[Tutorial] HOW TO BYPASS OTP VERIFICATION

[Tutorial] HOW TO BYPASS OTP VERIFICATION

SHUBOY

Ok LET's START...!

Hello HACKERS , I AM @Shuboy_18 here to demonstrate you step by step OTP (one-time passwords)Verification bypass through Modifying Request or Response.

Before starting first we will understand OTP Verification.

Sometimes when you are going to register a new account , Re-login and want to add the new number on the application , Then it asks you to verify your phone number.

By using one-time verification (OTP) Method.

In which that application send a code on your mobile number by SMS, and you have to enter it your mobile number on that Application to verify your account.

Modifying Request or Response Manipulation is straight-forward an attacker first observes Request or Response behaviour of an application.

Once he understands application behaviour then attacker can easily try to manipulate Response according to valid Response.

In this case, the Attacker first,capture valid Request and send to the repeater to get a response.

Analyze the Response then attacker trying to manipulate Response according to valid Response.

@techyhacky
@techyhacky

In this case, I want to add a number without verifying and entering valid OTP.

Above screenshot ,you can see the number I entered now click on Save Phone Number Popup box will appear and ask for entering valid OTP.

@techyhacky

 Here I entered wrong OTO 11111

@techyhacky

Now setup burpsuite and configure with the web browser.

Turn on the intercepter and Now capture invalid OTP requests after request captured Right click and Do Intercept → Response to this request.

@techyhacky

When attacker clicks on Response to this request then she will get a response of particuar requests.

So an attacker can easily observe the behaviour of an application function.

You observe that {“status” : ”failed”}


@techyhacky


It’s a clear indication we can bypass OTP verification.Now change response failed to success {“status” : ”failed”} → {“status” : ”success”}


@techyhacky

Turn off the intercept button and look at the application,

OTP Verification has been bypassed

Join Our Telegram Channel👇


@techyhacky

@learnhackinn


Any doubts / suggestions DM @Shuboy_18.🖤

I am here to help u.!

Report content on this page

Report Page

Please submit your DMCA takedown request to dmca@telegram.org