Question about BURP SUITE, capturing OTP

[49]

Hey guys, so I'm trying to see if there's a possibility to bypass OTP using BURP suite, by using the endpoint link of the OTP and intercepting the HTTP request and try to modify it. 

Thing is I've come to the conclusion that it's not doable because the site gives every user a unique session ID or something of the like. 
Would this make it impossible to bypass using BURP suite? 

It's an SMS based OTP, 6 figures. 

I know one can try to bruteforce the OTP but site has a ratelimit and it would take quite some time to get a six figure combination as the OTP window is probably active for like 3-5 minutes.

[44]

Well, it is difficult to bypass with ur current endpoint. Try with different ones and change the User Agents, those play a good role

[88]

there is a better solution, a MITM attack, phishing the user by proxying the real website thru your phishing site, capturing sessions / localstorage, credentials, MFA / OTP and whatever else you would like, this will give you full control of their account, obviously as long as your phishing campaign is credible enough and you've put some effort and detail into it.

---

there is a better solution, a MITM attack, phishing the user by proxying the real website thru your phishing site, capturing sessions / localstorage, credentials, MFA / OTP and whatever else you would like, this will give you full control of their account, obviously as long as your phishing campaign is credible enough and you've put some effort and detail into it.

another way would be to conduct a similar form of social engineering by using OTP bots or by simply calling / emailing / sms-ing the target yourself, that is if you already happen to have the necessary; such as their credentials and other information that you might need.