An OTP is an automatically generated numeric or alphanumeric string of characters used to confirm the authenticity of a user for a transaction or login session. For example, smart-ID uses one-time passwords to verify your contact information during registration and account renewal.
Many web applications use OTP functionality to confirm the authenticity of their users; you will normally find it at sign-up and password change. This functionality can be vulnerable: if an attacker can bypass it, the user's account may be compromised. Below are some of the methods by which an OTP can be bypassed, which may also help you earn good bounties.
1. Brute Force Attack
This is one of the most common methods of bypassing a one-time password: the attacker tries a number of random PINs of the same length, one by one. To test it:
(i) First enter any random OTP, such as 0000.
(ii) Intercept the request in Burp Suite and send it to Intruder.
(iii) Set the position at the OTP parameter. In the Payloads section select the payload type "Numbers", set the range for the OTP, and make sure URL encoding is unchecked. In the Options tab set the throttle to 3000. To know whether the OTP being brute forced is the right one, go to Grep - Match and enter "invalid otp"; this helps you identify the correct OTP.
(iv) Click "Start attack" and note the length of each response. If the length of any response differs from the others, you have successfully bypassed the OTP.
2. OTP Getting Leaked In Response
To test this, enter any random OTP and intercept both the request and its response through the Burp proxy; check whether the OTP is being leaked in the response.
3. OTP Bypass Through Response Manipulation
To test this method, enter any random OTP and intercept the request and its response; you will see the response report an error or "false". Change that to "success" or "true" and forward the response. If the request is processed, you have successfully bypassed the OTP verification.
4. OTP Bypass By Entering Alphabets Instead of Numbers
This method works in some web applications because they do not validate whether the OTP entered is numeric or alphabetic. To test this, enter any random OTP in the field, intercept the request in Burp Suite, change the OTP value from a number to letters (for example from 0000 to OTPBYPASS), and see whether it is processed.
5. OTP Bypass Through Inspect Element
(i) To test this, go to the page that asks for an OTP and right-click the Continue button (or whichever button submits the OTP request).
(ii) Choose Inspect Element and look for any function that validates the OTP. One such function is checkOTP(event).
(iii) Type that function name in the console. Clicking the arrow next to it opens the file in the debugger, where you may see the OTP that was sent to your mobile number.
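As an added example that is not part of the original post, the following server-side verification routine in Python closes each of the gaps described above: attempts are counted and the code is invalidated after a few failures (method 1), the expected code is never echoed in a response (method 2), the accept/reject decision is made only on the server (method 3), only ASCII digits of the exact length are accepted (method 4), and the code never reaches client-side JavaScript (method 5). The function names, the in-memory store and the limits are assumptions for illustration.

```python
import hmac
import secrets
import time

OTP_LENGTH = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5  # brute-force defence: the code is invalidated after this many tries

# Constructed in-memory store (a real deployment would use a server-side DB or cache):
# {session_id: {"otp": str, "expires": float, "attempts": int}}
otp_store = {}

def issue_otp(session_id, now=None):
    """Generate a fresh numeric OTP and keep it server-side only.
    The code is delivered out of band (SMS / e-mail); it must never be placed
    in an HTTP response body or in JavaScript served to the browser."""
    now = time.time() if now is None else now
    otp = "".join(str(secrets.randbelow(10)) for _ in range(OTP_LENGTH))
    otp_store[session_id] = {"otp": otp, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return otp  # returned only so the caller can hand it to the SMS/e-mail sender

def verify_otp(session_id, submitted, now=None):
    """Return (ok, reason). The server alone decides the outcome, so a client
    editing 'false' to 'true' in a response gains nothing."""
    now = time.time() if now is None else now
    record = otp_store.get(session_id)
    if record is None:
        return False, "no_pending_otp"
    if now > record["expires"]:
        otp_store.pop(session_id, None)
        return False, "expired"
    record["attempts"] += 1  # every attempt counts, malformed ones included
    if record["attempts"] > MAX_ATTEMPTS:
        otp_store.pop(session_id, None)  # lock: a new code must be issued
        return False, "locked"
    # Strict input check: exactly OTP_LENGTH ASCII digits, nothing else,
    # so values such as "OTPBYPASS" are rejected before any comparison.
    if not (isinstance(submitted, str) and len(submitted) == OTP_LENGTH
            and submitted.isascii() and submitted.isdigit()):
        return False, "malformed"
    if hmac.compare_digest(record["otp"], submitted):  # constant-time compare
        otp_store.pop(session_id, None)  # single use
        return True, "ok"
    return False, "invalid"  # generic reason; the expected code is never revealed
```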