Last updated
Was this helpful?
During a recent pentest engagement with , we uncovered a critical security vulnerability in the OTP (One-Time Password) verification process of a popular web application. This vulnerability allowed us to bypass OTP verification, leading to a complete takeover of user accounts. Here's how it went down.
Our target was a web application that implemented OTP-based authentication as an added layer of security. The user would enter their email, request an OTP, and then submit the received code to gain access to their account. It all seemed secure at first glance—until we dug deeper.
The first thing we noticed was that the OTP mechanism didn't include any rate limiting. This was curious because, without proper rate limiting, an attacker could theoretically brute force the OTP. But we weren't just going to theorize—we needed to test it.
Using Burp Suite, we intercepted the OTP submission request. The request looked simple enough:
At this point, we set up Burp Suite's Intruder tool to brute force the OTP field.
We configured the Intruder to iterate through possible OTP values. Since the OTP was six digits long. We figured that even with no rate limiting, the attack might take a while, but we were patient.
With the Intruder running, we monitored the responses. After several attempts, the server responded with an HTTP 200 status code. Bingo! We had guessed the correct OTP.
With the correct OTP in hand, we extracted the OneTimeToken from the server’s response. This token was the key to the kingdom.
Next, we used the OneTimeToken in a follow-up request to the API:
This request returned the full authorization token for the victim’s account, effectively logging us in as the user. From there, we had full control over the account—accessing personal data, modifying account settings, and more.
This vulnerability highlighted several critical issues in the OTP verification process:
Lack of Rate Limiting: Without rate limiting, brute-forcing the OTP was trivial.
Insecure OTP Mechanism: The system should invalidate OTPs after a few incorrect attempts or after a short period.
Inadequate Monitoring: The application lacked sufficient logging and monitoring, allowing such an attack to go undetected.
Stay curious, stay secure, and happy hacking!
This pentest engagement with served as a stark reminder of how seemingly minor oversights in security mechanisms like OTP can lead to severe consequences, such as full account takeovers. Always think critically about how each piece of the security puzzle fits together, and never underestimate the importance of comprehensive security testing.
