OTP Bypass Using Burp Suite: Aamir Ahmad

This document summarizes how the author bypassed one-time password (OTP) verification on a government website using Burp Suite. They intercepted requests containing incorrect OTPs and modified the responses to indicate a match. They then intercepted a request with a valid OTP to obtain a token and redirect URL. By replacing an invalid OTP response with the valid one, they were able to bypass OTP verification. The author reported the vulnerability to authorities rather than exploiting it further.

Uploaded by

Anibal Carrasco
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
4K views4 pages

OTP Bypass Using Burp Suite: Aamir Ahmad

This document summarizes how the author bypassed one-time password (OTP) verification on a government website using Burp Suite. They intercepted requests containing incorrect OTPs and modified the responses to indicate a match. They then intercepted a request with a valid OTP to obtain a token and redirect URL. By replacing an invalid OTP response with the valid one, they were able to bypass OTP verification. The author reported the vulnerability to authorities rather than exploiting it further.

Uploaded by

Anibal Carrasco
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

Get started Open in app

Aamir Ahmad

Follow 30 Followers About

OTP bypass using Burp Suite

Aamir Ahmad Sep 7, 2020 · 2 min read

Hello everyone. In this post, I will explain how I bypassed OTP verification in a govt
website. This post is completely beginner friendly and you just need to have basic
knowledge of intercepting requests using Burp Suite.

DISCLAIMER: This is for educational purpose only. Please don't use it to
exploit or harm anyone. If you find any bug using the provided information,
report it ethically to the concerned authorities.

So, I visited this website xyz.com, entered my own number and hit enter.
Intentionally, I entered the wrong OTP and intercepted the request using Burp Suite.
In response, I got the message:

{"message":"OTP didn't match!","code":400,"success":0}

I did this lame approach of just editing the values, which sometimes works in
websites which don't perform integrity checks. So, I edited this to

{"message":"OTP match!","code":200,"success":1}

This didn't work and I kept on thinking what I should do next. Then I thought: let's
provide the valid OTP and see what is being returned. So once again, I entered my
number and repeated the above steps, but this time with a valid OTP. Once the OTP was
verified, the server responded with a token and a redirect link.

{"data":{"nextLink":"set_password","token":"drc6GpqryeAMIR2qngxLLt2TESTUeZWSamplewxZhDgs="},"message":"OTP successfully verified!","code":200,"token":"drc6GpqryeAMIR2qngxLLt2TESTUeZWSamplewxZhDgs=","nextLink":"set_password","success":1}

Obviously, this is just a sample token and not the original one. I sent this token to
the decoder in order to find out what was stored in it. I decoded it as base64 and
found that some random info is being stored in this token which doesn't
distinguish between different users. Once again, I entered another number,
provided a wrong OTP and intercepted the request. As expected, I got a 400 response, but
this time I replaced the response with a similar response to the one I got after providing
a valid OTP. Then I forwarded the request and the OTP was successfully bypassed. This
bug was in a govt website, so without further exploitation, I reported it to NCIIPC.
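As an added illustration from the defender's side (this is not the author's code and not taken from the site in the write-up; `issue_otp`, `verify_otp`, `set_password`, the in-memory store and `SERVER_KEY` are all constructed for the demo), this is what the OTP step looks like when the server, not the intercepted response, is the source of truth: the token is HMAC-bound to the phone number and an expiry, and the set_password step validates it itself, so swapping a 400 response for a copied 200 response yields a token that the next step rejects.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # constructed for this demo; keep a real key in a secret store
_pending = {}  # phone -> (otp, expires_at): OTPs awaiting verification, server side only
TOKEN_TTL, OTP_TTL, MAC_LEN = 600, 300, 32

def issue_otp(phone, now=None):
    """Generate a 6-digit OTP and remember it server side (it would be sent by SMS)."""
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[phone] = (otp, (now or time.time()) + OTP_TTL)
    return otp

def _mint_token(phone, now):
    """Bind the token to the phone number and an expiry with an HMAC over the claims."""
    payload = json.dumps({"phone": phone, "exp": int(now + TOKEN_TTL)}).encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()

def verify_otp(phone, submitted, now=None):
    """Same response shape as in the write-up, but the only proof of success is the
    HMAC-bound token, which the server mints solely after a correct OTP."""
    now = now or time.time()
    entry = _pending.get(phone)
    if entry is None or now > entry[1] or not hmac.compare_digest(entry[0], submitted):
        return {"message": "OTP didn't match!", "code": 400, "success": 0}
    del _pending[phone]  # single use: a second attempt with the same OTP fails
    return {"message": "OTP successfully verified!", "code": 200, "success": 1,
            "nextLink": "set_password", "token": _mint_token(phone, now)}

def set_password(phone, token, new_password, now=None):
    """The next step re-checks the token itself instead of trusting the previous
    response: a token edited in a proxy, replayed for another number, or expired fails."""
    now = now or time.time()
    denied = {"message": "Invalid or expired token", "code": 403, "success": 0}
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return denied
        claims = json.loads(payload)
    except ValueError:  # bad base64 or undecodable payload after a forged MAC
        return denied
    if claims.get("phone") != phone or now > claims.get("exp", 0):
        return denied
    # store the password hash for `phone` here (omitted in this demo)
    return {"message": "Password set", "code": 200, "success": 1}
```

Rate limiting on verify_otp and alerting on bursts of 400 responses for one number are the detection side this demo leaves out.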

I hope you enjoyed reading this. It is my first writeup and I will surely try to come up
with more.

Thanks.
