Mass account takeover by bypassing 2FA
Hey fellow hackers,
I'm not going to bore you with a long story about this pentest project. Last month I was working on a penetration-testing engagement, found multiple critical and high-severity vulnerabilities, and will cover only the interesting findings here. I won't share the name of the application, so let's call it redacted.com. It has multiple subdomains, but my focus was on the main domain.

The main domain hosts a login portal from which both normal users and admins log in to their dashboards. It was a grey-box test, so I logged in with the admin credentials I had been given. The login succeeded, but the application then asked for an OTP, because 2FA was enabled for admins only, not for normal users.

After the password step, the OTP step was a separate HTTP request carrying two parameters: OTPUserId (a 5-digit number) and LoginOTP. The server identified the account to log in from the OTPUserId parameter alone: by changing that value I was logged in to another user's account, and the LoginOTP parameter was not validated at all. Later I found that no prior authentication was needed either: sending a single POST request to that endpoint with the OTPUserId and LoginOTP parameters logged me in as whichever user ID I supplied. In other words, the OTP step trusted the client to say which user had just passed the password check, and it never verified the code itself.
As you can see in the screenshot above, just by providing a user ID I was able to log in to anyone's account. That concludes the first part.
Admin account creation from a normal user account
In the first part you saw that an attacker could log in to anyone's account without a username or password, just by supplying a random user ID. Once authenticated as any user, I was able to reach the admin panel simply by visiting redacted.com/admin/dashboard: the endpoint checked that the request was authenticated but not whether the user had the admin role. From there most of the admin functionality was accessible. The interesting part was the "User Management" section, which let me create users with a role of my choosing, either admin or normal user. For testing purposes I created an admin account, and it worked: without any credentials I was an admin, able to create further admin accounts and take over the whole admin panel.
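To make the two server-side defects concrete, here is a small Python model of the login flow described in both parts above, with the vulnerable behaviour beside a fixed version. This is an added illustration, not the tested application's code; the user table, the session layout, the function names and the 5-digit IDs are all assumptions made for the example. The vulnerable OTP handler takes the user from the request's OTPUserId and ignores LoginOTP; the fixed one takes the user from server-side state recorded at the password step and checks the code. The admin-panel and user-management handlers show the missing role check and its fix.

```python
"""Model of a 2FA step that trusts OTPUserId, and an admin panel with no role check.
Added example code, not the application's own source. All names and data are assumed."""
import hmac
import secrets

# Constructed user table: id -> account record (passwords in clear only for brevity)
USERS = {
    10001: {"name": "admin", "role": "admin", "password": "admin-pw", "otp_required": True},
    23456: {"name": "alice", "role": "user", "password": "alice-pw", "otp_required": False},
}
MAX_OTP_ATTEMPTS = 5


def password_login(session, username, password):
    """Step 1: password check. Records the pending user server-side when 2FA applies."""
    for uid, user in USERS.items():
        if user["name"] == username and hmac.compare_digest(user["password"], password):
            if user["otp_required"]:
                # The pending identity and the expected code live only in the session,
                # never in the client request. A real app would deliver the code out of band.
                session["pending_user"] = uid
                session["pending_otp"] = f"{secrets.randbelow(10**6):06d}"
                session["otp_attempts"] = 0
                return "otp_required"
            session["user"] = uid
            return "ok"
    return "denied"


def verify_otp_vulnerable(session, form):
    """Step 2 as found: logs in whichever OTPUserId the client sends, ignores LoginOTP,
    and does not care whether a password step ever happened in this session."""
    session["user"] = int(form["OTPUserId"])
    return "ok"


def verify_otp_fixed(session, form):
    """Step 2 fixed: identity comes from the session, the code is actually checked,
    and guessing is bounded. OTPUserId from the client is never consulted."""
    uid = session.get("pending_user")
    if uid is None:
        return "denied"  # no completed password step for this session
    session["otp_attempts"] = session.get("otp_attempts", 0) + 1
    if session["otp_attempts"] > MAX_OTP_ATTEMPTS:
        session.pop("pending_user", None)
        session.pop("pending_otp", None)
        return "denied"
    submitted = str(form.get("LoginOTP", ""))
    if not hmac.compare_digest(session["pending_otp"], submitted):
        return "denied"
    session.pop("pending_user")
    session.pop("pending_otp")
    session["user"] = uid
    return "ok"


def admin_dashboard_vulnerable(session):
    """/admin/dashboard as found: any authenticated user gets in."""
    return "dashboard" if "user" in session else "redirect_login"


def _require_admin(session):
    uid = session.get("user")
    if uid is None:
        return "redirect_login"
    if USERS[uid]["role"] != "admin":
        return "forbidden"
    return None


def admin_dashboard_fixed(session):
    """/admin/dashboard fixed: authentication and the admin role are both required."""
    return _require_admin(session) or "dashboard"


def create_user_fixed(session, name, password, role):
    """User Management fixed: only admins may create accounts, so a normal user
    cannot escalate by creating an admin. Returns the new user id or an error string."""
    err = _require_admin(session)
    if err:
        return err
    uid = max(USERS) + 1
    USERS[uid] = {"name": name, "role": role, "password": password, "otp_required": role == "admin"}
    return uid
```

The essential change is where the identity comes from: after the password step, the server already knows which user is awaiting an OTP, so the second request should carry only the code. Any design that lets the client name the user in the OTP request re-opens exactly the hole described above, even if the code is checked.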
Things to remember
By reading their JS code I was able to log in to anyone's account without credentials. I then found that "/admin/dashboard" was accessible to any authenticated user, without checking whether the user was an admin or a normal user, and from the "User Management" section I was able to create an admin account.