🌐 IntroToBurp

A detailed write-up of the Web challenge 'IntroToBurp' from PicoCTF - 2024

/images/PicoGym/PicoCTF-2024/IntroToBurp/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | PicoGym | Event Link |
| 🔰 Category | Web 🌐 | |
| 💎 Points | | Out of 500 total |
| ⭐ Difficulty | 🟢 Easy | Personal Rating: 1/10 |
| 👤 Author | Nana Ama Atombo-Sackey & Sabine Gisagara | Profile |
| 🎮 Solves | 21.217 | solve rate |
| 📅 Date | 28-01-2025 | PicoGym |
| 🦾 Solved By | mH4ck3r0n3 | Team: |

📝 Challenge Information

Try here to find the flag

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

/images/PicoGym/PicoCTF-2024/IntroToBurp/site_presentation.png
Site Presentation

As we can see, there is a registration phase. By trying random data in all the fields, such as aa, I noticed that there was no validation on the data’s correctness. Subsequently, you are redirected to /dashboard, where this input for an OTP (One Time Password) appears:

/images/PicoGym/PicoCTF-2024/IntroToBurp/otp.png
OTP

However, since I didn’t have it, I decided to analyze the request with Burp:

/images/PicoGym/PicoCTF-2024/IntroToBurp/invalid_otp.png
Invalid OTP

So, I decided to send the request to Burp’s Repeater and perform some tests, such as sending an empty OTP (which didn’t work). From here, we can proceed with the exploit.

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • Broken Access Control

🎯 Solution Path

Exploitation Steps

Exploitation

The exploit wasn’t too complex; it was simply a matter of removing the otp parameter from the request using Burp, and then the flag was displayed in the response.

Flag capture

/images/PicoGym/PicoCTF-2024/IntroToBurp/manual_flag.png
Manual Flag

🛠️ Exploitation Process

Approach

The exploit first extracts the CSRF Token, as it wouldn’t work without it. Then, it proceeds with the registration phase using random data such as aa for each field. Finally, it makes a POST request to /dashboard without specifying the otp field, as there is no validation, and when the field is not provided, access to the flag is granted.
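The root cause as the write-up describes it, reconstructed as an added example (my code, not the challenge's source or the author's exploit): the server only checks the OTP when the client sends one, so leaving the field out bypasses the check, while an empty or wrong value is still rejected. A fail-closed handler is shown beside it. The flag, the expected OTP and the dict-based request form are placeholders I made up.

```python
import hmac

# Constructed placeholder values; the real flag and per-session OTP are not on the page.
FLAG = "picoCTF{placeholder_flag}"
EXPECTED_OTP = "123456"


def vulnerable_dashboard(form: dict) -> tuple[int, str]:
    """Reconstruction of the flawed check (assumption, not the real source).
    The OTP is compared only if present, so a missing field skips validation."""
    otp = form.get("otp")
    if otp is not None and otp != EXPECTED_OTP:
        return 403, "Invalid OTP"
    return 200, FLAG  # reached both by a correct OTP and by omitting the field


def hardened_dashboard(form: dict) -> tuple[int, str]:
    """Fail closed: absent, empty or wrong OTPs are all rejected, and the
    comparison is constant-time so the check does not leak through timing."""
    otp = form.get("otp")
    if not isinstance(otp, str) or not otp:
        return 403, "OTP required"
    if not hmac.compare_digest(otp.encode(), EXPECTED_OTP.encode()):
        return 403, "Invalid OTP"
    return 200, FLAG


def run_cases(handler) -> dict:
    """Replay the requests from the write-up (empty, wrong, missing) plus a
    correct one, and return the status code each handler gives per case."""
    cases = {
        "empty": {"otp": ""},
        "wrong": {"otp": "000000"},
        "missing": {},
        "correct": {"otp": EXPECTED_OTP},
    }
    return {name: handler(form)[0] for name, form in cases.items()}


if __name__ == "__main__":
    print("vulnerable:", run_cases(vulnerable_dashboard))
    print("hardened:  ", run_cases(hardened_dashboard))
```

Only the "missing" case differs between the two handlers, which is exactly the request the write-up sends from Repeater.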

🚩 Flag Capture

Flag

Proof of Execution

/images/PicoGym/PicoCTF-2024/IntroToBurp/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |
| Burp Suite | Web Testing |

💡 Key Learnings

New Knowledge

I learned that sometimes a server expects a parameter but, due to insufficient validation, not specifying it can cause unexpected behavior.

Time Optimization

Sometimes, trying to remove parameters from the request to observe the server’s behavior can be useful.

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:02 | From start to flag |
| Global Ranking | | Challenge ranking |
| Points Earned | | Team contribution |

Created: 28-01-2025 • Last Modified: 28-01-2025 • Author: mH4ck3r0n3 • Team: