Hi everyone , I have found this bug on a public program on h1 some times back.
The website is having a registration process in which you have to fill your phone number to be able to register.
After providing phone number, email, username & details , you have to verify the phone number by giving 6 digit OTP code for successful verification.
After providing 6 digit OTP ,and verifying the captcha service and then hit register and intercepted this request.
So i just intercepted this POST Register request in burp and then started playing with this request’s parameters.
So what i tried is basically using this single “OTP Verified & Captcha verified” request to register multiple accounts with just different usernames.
I send this POST request to turbo intruder and then just manipulated parameters with injection point as -
username- abc123%s , email- abc123%s@gmail[dot]com
Then used the turbo intruder’s default race.py script with injections points customisation according to number of parameters.
Then just Attack this request .
Then in the status code of the Turbo Intruder, i have got 3 requests as “302”, which basically means i have created 3 different accounts by using “Single OTP verification and single Captcha Verification”.
25th Nov 2019 Submitted the report
25th Nov 2019 Triaged , marked it as High
28th Nov 2019 $1,000 Bounty