Hello Members, In this article I’ll demonstrate you steps by steps OTP (one-time passwords)
Verification bypass through Modifying Request or Response.

Before starting first we understand OTP Verification.
Sometimes when you are going to register a new account,
Re-login and want to add the new number on the application,
Then it asks you to verify your phone number.
By using one-time verification (OTP) Method.
In which that application send a code on your mobile number by SMS, a
nd you have to enter it your mobile number on that Application to verify your account.

Modifying Request or Response Manipulation is straightforward:
an attacker first observes Request or Response behaviour of an application.
Once she understands application behaviour then attacker trying to manipulate
Response according to valid Response.

In this case, the Attacker first,
capture valid Request and send to the repeater to get a response.
Analyze the Response then attacker trying to manipulate Response according to valid Response.

☆ In this case, I want to add a number without verifying and entering valid OTP.
Above screenshoot,
you can see the number I entered now click on Save Phone Number.
Popup box will appear and ask for entering valid OTP.

☆ Here I entered wrong OTP 123456

☆ Now setup burpsuite and configure with the web browser.
Turn on the intercept and Now captured invalid OTP requests.
after request captured Right click and Do Intercept → Response to this request.

☆ When attacker clicks on Response to this request then she will get a response of particuar requests.
So an attacker can easily observe the behaviour of an application function.

☆ You observe that {“status” : ”failed”}

☆ It’s a clear indication we can bypass OTP verification.
Now change response failed to success {“status” : ”failed”} → {“status” : ”success”}

☆ Turn off the intercept button and look at the application,
OTP Verification has been bypassed.


No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *