Account Takeover By OTP Bypass

Cysky0x1
2 min read · Oct 2, 2023


“O Allah, send blessings and peace upon our Prophet Muhammad”

Hello Hunters!

My name is Abdelhy Khaled and I am a security researcher. It’s been a while since my last write-up, so I decided to share a fun experience I had while hunting on a private program.

What is OTP?

OTP stands for one-time password. Web applications add this check at the points where important information is deleted or changed, such as a password reset.

Let’s start

So, as usual, I was looking for an account takeover. I created an account and clicked on “forgot password”; after that I checked my mail, where I got the 4-digit OTP code.

At that time, two methodologies were running through my mind:

1. Response manipulation

2. OTP bypass by no rate limit

Then I decided to brute force the OTP: because it was a 4-digit code, it can be done in a short time. I requested a new OTP and, without looking at it, entered one random OTP and captured the request in Burp. I sent it to Intruder, added a number payload from 0000 to 8888, and started the attack.

You can see the status code 201 here: I bypassed the OTP successfully. Using this bug I could take over any user’s account without user interaction.

Let me give the exact steps I wrote in the report.

Steps to reproduce

1. Go to https://www.xyz.com.
2. Go to the password reset option.
3. Enter the victim’s mail id.
4. Enter a random 4-digit OTP.
5. Capture the request in Burp and send it to Intruder.
6. Create a payload of 4-digit numbers and start the attack.
7. You can see the change in the response length and the status code 200 OK.
8. Enter the correct OTP and change the password of the victim’s account.
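The root cause here is that the reset endpoint checked the code but never counted failed attempts, so the whole 4-digit space could be tried against one code. The following is an added example, not code from the author or from the program’s application, that models the server side of that flow: a hypothetical `OtpService` that issues a reset code for an email address and verifies guesses, once without any limits (the behaviour found above) and once with the checks a defender would expect (attempt cap, expiry, single use, constant-time comparison). The `exhaustive_guess` helper simulates the Intruder run against the in-memory service so the two policies can be compared; the email address, the limits and the injected `rng`/`clock` hooks are constructed for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 4
OTP_TTL_SECONDS = 300   # assumed policy: a reset code is valid for five minutes
MAX_ATTEMPTS = 5        # assumed policy: five wrong guesses invalidate the code


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class OtpService:
    """Hypothetical reset-code service (constructed example, not the real app).

    enforce_limits=False reproduces the vulnerable behaviour from the write-up:
    every guess is compared against the stored code with no attempt counting.
    """

    def __init__(self, enforce_limits: bool, clock=time.time, rng=secrets.randbelow):
        self.enforce_limits = enforce_limits
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.rng = rng              # injectable so tests can pin the generated code
        self._records: dict[str, OtpRecord] = {}

    def issue(self, email: str) -> str:
        """Generate a fresh zero-padded code; a new request replaces any old code."""
        code = f"{self.rng(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._records[email] = OtpRecord(code=code, issued_at=self.clock())
        return code  # in a real application this is only ever sent to the mailbox

    def verify(self, email: str, guess: str) -> bool:
        rec = self._records.get(email)
        if rec is None:
            return False
        if self.enforce_limits:
            if rec.consumed:
                return False                       # single use: a code never works twice
            if self.clock() - rec.issued_at > OTP_TTL_SECONDS:
                del self._records[email]           # expired: user must request a new one
                return False
            if rec.attempts >= MAX_ATTEMPTS:
                del self._records[email]           # locked: brute force stops here
                return False
            rec.attempts += 1                      # count the attempt before comparing
        ok = secrets.compare_digest(rec.code, guess)  # constant-time, no timing leak
        if ok and self.enforce_limits:
            rec.consumed = True
        return ok


def exhaustive_guess(service: OtpService, email: str) -> tuple[bool, int]:
    """Simulate the Intruder run: submit 0000..9999 in order until one is accepted.

    Returns (accepted, guesses_sent). Against the limited service every guess
    after the cap is rejected, even if it happens to be the right code.
    """
    for n in range(10 ** OTP_DIGITS):
        if service.verify(email, f"{n:0{OTP_DIGITS}d}"):
            return True, n + 1
    return False, 10 ** OTP_DIGITS


if __name__ == "__main__":
    email = "victim@example.test"  # constructed address
    weak = OtpService(enforce_limits=False)
    weak.issue(email)
    print("no limits  ->", exhaustive_guess(weak, email))
    strong = OtpService(enforce_limits=True)
    strong.issue(email)
    print("with limits ->", exhaustive_guess(strong, email))
```

The vulnerable policy is accepted after at most 10,000 requests, which is exactly the Burp Intruder scenario in the write-up; the limited policy rejects everything after the fifth wrong guess and throws the code away, so even the correct value no longer works until a new code is requested. In production the attempt counter and expiry would live in the same store as the code (database or cache keyed by the user), and the reset endpoint would additionally be covered by per-IP and per-account rate limiting.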

Thank you for taking the time to read this piece. If you liked it, please leave a comment sharing your thoughts.

Feed | LinkedIn — My LinkedIn Profile
