🕵️
HowToHunt
  • HowToHunt.md
  • API Testing
    • Hidden API Functionality Exposure
    • Reverse Engineer an API
  • Account Takeover Methodology
    • Account Takeover Methodology
  • Application Level DoS
    • Application Level DoS Methods
  • Authentication Bypass
    • 2FA Bypasses
    • OTP Bypass
    • Account Ban Bypass
  • Broken-Link Hijacking
    • Broken-Link Hijacking
  • Broken Auth And Session Management
    • Session Based Bugs
  • CMS
    • AEM
    • Drupal
    • Wordpress
    • Moodle
  • CORS
    • CORS
    • CORS Bypasses
  • CSRF
    • CSRF
    • CSRF MindMap
    • CSRF Bypass
  • Finding CVEs
    • CVES
  • CheckList
    • Web Application Pentesting Checklist
    • Web Checklist by Chintan Gurjar.pdf
    • Web Checklist by Tushra Verma.pdf
    • Mindmap by Rohit Gautam
    • Mindmap by Cristian Cornea
  • Web Page Source Code Review
    • Web Page Code Review Tips
  • EXIF Geo Data Not Stripped
    • EXIF Geo Data Not Stripped
  • File Upload Bypass
    • File Upload Bypass
  • Find Origin IP
    • Find Origin
  • GraphQL
    • GraphQL
  • HTTP Desync Attack
    • HTTP_Desync
  • Host-Header Attack
    • Host-Header
  • HTML-Injection
    • HTML-Injection
  • IDOR
    • IDOR
  • JWT ATTACK
    • JWT
  • JIRA ATTACK
    • JIRA
  • MFA Bypass
    • MFA Bypasses
    • 2FA-Bypass
  • Misconfigurations
    • Default Credential And Admin Panel
    • Docker
    • S3 Bucket
  • OAuth
    • OAuth
    • OAuth Hunting
  • Open Redirection
    • Find OpenRedirect Trick
    • Open Redirection Bypass
  • Parameter Pollution
    • Parameter Pollution In Social Sharing Buttons
  • Password Reset Functionality
    • MindMap
    • Password Reset Token Leakage
    • Account_Takeover_By_Password_Reset_Functionality
    • Password_Reset_Flaws
  • Rate Limit
    • Rate Limit Flaws
    • Rate-Limit Bypass
    • No Rate-Limit on Verify-PhoneNo
    • No Rate-limit on Invite User
    • No Rate-limit on Promo
    • No Rate-limit on Verify-email
    • No Rate-limit on forget-password
  • Race Condition
    • Race Condition
  • Recon
    • Github
    • Recon Workflow
    • Subdomain Enumeration
  • SQLi
    • SQL Injection.md
  • SAML
    • SAML
  • SSRF
    • SSRF
    • Blind SSRF
  • SSTI
    • SSTI
  • Sign Up Functionality
    • Sign Up Bugs
    • Sign Up MindMap
  • Sensitive Info Leaks
    • Github Recon Method
    • Github-Dorks
    • Github Dorks All
    • Google Dorks
    • Shodan CVE Dorks
    • Version Leaks
  • Status Code Bypass
    • Status_Code_Bypass Tips
    • 403 Bypass
  • Subdomain Takeover
    • Subdomain Takeover - Detail Method
    • Subdomain Takeover - Easy Method
    • Subs or Top level Domain
  • Tabnabbing
    • Tabnabbing
  • WAF Bypasses
    • WAF Bypass Using Headers
  • Weak Password Policy
    • Weak Password Policy
  • XSS
    • XSS
    • Bypass CSP
    • XSS Bypass
    • Automated XSS
    • Post Message Xss
  • XXE
    • XXE Methods
    • Billion Laugh Attack
Powered by GitBook
On this page
  • Introduction
  • OTP Bypass via Response Manipulation
  • Method 1: Manipulating OTP Verification Response
  • Method 2: Changing Error Response to Success
  • Method 3: OTP Verification Across Multiple Accounts
  • OTP Bypass Using Form Resubmission in Repeater
  • Bypassing OTP with No Rate Limiting
  • Steps:
  • Additional OTP Bypass Test Cases
  • 1. Default OTP Values
  • 2. OTP Leakage in Server Response
  • 3. Checking if Old OTP is Still Valid
  • Rate Limiting Attack on OTP Verification
  • Steps:
  • Contributors
  1. Authentication Bypass

OTP Bypass

Introduction

One-Time Passwords (OTP) are commonly used for authentication and verification in account registration, login, and critical actions. However, poor OTP implementations can lead to authentication bypass, account takeover, and unauthorized access.

