Hello and greetings, all,
Today we will discuss one interesting topic: OTP (one-time password) bypass, and how attackers are able to bypass the OTP scheme on web or mobile based applications. As you know, a one-time password (OTP) is an automatically generated numeric or alphanumeric string of characters that authenticates the user for a single transaction or login session.
OTPs are used as an extra security layer to protect user authentication, but in some vulnerable websites the OTP two-factor authentication verification scheme can easily be bypassed on web or application based platforms.
There are a few techniques by which an OTP scheme can be bypassed:
→ Response manipulation
→ Brute force
→ SMS forwarding
→ Broken authentication, where any random value is accepted
Here, we will discuss how an attacker is able to bypass the OTP scheme by the response manipulation technique. If you don't know what response manipulation is: it is a technique where the attacker analyzes the request and response using a proxy tool and changes the value of the response, so that the client treats the verification as successful without the correct OTP ever being entered. The root cause is that the application trusts the response seen by the client instead of a server-side record that the OTP was actually verified.
Steps of testing:
1. Here we have a vulnerable application which allows us to bypass the OTP scheme because its authentication scheme is broken.
When we log in or sign up, the application asks for OTP confirmation as an authentication step.
2. To check whether the application is vulnerable to OTP bypass, we submit a random OTP value, 0000.
Before clicking Verify, open a proxy tool to intercept the request. Here we will use Burp, which lets us intercept the request and change the response.
3. Click Verify to confirm the OTP with the random value, and intercept the request using Burp.
Now, as the response:
The server answers with 400 Bad Request, because the OTP is wrong. The main point comes here: we bypass this 400 Bad Request by response manipulation, simply by making a change in the response section.
Now forward this response, and as a result the authentication scheme has been bypassed, because the application acts on the manipulated response rather than on server-side verification state.
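The defensive point behind the steps above is that the response body and status code are only a message to the client; the decision about whether the user is verified has to live on the server. The following is an added example (not code from the original post or from any product it mentions) that simulates both sides: a vulnerable client that trusts the response it sees, and a server whose OTP check records the result in server-side session state, limits attempts and enforces expiry. All function names, the policy values (300 second TTL, 5 attempts) and the sample session are constructed for illustration.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # validity window for an issued OTP (constructed policy value)
MAX_ATTEMPTS = 5        # wrong guesses allowed before the OTP is invalidated (constructed)


def issue_otp(session: dict, now: float) -> str:
    """Server generates a 6-digit OTP and stores it in server-side session state.

    In a real deployment the code is sent to the user's device; it is returned
    here only so the example can be exercised offline.
    """
    code = f"{secrets.randbelow(10**6):06d}"
    session["otp"] = {"code": code, "issued_at": now, "attempts": 0}
    session["otp_verified"] = False
    return code


def verify_otp(session: dict, submitted: str, now: float) -> dict:
    """Server-side OTP check. Returns an HTTP-style response dict for the client;
    the authoritative outcome is the server's own session['otp_verified'] flag."""
    state = session.get("otp")
    if state is None:
        return {"status": 400, "body": {"verified": False, "error": "no pending otp"}}
    if now - state["issued_at"] > OTP_TTL_SECONDS:
        session.pop("otp")   # expired codes are discarded, not retried
        return {"status": 400, "body": {"verified": False, "error": "otp expired"}}
    state["attempts"] += 1
    if state["attempts"] > MAX_ATTEMPTS:
        session.pop("otp")   # invalidate the code: defeats brute force of the 6-digit space
        return {"status": 429, "body": {"verified": False, "error": "too many attempts"}}
    # Constant-time comparison so timing does not leak how many digits matched.
    if hmac.compare_digest(state["code"], submitted):
        session.pop("otp")   # one-time: a verified code cannot be replayed
        session["otp_verified"] = True
        return {"status": 200, "body": {"verified": True}}
    return {"status": 400, "body": {"verified": False, "error": "invalid otp"}}


def access_protected(session: dict) -> dict:
    """A protected endpoint gates on server-side state only, never on anything the
    client claims about an earlier response."""
    if not session.get("otp_verified"):
        return {"status": 401, "body": {"error": "otp verification required"}}
    return {"status": 200, "body": {"data": "protected resource"}}


def vulnerable_client_flow(server_response: dict) -> bool:
    """The broken pattern from the post: the client-side code treats the response
    body as the authority on whether verification succeeded. Anyone who can edit
    the response in transit (for example with an intercepting proxy) can flip it."""
    return bool(server_response["body"].get("verified", False))


def demo() -> dict:
    """Walk through the scenario: random OTP 0000, then a response rewritten to
    claim success, and show what each side concludes."""
    session = {}
    now = time.time()
    issue_otp(session, now)
    real_response = verify_otp(session, "0000", now)                 # server says 400
    tampered_response = {"status": 200, "body": {"verified": True}}  # constructed: edited in transit
    return {
        "server_rejected_random": real_response["status"] == 400,
        "vulnerable_client_fooled": vulnerable_client_flow(tampered_response),
        "protected_still_denied": access_protected(session)["status"] == 401,
    }


if __name__ == "__main__":
    print(demo())
```

The interesting value in `demo()` is `protected_still_denied`: even when the client is fooled into showing a "verified" screen, every later request to a protected endpoint is still refused, because the server never set `otp_verified`. An application is vulnerable to the bypass described in this post when its protected functionality checks the client's claim (a cookie, local storage flag or app state set after the response) instead of state the server wrote itself.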
Today we discussed how an attacker is able to bypass an OTP scheme using the response manipulation technique. This blog is for educational purposes only.
Stick with our blog series to learn more.
For more interesting topics please visit www.securiumsolutions.com/blog
Author: Pallab Jyoti Borah , IT Security Analyst
Thank you
Referred By
Securium Solutions