Using Burp Suite for OTP Bypassing

Ethical hacking is fun, but only within limits. One of the things every hacker tries is OTP bypassing. There are different ways to get past login credentials with the help of OTP bypassing.

What is OTP:

OTP stands for one-time password, which is used to log in to a registered account. It provides a mechanism to log in to a network for a single session only.

An OTP sent through an SMS gateway provider is more secure than a static PIN or password, especially a PIN or password chosen by the user, which is usually weak. OTPs can replace the sign-in verification details or add a further, stricter layer of security on top of them.

In this ethical hacking project, I will explain the whole process of bypassing OTP using Burp Suite.

Prerequisite:

First, select any site as the target for the attack (e.g. www.anyexample.com).

Create a profile (register), or log in to an existing account. Logging in to an account also requires passing the OTP verification process, so this is also called an account takeover.

Step 1: Configure your browser to use Burp Suite's proxy listener. To do this, change your browser settings by going into Preferences and then into the proxy settings.

The proxy host address is 127.0.0.1 by default, and the port is 8080 by default for both protocols (HTTP and HTTPS).


NOTE: If the listener is not running, Burp was not able to open the default proxy port.

Step 2: After you set up the account or enter the login credentials, the site needs an OTP to verify. Now turn ON Burp Suite's intercept.

Intercept: It captures the packets coming from the website or server. Now we will capture the packet that is sent to the server as a request. (Now if you want to do the brute-force attack, you can do it easily.)

Now type any wrong OTP and intercept the request. After capturing it, use the Action menu to send it to Intruder. After sending it to Intruder, forward the POST request. The response code from the server then reaches Intruder.

Points to remember:

# In the response, the server returns an error as (0), and if the statement is successful it returns (1).

# Sometimes it returns an error code, so change it to Success.

# Sometimes it returns incorrect, so change it to Success. Now, according to the server's code, change it to success or 1, and forward the request to the server. After you send the request to the server, it accepts the query and says the OTP is correct.

And hence OTP is bypassed. 

There are different methods to bypass OTP. Many of them are possible because of lax security personnel who do not apply security controls, which is why different bypass methods work. One other way of bypassing the OTP is the no-rate-limit attack, in other words a brute-force attack.
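Seen from the defender's side, both weaknesses described above (a success value that can be edited in transit, and unlimited guesses) are closed by keeping the verification result on the server and capping attempts per issued code. The sketch below is an added example, not code from this article or from any particular site; `OtpVerifier`, its method names, and the policy values `MAX_ATTEMPTS` and `OTP_TTL_SECONDS` are hypothetical.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy: wrong guesses allowed per issued code
OTP_TTL_SECONDS = 300   # assumed policy: lifetime of an issued code


class OtpVerifier:
    """Hypothetical server-side OTP check; state is keyed by session id."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}      # session_id -> [otp, expires_at, attempts_left]
        self._verified = set()  # sessions that actually passed the check

    def issue(self, session_id):
        otp = f"{secrets.randbelow(10**6):06d}"
        self._verified.discard(session_id)
        self._pending[session_id] = [otp, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return otp  # goes to the SMS gateway only, never into an HTTP response

    def verify(self, session_id, submitted):
        entry = self._pending.get(session_id)
        if entry is None:
            return False                      # nothing issued, used up, or locked out
        otp, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[session_id]     # expired: a new code must be issued
            return False
        entry[2] -= 1                         # count the attempt before comparing
        if hmac.compare_digest(otp.encode(), submitted.encode()):
            del self._pending[session_id]     # single use
            self._verified.add(session_id)
            return True
        if entry[2] == 0:
            del self._pending[session_id]     # attempt budget spent: code is dead
        return False

    def is_verified(self, session_id):
        # Protected endpoints ask the server's own record; a 0/1 or "Success"
        # value edited in the response on its way to the browser changes nothing here.
        return session_id in self._verified
```

The attempt cap only holds if `issue()` is itself rate-limited per account, otherwise each re-issue hands out a fresh budget of guesses.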

