Bypass OTP validation and Phone Number authentication

Hello Members, In this article I’ll demonstrate you steps by steps OTP (one time passwords) bypass. Before starting first understand what is rate limit attacks.

A brute-force attack is an attempt to log in to an account by trying many passwords & fuzzing combinations rapidly in order to compromise application security called rate limit attack.

Login Area

When you log in through a number then this application sends OTP (one-time passwords) to the number.

OTP Sent to number

When an attacker entered invalid OTP than the application generates an error msg OTP Does not match!

Now setup burpsuite and configure with the web browser. Turn on intercept and Now captured invalid OTP requests. after request captured Right click and send to intruder.

Captured Invalid OTP Requests

Now select OTP Payload Position

Now select OTP Payload Position

After selecting payload position select payload type as brute forcer and also a select range of OTP. In my case, OTP length is four digits and click on start attacks.

If the application is vulnerable to Rate limit then within 10 to 15 minute we will get OTP. Invalid OTP length is 700 and valid OTP length is 1504

Now select valid OTP and move your mouse to response of valid OTP and right click select Show response in browser. Response is copied to your clipboard and paste it into the browser. all the session token copied to the browser.

Now refresh your login page again you can see we login into the application.

If you like our articles, please subscribe :)

Levelup0x Bug Hunting Training:

WhatsApp Channel:

Join Our Telegram Channel:

Duration: 45 Days+ Training | #Fee : 5000 inr | 75 usd

To know more : #Call / #WhatsApp : +91 96809 81337

Download All The Hacktivists™ InfoSec Training Modules!Ah6mcJeP80hdgRcEE-HkUl45GL7_™_Training_Program