK”. The OTP page was bypassed and I was logged in.

This works because some applications let the client side act on the server's response: the page's JavaScript decides whether to move on to the logged-in area based on the status code or the message in the body, depending on the developer's coding style. Anything the client trusts can be edited in an intercepting proxy, and the fact that the bypass succeeded means the server did not independently require a verified OTP before granting access to the account. The check that counts has to be server-side state the client cannot touch.

Stay safe, and thank you for reading. :)
