How I Achieved a “Critical Hit” on a Bug Bounty Platform: Bypassing OTP via Response Manipulation
Evangeliux
April 1, 2026 (Updated: April 1, 2026)
Introduction
In bug bounty work we constantly repeat the golden rule: "Never trust the client." Even large platforms still get it wrong. In this post I break down how I found a critical authentication bypass on a major European retail platform by doing nothing more than "lying" to the browser with Burp Suite: rewriting a failed OTP verification response so the frontend believed the code was correct, and finding that the backend never checked otherwise.
The Discovery Phase
While testing the registration flow of the target (let's call it redacted.com), I noticed that after entering an email address the system sends a 6-digit OTP to that address to prove ownership. I submitted an arbitrary code (123456) and intercepted the server's response in Burp Suite.
Original error response:

    Status: 400 Bad Request
    Body:
    {
      "httpStatus": 400,
      "status": "VerifySignUpInvalidToken",
      "attemptsLeft": 2,
      "emailHash": "a1b2c3d4..."
    }
The Exploitation (The "Magic" Trick)
The vulnerability was a classic case of insecure client-side trust. The frontend looked for a specific success status in the JSON response before letting the user proceed to the next step, and, as the result below shows, the backend did not independently require a successful OTP check before accepting a password for the new account. A client-side gate on its own is not a flaw; the flaw is that nothing server-side enforced the same gate. Using Burp Suite's "Intercept Response" feature (Proxy > Options > Intercept Server Responses), I rewrote the failed state into a successful one.
Manipulated response:

    Status: 200 OK
    Body:
    {
      "httpStatus": 200,
      "status": "VerifySignUpValidToken",
      "emailHash": "a1b2c3d4..."
    }

Note: I deliberately kept the emailHash so the frontend still had its reference to the signup session, and dropped the attemptsLeft field, which has no meaning in a success response.
Result: the frontend was deceived immediately. The "Invalid Code" error disappeared and I was redirected to the "Set Password" page. I set a password and the account was created. It remained persistent and fully functional after several refreshes, which confirms the backend completed account creation without ever having received a valid OTP; a purely cosmetic client-side bypass would not have survived a reload.
The Outcome
The impact was rated Critical (CVSS 9.1) because it allowed an attacker to register an account under any email address without ever proving ownership of it, i.e. full identity claiming on the platform. The target company eventually marked this specific scenario as "Accepted Risk", citing their internal cleanup policies, but the technical severity was undeniable.
If you enjoyed this write-up, feel free to follow me for more bug bounty journeys!
#bug-bounty #web-security #infosec #bypass #cybersecurity