
OTP bypasses


Last updated 1 year ago

What is One-Time Password (OTP)?

An OTP or One-Time Password is a unique, randomly generated numeric or alphanumeric code that is used for authentication purposes. It is typically used as an additional security measure to verify the identity of a user when logging into an account or making a transaction. OTPs are designed to be used only once and become invalid after a certain period, usually within a few minutes.

What are OTP Bypasses?

When pentesters and bug hunters test apps that require an OTP, they sometimes hit cases where the OTP needs a phone number from a specific country, or SMS delivery doesn't work (or works, but the check still needs to be bypassed to continue testing).

OTP Verification Bypass Via Response Manipulation

While testing, I had one account that didn't need OTP verification because its phone number was already verified.

I then decided to create a new account to test the OTP function properly.

Now I had two accounts:

  1. Verified Account

  2. Non-Verified Account

When logging in with the verified account, no OTP is required because the number is already verified,

but the non-verified account needs an OTP, and SMS wasn't working. While logging in with the verified account, I noticed parameters in the response body that indicate mobile number verification.

Response for the verified account (excerpt):

"hasRequest":true,
"mobileVerified":true,
"roles":[
],

But when logging in with the non-verified account's credentials, the response doesn't include these parameters. So we intercept the response and add these parameters to its JSON body before the client redirects to the OTP endpoint, which bypasses the OTP and gives access to the account without any verification.

Request for the non-verified account:

{
    "username":"Kourama",
    "Password":"P@$$w0rd"
}

Response for the non-verified account (after adding the parameters):

{
    /*
    Response
    */
    "hasRequest":true,
    "mobileVerified":true,
    "roles":[
    ],
    /*
    Response 
    */
}

After adding these parameters to the response, I could access the account without any OTP verification, but I needed to repeat the bypass every time I logged in to the account.
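The root cause here is that the client, not the server, decides whether the OTP step happens, based on a flag in the response body. The following added example (not code from this writeup; the `USERS` store, session handling and function names are constructed) contrasts that weak pattern with a server-side check, where the same tampered response changes nothing because the session stays marked as pending OTP until the code is verified.

```python
import hmac
import secrets
# Constructed sample store (not from the writeup); real systems store password hashes.
USERS = {
    "Kourama": {"password": "P@$$w0rd", "mobileVerified": False},
}
SESSIONS = {}      # session token -> {"user": str, "otp_ok": bool}
PENDING_OTPS = {}  # session token -> OTP code still awaiting verification

def _check_password(username, password):
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    return user

def login_vulnerable(username, password):
    # Weak pattern: a fully privileged session exists as soon as the password is
    # right; the client alone decides from "mobileVerified" whether to ask for OTP.
    user = _check_password(username, password)
    if user is None:
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = {"user": username, "otp_ok": True}
    return {"token": token, "mobileVerified": user["mobileVerified"]}

def login_hardened(username, password):
    # Fixed pattern: an unverified user gets a session the server marks as still
    # pending OTP, so editing the response body changes nothing the server trusts.
    user = _check_password(username, password)
    if user is None:
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = {"user": username, "otp_ok": user["mobileVerified"]}
    if not user["mobileVerified"]:
        PENDING_OTPS[token] = f"{secrets.randbelow(10**6):06d}"  # delivered by SMS
    return {"token": token, "mobileVerified": user["mobileVerified"]}

def verify_otp(token, code):
    # Promote a pending session only when the submitted code matches (single use).
    expected = PENDING_OTPS.get(token)
    if expected is None or not hmac.compare_digest(expected, code):
        return False
    del PENDING_OTPS[token]
    SESSIONS[token]["otp_ok"] = True
    return True

def account_status(token):
    # Protected endpoint: authorization rests on server-side session state only.
    session = SESSIONS.get(token)
    return 200 if session is not None and session["otp_ok"] else 403
```

In the hardened flow the client can still edit `mobileVerified` to skip the OTP screen, but every protected request is answered 403 until `verify_otp` succeeds.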

One of the most common techniques in this situation is Response Manipulation, which I described HERE.