OP 02 November, 2024 - 11:28 AM
This post demonstrates several methods for bypassing OTP (One-Time Password) verification during account registration or login using Burp Suite. Where an application is vulnerable, these techniques lead to unauthorized access to user accounts, i.e. account takeover. The guide is intended for educational purposes, to help you recognise common weaknesses in OTP flows and improve your penetration-testing skills.
Method 1: Response Manipulation During Registration
- Register an Account:
- Register an account with a mobile number and request an OTP.
- Capture the Request:
- Enter an incorrect OTP and capture the verification request in Burp Suite.
- Intercept the Response:
- In Burp Suite's "Proxy" tab, with the request held in "Intercept", click "Action" -> "Do intercept" -> "Intercept response to this request" so that the server's reply is also stopped for editing.
The response will look like:
Code:
{"verificationStatus":false,"mobile":"9072346577","profileId":"84673832"}
Change the response to:
Code:
{"verificationStatus":true,"mobile":"9072346577","profileId":"84673832"}
Edit the intercepted response in the Proxy's "Intercept" window before forwarding it; the "HTTP history" tab is read-only, so a response can only be modified while it is held in Intercept.
Forward the Response:
Forward the modified response by clicking on the "Forward" button.
Outcome:
If the application decides on the client side that verification passed (for example, its JavaScript reads this flag and moves on to the post-verification step), registration completes and you are logged into the new account even though the OTP was wrong. If the server records the verification result itself, the next request fails and the edited flag has no effect; that follow-up request is the check that tells you whether the finding is real.
Method 2: Response Manipulation During Login
- Request an OTP:
- Go to the login page and request an OTP.
- Capture the Request:
- Enter an incorrect OTP and capture the request in BurpSuite.
- Intercept the Response:
- In BurpSuite, intercept the response to the OTP verification request.
- The response will indicate an error (e.g., incorrect OTP).
- Modify the Response:
- Change the response to indicate success (e.g., replace {"status":"error"} with {"status":"success"}).
Forward the Response:
Forward the modified response by clicking on the "Forward" button.
Outcome:
If the client trusts the response, you are logged into the account without ever supplying the correct OTP.
Method 3: Intercept and Modify Response Status
- Register two accounts with any two mobile numbers. For the first account, enter the correct OTP so that you can see what a successful verification response looks like.
- Capture the Request:
- Intercept your request in BurpSuite.
- Intercept the Response:
- Click on "Action" -> "Do intercept" -> "Intercept response to this request".
- Check the Response:
- Check the response message for a status, e.g., status:1.
- Repeat with Incorrect OTP:
- Follow the same procedure with the other account but enter an incorrect OTP this time.
- Capture and Modify:
- Intercept the response to the request and note the message status, e.g., status:0.
- Change the status to status:1.
Forward the Response:
Forward the modified response by clicking on the "Forward" button.
Outcome:
If you are logged in, you have successfully bypassed authentication.
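Methods 1 to 3 all exploit the same design flaw: the browser, not the server, decides that the OTP step passed. The following added simulation (constructed for this page, not code from the post or from any real application) models the verification request, the edit made in the Intercept window for each of the three response shapes shown above, and a vulnerable versus a hardened post-verification step. Function names, the session handling and the client logic are assumptions; the field names and sample values are the ones on the page.

```python
# Added example: a minimal simulation of the verification flow that Methods 1-3
# manipulate.  The endpoint names, the session handling and the client logic are
# assumptions for illustration; no real service is contacted.
import json
import secrets

OTP_STORE = {}   # profileId -> OTP currently valid for that profile
SESSIONS = {}    # sessionId -> server-side session state


def start_verification(profile_id: str, mobile: str):
    """Server side of 'request an OTP': issue a code and a session for the browser.
    The OTP is returned only so the caller can play the role of the phone."""
    otp = f"{secrets.randbelow(10**6):06d}"
    OTP_STORE[profile_id] = otp
    session_id = secrets.token_hex(8)
    SESSIONS[session_id] = {"profileId": profile_id, "mobile": mobile, "otpVerified": False}
    return session_id, otp


def verify_otp(session_id: str, otp: str) -> str:
    """Server side of the OTP verification request; returns the JSON body seen in Burp."""
    sess = SESSIONS[session_id]
    ok = secrets.compare_digest(OTP_STORE.get(sess["profileId"], ""), otp)
    if ok:
        sess["otpVerified"] = True   # the fact that verification passed lives server-side
    return json.dumps({"verificationStatus": ok, "mobile": sess["mobile"],
                       "profileId": sess["profileId"]})


def tamper_response(body: str) -> str:
    """The edit made in the Intercept window: flip the success indicator.
    Covers the three shapes on the page: verificationStatus:false, status:"error", status:0."""
    data = json.loads(body)
    for key in ("verificationStatus", "status"):
        if key not in data:
            continue
        value = data[key]
        if isinstance(value, bool):      # bool must be tested before int
            data[key] = True
        elif isinstance(value, int):
            data[key] = 1
        elif isinstance(value, str):
            data[key] = "success"
    return json.dumps(data)


def complete_vulnerable(session_id: str, response_body: str) -> str:
    """Client-side gate: the front end reads the flag and, if it is truthy, moves on to
    the post-verification step; the server never re-checks.  The attacker controls
    response_body, so a forged flag is enough."""
    if json.loads(response_body)["verificationStatus"]:
        return "logged in as " + SESSIONS[session_id]["profileId"]
    return "denied"


def complete_hardened(session_id: str, response_body: str) -> str:
    """Server-side gate: whatever the client saw, only the recorded state counts."""
    if SESSIONS[session_id]["otpVerified"]:
        return "logged in as " + SESSIONS[session_id]["profileId"]
    return "denied"


if __name__ == "__main__":
    sid, real_otp = start_verification("84673832", "9072346577")
    guess = "000000" if real_otp != "000000" else "111111"   # a guaranteed wrong OTP
    wrong = verify_otp(sid, guess)
    print("server said:", wrong)
    forged = tamper_response(wrong)
    print("vulnerable app after forged response:", complete_vulnerable(sid, forged))
    print("hardened app after forged response:  ", complete_hardened(sid, forged))
    print("hardened app after real OTP:         ",
          complete_hardened(sid, verify_otp(sid, real_otp)))
```

The practical check during a test is the follow-up request: if the server treats the next step as authorised only because the client claimed success, the finding is real; if it consults its own record of the OTP result, editing the response changes nothing.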
Method 4: Bypass OTP in Registration Forms Using Repeater
- Create an account with a phone number you do not control (for example a non-existent one).
- Intercept the Request:
- Intercept the request that asks the server to send the OTP in Burp Suite.
- Use Repeater:
- Send the request to the repeater by right-clicking on the request and selecting "Send to Repeater".
- Modify the Phone Number:
- Go to the Repeater tab and change the non-existent phone number to your phone number.
- Use Received OTP:
- Send the modified request from Repeater. The OTP is now delivered to your phone; enter it on the verification page for the account registered with the original number. If it is accepted, the server sends the OTP to whatever number the request specifies while still verifying the account created in the first step.
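As an added illustration of why Method 4 works (this is constructed example code, not code from the post or from any real application), the following simulates a registration service whose "send OTP" endpoint delivers the code to the phone number found in the request body instead of the number bound to the pending registration. All function and variable names are assumptions; SMS_OUTBOX stands in for the SMS gateway, and the victim number is the sample number used on the page.

```python
# Added example for Method 4: a simulated registration service in which the
# "send OTP" endpoint delivers the code to the number in the request body rather
# than the number bound to the pending registration.  All names are assumptions
# for illustration; SMS_OUTBOX stands in for the SMS gateway.
import secrets

PENDING = {}      # registrationId -> {"mobile", "otp", "verified"}
SMS_OUTBOX = {}   # phone number -> last OTP delivered to it


def register(mobile: str) -> str:
    """Step 1 of the post: create an account with a number you do not control."""
    rid = secrets.token_hex(4)
    PENDING[rid] = {"mobile": mobile, "otp": None, "verified": False}
    return rid


def _issue_otp(rid: str, deliver_to: str) -> None:
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING[rid]["otp"] = otp          # bound to the registration...
    SMS_OUTBOX[deliver_to] = otp       # ...but delivered wherever we are told


def send_otp_vulnerable(rid: str, mobile_in_request: str) -> None:
    """The request edited in Repeater: the server trusts the phone field it receives."""
    _issue_otp(rid, mobile_in_request)


def send_otp_hardened(rid: str, mobile_in_request: str) -> None:
    """Fix: ignore the client-supplied number and use the one stored at registration."""
    _issue_otp(rid, PENDING[rid]["mobile"])


def verify(rid: str, otp: str) -> bool:
    """Verification is tied to the registration record, not to the delivery number."""
    rec = PENDING[rid]
    if rec["otp"] is not None and secrets.compare_digest(rec["otp"], otp):
        rec["verified"] = True
    return rec["verified"]


def attack(send_otp, victim: str = "9072346577", attacker: str = "9000000000") -> bool:
    """Register with the victim's number, redirect delivery to the attacker's phone,
    then verify with whatever arrived there.  True means the victim's number is now
    attached to an account the attacker controls."""
    SMS_OUTBOX.pop(attacker, None)     # fresh handset for each run
    rid = register(victim)
    send_otp(rid, attacker)
    received = SMS_OUTBOX.get(attacker)
    return received is not None and verify(rid, received)


if __name__ == "__main__":
    print("vulnerable endpoint, attack succeeds:", attack(send_otp_vulnerable))
    print("hardened endpoint, attack succeeds:  ", attack(send_otp_hardened))
```

The hardened variant still accepts the phone field in the request (real endpoints often do), but it never uses it for delivery; the number of record is the one captured at registration.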
Method 5: No Rate Limiting
- Create an account.
- Capture the Request:
- When the application asks for the OTP, enter an incorrect OTP and capture the verification request in Burp Suite.
- Use Intruder:
- Send this request to Intruder by right-clicking on the request and selecting "Send to Intruder" (Repeater is fine for a few manual tries, but the payload loop is an Intruder job).
- Check for Rate Limiting:
- Mark the OTP value as the payload position and use a numeric payload covering the whole code space (000000 to 999999 for a six-digit OTP, 0000 to 9999 for a four-digit one). Try the common default codes first.
- If there is no rate limit or lockout, the requests keep being answered; sort the results by status code or response length and look for the one response that differs from the error response.
Outcome:
If one request returns 200 OK or 302 Found (or a different response length) while the others return the error, you have guessed the OTP. A six-digit code needs at most 1,000,000 requests, so this is only feasible when the server neither throttles attempts nor invalidates the OTP after a few failures.
Additional Test Cases for Bypassing OTP
- Default OTPs:
- Test common default OTPs like 111111, 123456, 000000.
- Leaked OTP in Response:
- Capture the request that sends the OTP and inspect the response body (and any later responses) for the OTP itself or for a hash of it.
- Old OTP Validity:
- After requesting a new OTP, check whether the previous one is still accepted, and whether an OTP that has already been used successfully can be submitted again.
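As an added example covering Method 5 and the additional test cases above (constructed for this page, not code from the post), the block below simulates an OTP verification endpoint whose weaknesses can be switched on and off, together with the guessing loop that Burp Intruder performs with a numeric payload. It shows what the brute force costs when there is no rate limit, how an attempt limit stops it, and how single-use and expiry rules decide whether an old OTP is still valid. Class and method names, the status codes and the fixed OTP values are assumptions for illustration.

```python
# Added example for Method 5 and the additional test cases: a simulated OTP
# endpoint whose weaknesses can be switched on and off, plus the guessing loop
# that Burp Intruder performs with a numeric payload.  Names and the fixed OTP
# are assumptions for illustration; nothing here talks to a real service.
import itertools
import secrets

DEFAULT_OTPS = ["111111", "123456", "000000"]   # the default codes listed on the page


class OtpService:
    """Simulated /verify-otp.  max_attempts=None means no rate limiting;
    single_use=False means an already-used code stays valid; ttl is in seconds."""

    def __init__(self, max_attempts=None, single_use=True, ttl=300):
        self.max_attempts = max_attempts
        self.single_use = single_use
        self.ttl = ttl
        self.accounts = {}   # account -> {"otp", "issued", "attempts", "used"}

    def issue(self, account: str, now: float = 0.0, otp: str = None) -> str:
        """Send a code; `otp` may be fixed so a test can predict the brute-force cost."""
        otp = otp or f"{secrets.randbelow(10**6):06d}"
        self.accounts[account] = {"otp": otp, "issued": now, "attempts": 0, "used": False}
        return otp

    def verify(self, account: str, candidate: str, now: float = 0.0) -> int:
        """Returns an HTTP-style status: 200 accepted, 401 rejected, 429 locked out."""
        rec = self.accounts[account]
        if self.max_attempts is not None and rec["attempts"] >= self.max_attempts:
            return 429                       # rate limiting / lockout in effect
        rec["attempts"] += 1
        if self.single_use and rec["used"]:
            return 401                       # old, already-used OTP is refused
        if now - rec["issued"] > self.ttl:
            return 401                       # expired OTP is refused
        if secrets.compare_digest(rec["otp"], candidate):
            rec["used"] = True
            return 200
        return 401


def brute_force(service: OtpService, account: str, now: float = 0.0):
    """What Intruder does: try the default codes, then 000000..999999, and stop at
    the first response that differs (200) or at lockout (429).
    Returns (otp_found_or_None, requests_sent)."""
    candidates = itertools.chain(DEFAULT_OTPS, (f"{i:06d}" for i in range(10**6)))
    sent = 0
    for candidate in candidates:
        status = service.verify(account, candidate, now)
        sent += 1
        if status == 200:
            return candidate, sent
        if status == 429:
            return None, sent
    return None, sent


if __name__ == "__main__":
    unlimited = OtpService(max_attempts=None)
    unlimited.issue("victim", otp="004242")
    print("no rate limit:", brute_force(unlimited, "victim"))

    limited = OtpService(max_attempts=5)
    limited.issue("victim", otp="004242")
    print("5-attempt limit:", brute_force(limited, "victim"))

    lax = OtpService(single_use=False)
    lax.issue("victim", otp="555555")
    print("reuse of used OTP:", lax.verify("victim", "555555"), lax.verify("victim", "555555"))
```

The lockout check runs before the attempt counter is incremented and before any comparison, so once the limit is reached the endpoint stops leaking whether a guess was right; the reuse and expiry checks run before the comparison for the same reason.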