OTP Bypass
OTP Bypass on Register account via Response manipulation
1. First Method
Register account with mobile number and request for OTP.
Enter incorrect OTP and capture the request in Burpsuite.
Do intercept response to this request and forward the request.
response will be
{"verificationStatus":false,"mobile":9072346577","profileId":"84673832"}
Change this response to
{"verificationStatus":true,"mobile":9072346577","profileId":"84673832"}
And forward the response.
You will be logged in to the account.
Impact: Account Takeover
2. Second Method.
Go to login and wait for OTP pop up.
Enter incorrect OTP and capture the request in Burpsuite.
Do intercept response to this request and forward the request.
response will be
error
Change this response to
success
And forward the response.
You will be logged in to the account.
Impact: Account Takeover
3. Third Method:
Bypassing OTP in registration forms by repeating the form submission multiple times using repeater
Steps :
No Rate Limit
Steps:-
More test cases for bypassing OTP-
Contributors:
Last updated