BYPASS OTP VERIFICATION HQ BE FAST

  • Leechers leech but please contribute to community we need your support:)

Ruchika oberoi

Administrator
Staff member
Mar 27, 2022
4,040
203
63
LET's START


☆ Hello Members, In this article I’ll demonstrate you steps by steps OTP (one-time passwords)
Verification bypass through Modifying Request or Response.
Before starting first we understand OTP Verification.
Sometimes when you are going to register a new account,
Re-login and want to add the new number on the application,
Then it asks you to verify your phone number.
By using one-time verification (OTP) Method.
In which that application send a code on your mobile number by SMS, a
nd you have to enter it your mobile number on that Application to verify your account.
Modifying Request or Response Manipulation is straightforward:
an attacker first observes Request or Response behaviour of an application.
Once she understands application behaviour then attacker trying to manipulate
Response according to valid Response.
In this case, the Attacker first,
capture valid Request and send to the repeater to get a response.
Analyze the Response then attacker trying to manipulate Response according to valid Response.

You must be registered for see images


You must be registered for see images


☆ In this case, I want to add a number without verifying and entering valid OTP.
Above screenshoot,
you can see the number I entered now click on Save Phone Number.
Popup box will appear and ask for entering valid OTP.

You must be registered for see images


☆ Here I entered wrong OTO 123456

You must be registered for see images


☆ Now setup burpsuite and configure with the web browser.
Turn on the intercept and Now captured invalid OTP requests.
after request captured Right click and Do Intercept → Response to this request.

You must be registered for see images


☆ When attacker clicks on Response to this request then she will get a response of particuar requests.
So an attacker can easily observe the behaviour of an application function.

☆ You observe that {“status” : ”failed”}

You must be registered for see images


☆ It’s a clear indication we can bypass OTP verification.
Now change response failed to success {“status” : ”failed”} → {“status” : ”success”}

You must be registered for see images

☆ Turn off the intercept button and look at the application,
OTP Verification has been bypassed.



☆ Enjoy ~ I LOVE YOU ALL GUYS WHO'll LIKE MY POSTS ~