Bypass opt
In this article I’ll demonstrate you steps by steps OTP (one-time passwords) Verification bypass through Modifying Request or Response.
Before starting first we understand OTP Verification. Sometimes when you are going to register a new account, Re-login and want to add the new number on the application, Then it asks you to verify your phone number. By using one-time verification (OTP) Method. In which that application send a code on your mobile number by SMS, and you have to enter it your mobile number on that Application to verify your account.
Modifying Request or Response Manipulation is straightforward: an attacker first observes Request or Response behaviour of an application. Once she understands application behaviour then attacker trying to manipulate Response according to valid Response.
In this case, the Attacker first, capture valid Request and send to the repeater to get a response. Analyze the Response then attacker trying to manipulate Response according to valid Response.
I use valid a temporary number
Enter Your Number
In this case, I want to add a number without verifying and entering valid OTP. Above screenshoot, you can see the number I entered now click on Save Phone Number. Popup box will appear and ask for entering valid OTP.
Asking for valid OTP
Here I entered wrong OTO 123456
Entered wrong OTP
Now setup burpsuite and configure with the web browser. Turn on the intercept and Now captured invalid OTP requests. after request captured Right click and Do Intercept → Response to this request.
Invalid OTP captured requests
When attacker clicks on Response to this request then she will get a response of particuar requests. So an attacker can easily observe the behaviour of an application function.
You observe that {“status” : ”failed”}
Invalid OTP response
It’s a clear indication we can bypass OTP verification. Now change response failed to success {“status” : ”failed”} → {“status” : ”success”}
Change response failed to success
Turn off the intercept button and look at the application, OTP Verification has been bypassed.
OTP Verification bypassed
Thank you
