Changing True to False??
Yeah, We are going to take a look at something called Response Manipulation. It’s simple, but powerful.
While doing a PT project last week, I have found a login page. Login pages are always a nice place to find bugs; Possibilities are infinite😋.
Register >> Fill details >> Capture request with any random OTP >> Exploit
Let’s play with captured request.
Let’s take a look at request and response.
We can see a false over there.
Let’s modify false to true.
Right click >> Do intercept >> Response to this request >> Modify >> Forward
Simple OTP bypass trick. Also check for Rate limit and if it’s absent brute force it.
You can try this trick on anywhere, sometimes on status code (status: 200), privilege (isAdmin = “true”), verification (verified: “true”), etc.
Simple as that, any doubts or suggestions?? Message me