One-Time Passwords (OTP) are commonly used for authentication and verification in account registration, login, and critical actions. However, poor OTP implementations can lead to authentication bypass, account takeover, and unauthorized access.
This document outlines various OTP bypass techniques, including response manipulation, rate limit exploitation, default OTP usage, and session validation flaws.
- Register an account with a mobile number and request an OTP.
- Enter an incorrect OTP and capture the request using Burp Suite.
- Intercept and modify the server's response:
  - Original response:
    `{"verificationStatus":false,"mobile":9072346577,"profileId":"84673832"}`
  - Change to:
    `{"verificationStatus":true,"mobile":9072346577,"profileId":"84673832"}`
- Forward the manipulated response.
- The system authenticates the account despite the incorrect OTP.
Impact:
- Full account takeover without providing a valid OTP.
- Go to the login page and enter your phone number.
- When prompted for an OTP, enter an incorrect OTP.
- Capture the server response:
  `{ "error": "Invalid OTP" }`
- Modify it to:
  `{ "success": "true" }`
- Forward the response.
- If the server accepts this modification, you gain access without entering a valid OTP.
Impact:
- Authentication bypass leading to account takeover.
- Register two different accounts with separate phone numbers.
- Enter the correct OTP for one account and intercept the request.
- Capture the server response and note `status:1` (success).
- Now, attempt to verify the second account with an incorrect OTP.
- Intercept the server response where the status is `status:0` (failure).
- Change `status:0` to `status:1` and forward the response.
- If successful, you bypass OTP authentication.
Impact:
- Bypassing OTP verification for multiple accounts.
- Register an account using a non-existent phone number.
- Intercept the OTP request in Burp Suite.
- Send the request to Repeater and forward it.
- Modify the phone number in the request to your real number.
- If the system sends the OTP to your real number, use it to register under the fake number.
Impact:
- Unauthorized account registration using someone else's OTP.
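The response-manipulation and phone-number-swap findings above both come down to the server trusting something the client controls: a verification flag echoed back in a later request, or a phone number supplied at verification time. The following is an added example (not code from the HowToHunt page) of a minimal registration flow in which the verification state, the phone number the code was sent to, and the auth token all live only in a server-side session. The names `start_registration`, `verify_otp`, `get_profile`, `get_profile_vulnerable` and the in-memory `SESSIONS` store are hypothetical; the phone numbers are constructed. Flipping `verificationStatus` in the response fools only the anti-pattern handler, because the hardened one decides on the server-issued token alone.

```python
# Added example (not from the HowToHunt page): server-side verification state.
# All names below are hypothetical; SESSIONS is a constructed in-memory store.
import hmac
import secrets

SESSIONS: dict[str, dict] = {}   # opaque session id -> server-side record


def start_registration(phone: str) -> str:
    """Bind a fresh session to the phone number the OTP is sent to.

    The OTP is generated with a CSPRNG and is never placed in a response.
    """
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {
        "phone": phone,                              # the number that actually received the code
        "otp": f"{secrets.randbelow(10**6):06d}",    # kept server-side only
        "verified": False,
        "token": None,
    }
    return session_id


def verify_otp(session_id: str, submitted_code: str) -> dict:
    """Verification endpoint: the phone number is taken from the session, never from the request."""
    s = SESSIONS.get(session_id)
    if s is None:
        return {"verificationStatus": False}
    if hmac.compare_digest(s["otp"], submitted_code):
        s["verified"] = True
        s["token"] = secrets.token_urlsafe(32)       # auth token is minted only on success
        return {"verificationStatus": True, "token": s["token"]}
    return {"verificationStatus": False}


def get_profile_vulnerable(session_id: str, client_json: dict) -> dict:
    """Anti-pattern: trusts a verification flag that the client sends back."""
    if client_json.get("verificationStatus") is True:
        return {"ok": True, "phone": SESSIONS[session_id]["phone"]}
    return {"ok": False}


def get_profile(token: str) -> dict:
    """Hardened: authorization depends solely on a token the server issued after a real match."""
    for s in SESSIONS.values():
        if s["token"] is not None and hmac.compare_digest(s["token"], token):
            return {"ok": True, "phone": s["phone"]}
    return {"ok": False}


def demo() -> tuple[bool, bool]:
    """Client rewrites the failed response to verificationStatus:true.

    Returns (vulnerable_handler_fooled, hardened_handler_blocked).
    """
    sid = start_registration("+15550000001")         # constructed number
    wrong = "000000" if SESSIONS[sid]["otp"] != "000000" else "000001"
    resp = verify_otp(sid, wrong)                    # genuine failure, no token in the body
    resp["verificationStatus"] = True                # the manipulation from the write-up
    fooled = get_profile_vulnerable(sid, resp)["ok"]
    blocked = not get_profile(resp.get("token", ""))["ok"]
    return fooled, blocked


if __name__ == "__main__":
    print(demo())   # expected: (True, True)
```

The point to check in a review is where the "verified" decision is stored: if any later endpoint reads it from the request body, the finding reproduces; if it reads it from a server-side record or a token minted only inside `verify_otp`, a rewritten response changes nothing.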
- Create an account and request an OTP.
- Enter an incorrect OTP and capture the request in Burp Suite.
- Send the request to Burp Intruder and set a payload on the OTP field.
- Set payload type as numbers (`000000` to `999999`).
- Start the attack.
- If no rate limit is enforced, the correct OTP will eventually match.
Impact:
- Complete OTP bypass through brute force.
- Some applications use default OTP values such as:
  `111111`, `123456`, `000000`
- Test common default values to check for misconfigurations.
- Some applications leak OTPs in API responses.
- Intercept OTP request responses and check if OTP is present.
- Some systems allow the reuse of old OTPs.
- Test if previously used OTPs are still accepted.
- Navigate to the OTP verification endpoint:
  `https://abc.target.com/verify/phoneno`
- Enter an invalid OTP (e.g., `000000`).
- Intercept the request and send it to Intruder.
- Set the OTP field as the payload position.
- Use payload type: numbers and define a range (`000000` to `999999`).
- Start the attack.
- Identify a response length change, which may indicate the correct OTP.
Impact:
- Brute-force attack leading to OTP bypass and account takeover.
Enhanced and reformatted for HowToHunt repository by remonsec