O Allah, send blessings and peace upon our Prophet Muhammad. 🔻 O Allah, grant victory to our oppressed brothers everywhere.
Hi, I'm Kareem, a security researcher. Today, I will talk about the first valid bug I discovered in an external program.
During a security assessment exercise, I analyzed an OTP (One-Time Password) verification flow and identified a logical weakness in how the verification result is handled on the client side. This writeup explains the issue from a technical perspective for educational purposes.
In many applications, OTP verification is used to confirm user identity during registration or authentication. In this case, the application relied on a JSON response to determine whether the OTP was valid.
During the verification process, the application sends a request to a backend endpoint and receives a response in the following format:
{
"success": false,
"message": "Invalid verification code."
}
The client-side application uses this response to decide whether the verification step is successful.
Reproduction Steps
- Initiate a registration process using any email address.
- Proceed to the OTP verification step.
- Enter an arbitrary OTP value (e.g., 111111).
- Intercept the request/response using a proxy tool (e.g., Burp Suite).
- Observe the server response indicating failure.
- Modify the response as follows:
{
"success": true,
"message": "Invalid verification code."
}
- Forward the modified response to the application.
- The client proceeds as if the OTP verification was successful.
The issue arises because the client-side application trusts the verification result carried in the response, while the server does not independently enforce that the OTP was actually accepted before the flow is allowed to continue.
Security-sensitive decisions, such as authentication and verification, must always be enforced on the server side. Any reliance on client-side data introduces the risk of manipulation.
This example highlights how trusting client-controlled data can introduce logical flaws in authentication mechanisms. Proper validation design is essential to ensure secure workflows.
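To make the root cause and the fix concrete, here is an added example that is not part of the original writeup or of the affected application. It models the flow in plain Python with constructed in-memory stores (no real backend): the `verify_otp` function stands in for the verification endpoint and returns the same `{"success": ..., "message": ...}` shape shown above; `vulnerable_client_flow` reproduces the client that acts on the `success` field (the `tamper` flag plays the role of the modified proxy response); and `complete_registration` shows the server-side check that makes the tampered response useless, because it consults the server's own record of which OTPs were accepted rather than anything the client believes. All function names, the `"Verified."` message and the `"OTP verification required."` message are assumptions made for this example.

```python
# Added example (not the original writeup's code): minimal model of an OTP
# verification flow, showing why a client-side "success" check is bypassable
# and how server-side state neutralises a tampered response.
import hmac
import secrets

# Constructed in-memory stores standing in for a database / session backend.
# In a real system these would be keyed by a server-side session id, not by
# a client-supplied email.
PENDING_OTPS = {}   # email -> OTP the server expects
VERIFIED = set()    # emails whose OTP the server itself has accepted


def issue_otp(email):
    """Server: generate and store a 6-digit OTP for this registration."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTPS[email] = code
    return code  # would be sent by email in a real system


def verify_otp(email, submitted):
    """Server: the verification endpoint. Returns the JSON-like dict the
    client sees. On success the result is recorded server-side; the client
    never gets to assert 'verified' on its own."""
    expected = PENDING_OTPS.get(email)
    if expected is not None and hmac.compare_digest(expected, submitted):
        del PENDING_OTPS[email]          # one-time use
        VERIFIED.add(email)
        return {"success": True, "message": "Verified."}
    return {"success": False, "message": "Invalid verification code."}


def complete_registration(email):
    """Server: the protected step after OTP. It consults only server-side
    state, so a forged 'success' in the earlier response changes nothing."""
    if email not in VERIFIED:
        return {"success": False, "message": "OTP verification required."}
    return {"success": True, "message": "Account created."}


# --- Vulnerable client logic: trusts the response body ---------------------
def vulnerable_client_flow(email, submitted, tamper=False):
    """Client: shows the 'next' screen purely because resp["success"] is
    true. `tamper=True` models the response being edited in a proxy."""
    resp = verify_otp(email, submitted)
    if tamper:
        resp = dict(resp, success=True)  # the intercept-and-modify step
    return resp["success"]


# --- Hardened flow: the client's belief is irrelevant ----------------------
def hardened_flow(email, submitted, tamper=False):
    """Returns (server_allowed, client_thought_ok). Whatever the client
    decided, the server re-checks its own record before granting access."""
    client_thinks_ok = vulnerable_client_flow(email, submitted, tamper)
    return complete_registration(email)["success"], client_thinks_ok


if __name__ == "__main__":
    code = issue_otp("user@example.test")
    # Wrong code + tampered response: client proceeds, server still refuses.
    print(hardened_flow("user@example.test", "111111", tamper=True))  # (False, True)
    # Correct code: both agree.
    print(hardened_flow("user@example.test", code))                   # (True, True)
```

The point of the split is that `VERIFIED` is written only by `verify_otp` after a real comparison, and read only by the server in `complete_registration`; the client's decision path (`vulnerable_client_flow`) can be fooled by a modified response, but that only changes which screen the client renders, not what the server will subsequently allow.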
