
Question about BURP SUITE, capturing OTP

by GabrielAce - 05 June, 2024 - 12:57 PM
#1
Hey guys, so I'm trying to see if there's a possibility to bypass OTP using BURP suite, by using the endpoint link of the OTP, intercepting the HTTP request and trying to modify it.

Thing is I've come to the conclusion that it's not doable because the site gives every user a unique session ID or something of the like. 
Would this make it impossible to bypass using BURP suite? 

It's an SMS based OTP, 6 figures. 

I know one can try to brute-force the OTP, but the site has a rate limit and it would take quite some time to get a six-figure combination, as the OTP window is probably active for like 3-5 minutes.
sushichan  
#3
(This post was last modified: 16 June, 2024 - 05:47 AM by sushichan.)
There is a better solution, a MITM attack: phishing the user by proxying the real website through your phishing site, capturing sessions / localstorage, credentials, MFA / OTP and whatever else you would like. This will give you full control of their account, obviously as long as your phishing campaign is credible enough and you've put some effort and detail into it.

Another way would be to conduct a similar form of social engineering by using OTP bots or by simply calling / emailing / SMS-ing the target yourself, that is if you already happen to have the necessary, such as their credentials and other information that you might need.
