During a recent white-box penetration testing engagement, I discovered two serious vulnerabilities in a web application used by service providers to manage customer data for client companies.
In line with responsible disclosure, I will not mention the website name or identifying details. However, this write-up explains the vulnerabilities and the methodology used to discover them.
The two issues identified were:
- OTP Validation Bypass in the Login Process (High Severity)
- Insecure Direct Object Reference (IDOR) in the Data Export Function (Critical Severity)
For testing purposes, I used two accounts with the same read-only privileges, referred to as:
- Test-1
- Test-2
1. Application Login Flow
The application implemented a login mechanism that appeared to use OTP-based Two-Factor Authentication (2FA).
The login process worked as follows:
- Enter username (email).
- Request OTP code.
- OTP is sent to the user's email and is valid for 5 minutes.
- Enter password and OTP to complete authentication.
Once all credentials are entered correctly, the user is redirected to the account dashboard. Since authentication is a critical component, I focused my testing on the login process.
2. Testing the Authentication Flow
I used Burp Suite to intercept and analyze the login requests.
Steps performed:
- Logged into Test-1 account while intercepting traffic.
- Observed the authentication API requests.
- Tested common authentication validation scenarios such as:
- Incorrect username
- Incorrect password
- Incorrect OTP
While performing these tests, I discovered something unexpected.
3. OTP Validation Bypass (High Severity)
I attempted to log in using the following credentials:
- Correct email
- Correct password
- Random OTP
Surprisingly, the application successfully authenticated the user.
This indicated that the backend did not validate whether the OTP was correct.
Impact
Although an attacker would still need the correct email and password, the OTP verification step was effectively useless.
This completely breaks the concept of Two-Factor Authentication (2FA) because:
- OTP is generated
- OTP is delivered
- But the server never verifies it
Security Risk
An attacker who obtains valid login credentials can bypass the second authentication factor entirely, reducing the system to single-factor authentication.
4. IDOR in Data Export Function (Critical Severity)
After authentication testing, I explored the dashboard functionality.
My Test-1 account had permission to:
- View company data
- Export company information
When exporting data, I monitored the request in Burp Suite.
Observed Request
GET /frame-admindashboard/ProfileData/Data/list?pageNum=1&pageSize=10&beginTime=&endTime=&mnocode=0600
One parameter immediately stood out:
mnocode=0600
This appeared to represent a company identifier.
5. Testing for Authorization Issues
I sent the request to Burp Repeater and modified the parameter:
mnocode=0500
The response returned data belonging to another company.
This confirmed the presence of an Insecure Direct Object Reference (IDOR) vulnerability.
6. Impact of the IDOR
Because the application did not validate whether the logged-in user was authorized to access the requested company data, an attacker could simply change the mnocode parameter.
This allowed access to sensitive data from other companies.
Potential risks include:
- Exposure of business data
- Unauthorized data downloads
- Possible mass data harvesting by iterating through different mnocode values
Since the application handles client company information, this vulnerability could lead to serious data breaches.
7. Recommended Fixes
Fix for OTP Validation Issue
- Ensure OTP is validated server-side before authentication succeeds.
- Enforce strict verification of the OTP value.
- Implement rate limiting and attempt limits.
Fix for IDOR
- Implement proper authorization checks for all resource requests.
- Validate whether the logged-in user has permission to access the requested mnocode.
- Avoid exposing direct object identifiers without access control.
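As an added illustration of the two fixes above (this is not the application's code, which is not published here), the following minimal Python backend validates the OTP server-side with expiry, single use, an attempt limit and a constant-time comparison, and checks that the logged-in user is authorized for the requested mnocode before exporting. The in-memory stores, the account and company values and the attempt limit of 5 are constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 5 * 60   # OTP lifetime stated in the write-up
MAX_OTP_ATTEMPTS = 5       # attempt limit; assumed value, not from the write-up

@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0

# Constructed in-memory stores standing in for the application's database.
OTP_STORE = {}                                      # email -> OtpRecord
USER_COMPANIES = {"test-1@example.com": {"0600"}}   # email -> mnocodes the user may access
COMPANY_DATA = {"0600": ["Test-1 company rows"], "0500": ["another company's rows"]}

def issue_otp(email, now=None):
    """Generate a 6-digit OTP; the real app e-mails it, it is never sent back to the client."""
    code = "%06d" % secrets.randbelow(10**6)
    OTP_STORE[email] = OtpRecord(code, time.time() if now is None else now)
    return code

def verify_otp(email, submitted, now=None):
    """Server-side OTP check: must exist, be unexpired, under the attempt limit, and match."""
    now = time.time() if now is None else now
    rec = OTP_STORE.get(email)
    if rec is None:
        return False
    if now - rec.issued_at > OTP_TTL_SECONDS or rec.attempts >= MAX_OTP_ATTEMPTS:
        del OTP_STORE[email]            # expired or locked out: discard, force a new OTP
        return False
    rec.attempts += 1
    if not hmac.compare_digest(rec.code, submitted):
        return False                    # wrong code; the attempt is counted
    del OTP_STORE[email]                # single use
    return True

def login(email, password_ok, submitted_otp, now=None):
    """Both factors gate login; password_ok is the app's own password check result (out of scope)."""
    return password_ok and verify_otp(email, submitted_otp, now)

def export_company_data(email, mnocode):
    """The check missing from the export endpoint: the user must be authorized for this mnocode."""
    if mnocode not in USER_COMPANIES.get(email, set()):
        raise PermissionError("user %s is not authorized for mnocode %s" % (email, mnocode))
    return COMPANY_DATA[mnocode]
```

The vulnerable flow in the write-up is equivalent to `login` returning `password_ok` alone; every other branch in `verify_otp` is a check the server was not performing.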
8. Conclusion
This assessment revealed two significant security issues:
| Vulnerability | Severity |
| --- | --- |
| OTP Validation Bypass | High |
| IDOR in Data Export | Critical |
While the OTP issue weakened authentication security, the IDOR vulnerability posed a much greater risk, allowing attackers to access data belonging to other organizations.
These findings highlight the importance of:
- Proper server-side validation
- Strong authorization checks
- Secure implementation of authentication mechanisms
Even small oversights in authentication and authorization logic can lead to serious security vulnerabilities.