OTP Authentication Bypass
Improper Authentication (CWE-287)
Test Case 1
Always try response manipulation on OTP verification: flip a 404 to 200 OK, or false to true.
PoC steps:
1. Enter a random mobile number.
2. Enter a random OTP and send the request.
3. Capture the response to the Verify_OTP POST request.
4. Change {"d" : false} to {"d" : true}, or {"status": "fail"} to {"status": "success"}, and forward the modified response.
5. The client accepts the edited response and the OTP step is bypassed.
This only works when the client decides from the response body whether the user is verified. If the server tracks verified state itself, the edited response gets you to the next page but the following requests are rejected, so always confirm with a second request to a post-OTP endpoint.
Test Case 2
MFA code leaked in the response.
PoC steps:
1. Enter a random mobile number and send the request.
2. Capture the response to the Send_Verification_code POST request.
3. The response body contains the code it just sent, e.g. {"code" : "814690" , "resp" : "1"}.
4. Enter that verification code (814690) in the form.
Test Case 3
OTP verification bypass by replacing the failure response with a valid one.
PoC steps:
1. Enter a random mobile number.
2. Enter a random OTP and send the request.
3. Capture the response to the Verify_OTP POST request.
4. Replace the wrong-OTP response body with the body the server returns for a valid OTP, and forward it.
5. The OTP step is bypassed.
Test Case 4
OTP verification bypass via brute force.
PoC steps:
1. Enter the victim's phone number.
2. Submit a sample OTP such as '0000' and capture the request.
3. Send it to Intruder and brute-force the OTP field (use Turbo Intruder for speed) until a valid OTP is found.
4. Copy the OTP into the form and submit.
Check for rate limiting first: a 4-digit code needs at most 10,000 requests and a 6-digit code 1,000,000, so the attack is only practical if the endpoint neither throttles nor invalidates the code after a few wrong attempts.
Test Case 5
1. Log in with email and password.
2. At the OTP screen (example.com/customer/verify-otp), open DevTools -> Application -> Local Storage / Cookies.
3. Change isVerifyAuth to true.
4. Change the URL to example.com/customer/profile.
5. You are authenticated: no OTP was entered and the backend never checked one. The verified state lives entirely in a value the client controls.
Test Case 6
Attacker phase (your own account):
1. Visit https://www.example.com
2. Log in with a valid email and password.
3. When prompted for the OTP, retrieve the real code from your email, SMS or console.
4. Submit the correct OTP.
5. Intercept the response from /api/proxy-service/otp/verify in Burp Suite.
6. Save the successful OTP response body.
Victim phase:
7. Log in with the victim's email and password.
8. When prompted for the OTP, enter any value (e.g. 111111).
9. Intercept the response from /api/proxy-service/otp/verify.
10. Replace the failure JSON with the saved successful response body.
11. Forward the modified response to the client.
You are in without a valid OTP, because the client decides the outcome from the response body. This assumes the attacker already has the victim's password; the OTP is the only control being bypassed.
Test Case 7
Open https://redacted.com/app/login.
I entered my email and password and clicked login. I was redirected to the 2FA code page and did not enter a code.
I tried browsing to an in-app endpoint, https://redacted.com/app/Locations, and it loaded.
I was able to access other endpoints too, without the 2FA verification code.
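As an added example (not code from this page or from any of the reports it collects), a small Python model of the seven test cases above: a server that makes each of the mistakes next to one that keeps the OTP state on its own side and checks it on every post-login endpoint. The endpoint names, the 4-digit code length, the 5-attempt lockout, the isVerifyAuth flag and the JSON shapes are assumptions modelled on the test cases, not taken from any real target.

```python
"""Toy model of an OTP-gated login, constructed for this page (not code from the reports above).
VulnerableServer reproduces the failure modes in Test Cases 1-7; HardenedServer keeps the
2FA state server-side and checks it on every post-login endpoint."""
import secrets
from dataclasses import dataclass, field

OTP_DIGITS = 4    # assumption: 4-digit SMS code, like the '0000' sample in Test Case 4
MAX_ATTEMPTS = 5  # assumption: the hardened server invalidates the code after 5 wrong guesses

@dataclass
class Session:
    user: str
    password_ok: bool = False
    otp: str = ""               # code the server generated; the client never receives it
    otp_verified: bool = False  # server-side 2FA state
    attempts: int = 0
    locked: bool = False
    client_flags: dict = field(default_factory=dict)  # cookies/localStorage the browser holds

class VulnerableServer:
    def login(self, user, otp=None):
        # The password check is assumed to pass; a fixed otp can be supplied for testing.
        code = otp or "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        return Session(user=user, password_ok=True, otp=code)

    def send_code(self, s):
        # BUG (Test Case 2): echoes the code it just "sent" back in the HTTP response.
        return {"code": s.otp, "resp": "1"}

    def verify_otp(self, s, guess):
        # BUG (Test Case 4): no attempt counter, so all 10**OTP_DIGITS codes can be tried.
        ok = secrets.compare_digest(guess, s.otp)
        if ok:
            s.otp_verified = True
        return {"d": ok}

    def profile(self, s):
        # BUG (Test Cases 1/3/5/6): the gate is a value the client controls, so flipping
        # false->true in the response body or in storage is enough.
        return 200 if s.client_flags.get("isVerifyAuth") == "true" else 302

    def locations(self, s):
        # BUG (Test Case 7): an in-app endpoint that never looks at the 2FA state.
        return 200 if s.password_ok else 302

class HardenedServer(VulnerableServer):
    def send_code(self, s):
        return {"resp": "1"}  # the code travels only over the SMS/e-mail channel

    def verify_otp(self, s, guess):
        if s.locked or s.attempts >= MAX_ATTEMPTS:
            s.locked = True
            return {"d": False, "error": "locked"}
        s.attempts += 1
        ok = secrets.compare_digest(guess, s.otp)
        if ok:
            s.otp_verified = True  # the only place this flag is ever set
            s.otp = ""             # single use
        return {"d": ok}

    def _gate(self, s):
        # Every post-login endpoint checks server-side state, never the body or storage.
        return 200 if s.password_ok and s.otp_verified else 302

    profile = _gate
    locations = _gate

# The attacks from the test cases, as functions whose return values can be checked.
def flip_client_flag(server, s):
    """Test Cases 1/3/5/6: edit what the client stores or sees; no valid OTP is ever sent."""
    s.client_flags["isVerifyAuth"] = "true"
    return server.profile(s)

def skip_otp_page(server, s):
    """Test Case 7: browse straight to an in-app endpoint after the password step."""
    return server.locations(s)

def leaked_code(server, s):
    """Test Case 2: read the code out of the send-code response, if it is there."""
    return server.send_code(s).get("code")

def brute_force(server, s, digits=OTP_DIGITS):
    """Test Case 4: try every code in order. Returns (code_or_None, requests_sent)."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        resp = server.verify_otp(s, guess)
        if resp.get("error") == "locked":
            return None, n
        if resp["d"]:
            return guess, n + 1
    return None, 10 ** digits
```

Against VulnerableServer every attack function returns 200 or the code (brute_force finds a 4-digit code in at most 10,000 requests); against HardenedServer flip_client_flag and skip_otp_page return 302, leaked_code returns None, and brute_force returns (None, 5) because the sixth request is refused as locked. The check to carry back to a real target is the same one the model encodes: does an edited response, an edited storage flag, or a direct request to a post-OTP endpoint still work on the next request? If it does, the verified state is client-side.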