This document outlines various OTP bypass techniques, including response manipulation, rate limit exploitation, default OTP usage, and session validation flaws.

OTP Bypass via Response Manipulation

Method 1: Manipulating OTP Verification Response

Steps:

  1. Register an account with a mobile number and request an OTP.

  2. Enter an incorrect OTP and capture the request using Burp Suite.

  3. Intercept and modify the server's response:

    • Original response:

      {"verificationStatus":false,"mobile":9072346577,"profileId":"84673832"}

    • Change to:

      {"verificationStatus":true,"mobile":9072346577,"profileId":"84673832"}

  4. Forward the manipulated response.

  5. The system authenticates the account despite the incorrect OTP.

Impact:

  • Full account takeover without providing a valid OTP.

Method 2: Changing Error Response to Success

Steps:

  1. Go to the login page and enter your phone number.

  2. When prompted for an OTP, enter an incorrect OTP.

  3. Capture the server response:

    { "error": "Invalid OTP" }

  4. Modify it to:

    { "success": "true" }

  5. Forward the response.

  6. If the server accepts this modification, you gain access without entering a valid OTP.

Impact:

  • Authentication bypass leading to account takeover.

Method 3: OTP Verification Across Multiple Accounts

Steps:

  1. Register two different accounts with separate phone numbers.

  2. Enter the correct OTP for one account and intercept the request.

  3. Capture the server response and note status:1 (success).

  4. Now, attempt to verify the second account with an incorrect OTP.

  5. Intercept the server response where the status is status:0 (failure).

  6. Change status:0 to status:1 and forward the response.

  7. If successful, you bypass OTP authentication.

Impact:

  • Bypassing OTP verification for multiple accounts.

OTP Bypass Using Form Resubmission in Repeater

Steps:

  1. Register an account using a non-existent phone number.

  2. Intercept the OTP request in Burp Suite.

  3. Send the request to Repeater and forward it.

  4. Modify the phone number in the request to your real number.

  5. If the system sends the OTP to your real number, use it to register under the fake number.

Impact:

  • Unauthorized account registration using someone else's OTP.

Bypassing OTP with No Rate Limiting

Steps:

  1. Create an account and request an OTP.

  2. Enter an incorrect OTP and capture the request in Burp Suite.

  3. Send the request to Burp Intruder and set a payload on the OTP field.

  4. Set payload type as numbers (000000 to 999999).

  5. Start the attack.

  6. If no rate limit is enforced, the correct OTP will eventually match.

Impact:

  • Complete OTP bypass through brute force.

Additional OTP Bypass Test Cases

1. Default OTP Values

  • Some applications use default OTP values such as:

    111111, 123456, 000000

  • Test common default values to check for misconfigurations.

2. OTP Leakage in Server Response

  • Some applications leak OTPs in API responses.

  • Intercept OTP request responses and check if OTP is present.

3. Checking if Old OTP is Still Valid

  • Some systems allow the reuse of old OTPs.

  • Test if previously used OTPs are still accepted.

Rate Limiting Attack on OTP Verification

Steps:

  1. Navigate to the OTP verification endpoint:

    https://abc.target.com/verify/phoneno

  2. Enter an invalid OTP (e.g., 000000).

  3. Intercept the request and send it to Intruder.

  4. Set the OTP field as the payload position.

  5. Use payload type: numbers and define a range (000000 - 999999).

  6. Start the attack.

  7. Identify a response length change, which may indicate the correct OTP.

Impact:

  • Brute-force attack leading to OTP bypass and account takeover.

Contributors

  • @akshaykerkar13

  • @Yn0tWhy

  • @Virdoex_hunter

  • @febinrev

  • @fani_malik

  • @v3daxt

  • @prakhar0x01

Enhanced and reformatted for HowToHunt repository by remonsec

Previous2FA BypassesNextAccount Ban Bypass

Last updated 13 days ago