Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneAbhishekbaruH1:165854
HistorySep 05, 2016 - 11:51 a.m.

OLX: Bypassing Phone Verification For Posting AD On OLX

2016-09-0511:51:47
abhishekbaru
hackerone.com
363
JSON

Overview
In computer networks, rate limiting is used to control the rate of traffic sent or received by a network interface controller. It can be induced by the network protocol stack of the sender due to a received ECN-marked packet and also by the network scheduler of any router along the way.
Proof Of Concept:Steps To Reproduce
1.Click On Submit The Add Button.
2.Add Details According to Your Wish.
3.Add Victim Phone Number In Phone Number Section.
4.It Will Ask For The Verification Code.
5.Intercept The Request and Send it to Intruder.
6.Load Simple List Of 10,000 Words.
7.Start The Attack and You Can easily get the new code.(Image Attached)
Risk:You Can Post An Ad By Any phone number,Hence the person can be annoyed,Decreasing the reputation of Olx.
When the correct code is found The Response Becomes 301 and length 579.
Hence ,The hacker can detect the code easily by filtering the responses.
FIX: There should be rate limiting on the OTP parameter for the AD Section.
I was able to successfully post the add,See the image for proof.

Thanks And Regards
Abhishek

JSON