A bugbounty threads about OTP related hunting
I test these whenever I encounter with OTP related functionalities like email or phone confirmation, password reset, login with OTPs etc.
#bugbounty #bugbountytips #bugbountytip #hacking #cybersecurity #infosec #bughunting
1/n
I test these whenever I encounter with OTP related functionalities like email or phone confirmation, password reset, login with OTPs etc.
#bugbounty #bugbountytips #bugbountytip #hacking #cybersecurity #infosec #bughunting
1/n
2/n
1. Bruteforce OTP (tool : Burp intruder)
2. Developers implement additional parameters to protect their application from bruteforce attack.
eg. LoginAttempt=3 or wrong_attempt_left=1, modify or remove these parameters
1. Bruteforce OTP (tool : Burp intruder)
2. Developers implement additional parameters to protect their application from bruteforce attack.
eg. LoginAttempt=3 or wrong_attempt_left=1, modify or remove these parameters
3/n
3. There is a huge possibility that you may get banned during brute forcing OTP. You can bypass that by taking some steps like:
- Change *User-Agent* header
- Change IP via VPN or IP rotator
4. You can add custom headers to bypass the bruteforcing restrictions :
3. There is a huge possibility that you may get banned during brute forcing OTP. You can bypass that by taking some steps like:
- Change *User-Agent* header
- Change IP via VPN or IP rotator
4. You can add custom headers to bypass the bruteforcing restrictions :
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Forwared-Host: 127.0.0.1
True-Client-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
Note: you can use paraminer to find accepting headers
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Forwared-Host: 127.0.0.1
True-Client-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
Note: you can use paraminer to find accepting headers
5/n
5. No restriction on OTP regeneration [Rate Limit bugs]
- DOS on victim's phone
- Money waste for company
- This also leads to infinitely refresh OTP until our desired OTP 😂
5. No restriction on OTP regeneration [Rate Limit bugs]
- DOS on victim's phone
- Money waste for company
- This also leads to infinitely refresh OTP until our desired OTP 😂
6/n
6. Victim account locking
Bruteforcing can be used to lockout user access to her account for specific time duration eg. 8hrs.
7. Check if OTP expires
Login —> Logout —> Login (with previous OTP)
8. Password link does not expire after usage
6. Victim account locking
Bruteforcing can be used to lockout user access to her account for specific time duration eg. 8hrs.
7. Check if OTP expires
Login —> Logout —> Login (with previous OTP)
8. Password link does not expire after usage
7/n
9. Use same OTP to login from different browsers
10. Use same OTP to login same account from different computer as well as Mobile
11. OTP can be used from other action
Let's say Login & Passwd Change action have 2FA implemented, you can reuse login OTP at passwd change.
9. Use same OTP to login from different browsers
10. Use same OTP to login same account from different computer as well as Mobile
11. OTP can be used from other action
Let's say Login & Passwd Change action have 2FA implemented, you can reuse login OTP at passwd change.
8/n
12. OTP in response
13. Password reset token in response
- Click Forgot Password
- Insert existing username or email address
- Set interception proxy and catch request to this endtpoint
- Proceed the request and check that password-reset link returned in response json body
12. OTP in response
13. Password reset token in response
- Click Forgot Password
- Insert existing username or email address
- Set interception proxy and catch request to this endtpoint
- Proceed the request and check that password-reset link returned in response json body
- Go to the URL and set password for any account
14. Play with other parameters
Add, remove, duplicate other parameters going along with OTP, doing such you can bypass OTP check on the server side, and with that you can send wrong OTP to get access to victim account.
14. Play with other parameters
Add, remove, duplicate other parameters going along with OTP, doing such you can bypass OTP check on the server side, and with that you can send wrong OTP to get access to victim account.
10/n
15. Response manipulation
Sometimes developers relies on response other than OTP to validate user. Save the response after entering correct OTP & use that response to replace the wrong attempt response.
For eg. Is_OTP_Correct:False —> is_OTP_Correct:True
15. Response manipulation
Sometimes developers relies on response other than OTP to validate user. Save the response after entering correct OTP & use that response to replace the wrong attempt response.
For eg. Is_OTP_Correct:False —> is_OTP_Correct:True
Thanks for reading hope you liked it.
I created this list after reading a lots of writeups and articles.
If you get any success with my resource, mention me to know that I helped someone 🤩
I created this list after reading a lots of writeups and articles.
If you get any success with my resource, mention me to know that I helped someone 🤩
• • •
Missing some Tweet in this thread? You can try to
force a refresh
