How finding origin IP got me an ATO

Muhammed K. Sayed
2 min readAug 3, 2023

السلام عليكم ورحمة الله وبركاته

Hi Brothers, i hope you’re fine insha’allah, our bug today demonstrates how hacking an origin IP differs from the main domain which may have a firewall like CloudFlare

First of all, we will call out target

our, have a login page that needs only your email, and it will send an OTP to your email, you gotta be thinking rn, he should try bypassing the rate limit, i already have done that BUT, you when you enter a wrong code you get

“user_message”: “Incorrect code 9 attempts remaining.”


then it becomes 8 and so on, it was kinda not vulnerable, i was collaborating with my homie Omar Ahmed, he sent me one of their origin IPs he has found during shodan dorking phase, we attempted without an expectation of not getting blocked there, but when we tried, it gave us that message “user_message”: “Incorrect code 9 attempts remaining.” every time without decreasing the amount of the attempts remaining

And by that we could have hacked any account in less than 10 mins using turbo intruder:)

Lessons i’ve learned in this experience

when we were collecting the biggest amount of origin IPs, we checked SSL Details from

Certificate details

what really got my attention is that serial number, i said to myself can i dork in shodan with just the SERIAL NUMBER? i gave it a shot and found that i can do this using the following dork

ssl.cert.serial: xxxxxxxxxxxxxxxxxxxx

and guess what i got like more than 22 working IP :)

But unfortunately, the corp we were hacking on gave us the least amount of bounty they could have pay:) saying that the complexity of the attack is high and some non realistic things to avoid paying at least the highest amount of high severity

this field has it’s dark side as the bright side:), i hope you have enjoyed reading this one!
see you in my other 0-Click ATO write-up

my twitter account

my GitHub account https:/