Bypass OTP validation and Phone Number authentication
Hello Members, in this article I'll demonstrate step by step how an OTP (one-time password) bypass works. Before starting, first understand what a rate-limit attack is.
A brute-force attack is an attempt to log in to an account by rapidly trying many passwords or fuzzed combinations in order to compromise the application. When the application does not throttle these attempts, the attack is called a rate-limit attack.
When you log in with a phone number, the application sends an OTP (one-time password) to that number.
When an attacker enters an invalid OTP, the application returns the error message "OTP Does not match!"
Now set up Burp Suite and configure it with the web browser. Turn on intercept and capture the invalid-OTP request. After the request is captured, right-click and send it to Intruder.
Now select the OTP payload position.
After selecting the payload position, set the payload type to Brute forcer and select the range of the OTP. In my case the OTP length is four digits. Click Start attack.
If the application is vulnerable to a missing rate limit, we will get the valid OTP within 10 to 15 minutes. The invalid-OTP response length is 700 and the valid-OTP response length is 1504.
Now select the valid OTP, move your mouse to the response of the valid OTP, right-click and select Show response in browser. The response URL is copied to your clipboard; paste it into the browser. All the session tokens are copied into the browser.
Now refresh your login page again and you can see we are logged in to the application.
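As an added example (not part of the original article), here is a minimal server-side OTP verifier in Python that removes the condition the walkthrough relies on: each issued code expires after a short time, is invalidated after a fixed number of wrong guesses, and is consumed on success, so the code space cannot be enumerated with Intruder. The phone number, attempt budget, TTL and in-memory store are assumptions for illustration.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6            # assumption: longer than the four digits in the article
MAX_ATTEMPTS = 5          # wrong guesses allowed per issued code
OTP_TTL_SECONDS = 300     # code is valid for five minutes

# In-memory store, keyed by phone number (assumption; use a shared cache in production):
# {phone: {"otp": str, "issued": float, "attempts": int}}
_store = {}


def issue_otp(phone, now=None):
    """Generate a fresh random OTP for the number and reset its attempt counter."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    _store[phone] = {"otp": code, "issued": now, "attempts": 0}
    return code


def verify_otp(phone, submitted, now=None):
    """Return True only for a correct, unexpired OTP within the attempt budget.

    Every wrong guess burns one attempt; reaching the budget or the TTL deletes the
    code, so the user must request a new one and an attacker cannot iterate the
    whole 10**OTP_DIGITS space against a single issued code.
    """
    now = time.time() if now is None else now
    entry = _store.get(phone)
    if entry is None:
        return False
    if now - entry["issued"] > OTP_TTL_SECONDS:
        del _store[phone]                      # expired: discard the code
        return False
    entry["attempts"] += 1
    # Constant-time comparison so response timing does not leak matching digits.
    if hmac.compare_digest(entry["otp"].encode(), str(submitted).encode()):
        del _store[phone]                      # one-time: consume on success
        return True
    if entry["attempts"] >= MAX_ATTEMPTS:
        del _store[phone]                      # budget exhausted: lock this code out
    return False
```

Pair the per-code budget with a per-number and per-IP limit on how often a new code may be requested, otherwise the lockout can be reset by re-requesting codes.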
If you like our articles, please subscribe :)