OTP bypasses

OTP

What is a One-Time Password (OTP)?

An OTP or One-Time Password is a unique, randomly generated numeric or alphanumeric code that is used for authentication purposes. It is typically used as an additional security measure to verify the identity of a user when logging into an account or making a transaction. OTPs are designed to be used only once and become invalid after a certain period, usually within a few minutes.

What are OTP Bypasses?

When pentesters and bug hunters test apps that require an OTP, in some cases the OTP needs a phone number in a specific country, or SMS doesn't work properly, or it works fine but we need to bypass it.

OTP Verification Bypass Via Response Manipulation

One of the most common techniques in this case is Response Manipulation; I described it HERE.

While testing, I had one account that didn't need OTP verification because its number was verified.

Then I decided to create a new account to test the OTP function correctly.

Now I have two accounts:

  1. Verified Account

  2. Non-Verified Account

When trying to log in with the Verified Account, it doesn't require an OTP because it's already verified.

But Non-Verified Accounts need an OTP, and SMS wasn't working. While logging in with the verified account, I noticed parameters in the response body that indicate mobile number verification.

Response for Verified Account

"hasRequest":true,
"mobileVerified":true,
"roles":[
],

But when logging in with the Non-Verified Account's credentials, the response doesn't include these parameters. So we need to intercept the response and add these parameters to its JSON body before the redirect to the OTP endpoint, which bypasses it and gives access to the account without any verification.

Request for Non-Verified Account

{
    "username":"Kourama",
    "Password":"P@$$w0rd"
}

Response for Non-Verified Account

{
    /*
    Response
    */
    "hasRequest":true,
    "mobileVerified":true,
    "roles":[
    ],
    /*
    Response 
    */
}

After adding these parameters to the response, I could access the account without any OTP verification, but I needed to bypass it every time I logged in to the account.
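The bypass works because the decision to skip the OTP step is taken from fields in the login response, which anyone holding a proxy can rewrite. A server-side gate for this flow, as an added example (not code from this write-up or from the tested application; `login`, `verify_otp`, `authorize`, `ACCOUNTS`, `SESSIONS` and the sample accounts are hypothetical): verification state lives in the server's session record and every protected request is checked against it.

```python
import hmac
import secrets

# Constructed sample accounts (password hashing omitted to keep the sample short).
ACCOUNTS = {
    "verified_user": {"password": "pw-1", "mobile_verified": True},
    "new_user": {"password": "pw-2", "mobile_verified": False},
}
SESSIONS = {}  # session token -> server-held state, never taken from the client


def login(username, password):
    """Check credentials and open a session. Returns (token, response_body)."""
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(
            acct["password"].encode(), password.encode()):
        return None, {"error": "invalid credentials"}
    token = secrets.token_urlsafe(32)
    otp = None if acct["mobile_verified"] else f"{secrets.randbelow(10**6):06d}"
    SESSIONS[token] = {"user": username, "otp_passed": acct["mobile_verified"],
                       "pending_otp": otp, "attempts": 0}
    # The body is a UI hint only; editing it in a proxy does not touch SESSIONS.
    return token, {"mobileVerified": acct["mobile_verified"]}


def verify_otp(token, code):
    """Mark the session verified only when the submitted code matches."""
    s = SESSIONS.get(token)
    if s is None or s["pending_otp"] is None or s["attempts"] >= 5:
        return False
    s["attempts"] += 1  # cap guesses per session
    if hmac.compare_digest(s["pending_otp"].encode(), code.encode()):
        s["otp_passed"], s["pending_otp"] = True, None
        ACCOUNTS[s["user"]]["mobile_verified"] = True
        return True
    return False


def authorize(token, client_claims=None):
    """Gate for every protected endpoint; client_claims is deliberately ignored."""
    s = SESSIONS.get(token)
    return bool(s and s["otp_passed"])
```

With this gate, adding `"mobileVerified":true` to the intercepted response only changes what the client displays; requests made with the session token are still refused until `verify_otp` succeeds.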
