
OTP Bypassing:

Bypass OTP Schema:

→ Response manipulation

→ Bruteforce

→ SMS forwarding

→ Broken authentication, where we can use any random value



Here we will discuss how an attacker can bypass the OTP schema with the response manipulation technique. If you don't know it, response manipulation is a technique in which the attacker analyzes the request using a proxy tool and changes the value of the response without entering the correct OTP.

Steps Of Testing:

1. Here we have a vulnerable application with a broken authentication schema, which allows us to bypass the OTP schema.

When we log in or sign up, some applications ask for an OTP confirmation before treating us as authenticated.




As in the picture above, the user enters the OTP confirmation code that arrives in the user's email. After entering the OTP, we get access as an authenticated user.

2. To check whether the application is vulnerable to OTP bypass, we will use a random OTP value, 0000.




As in the picture above, we entered a wrong OTP value.

Now, before clicking Verify, open a proxy tool to intercept the request. Here we will use Burp, which lets us intercept the request and change the response.

3. Click Verify to confirm the OTP with the random value, and intercept the request using Burp.




As in the picture above, we have captured the POST request carrying code=0000, the random value. To check or edit the response, right-click → Do intercept → Response to this Host.


Now, the response:



As in the picture above, the result is 400 Bad Request, which means we entered a wrong OTP value.

Now comes the main point: we will bypass this 400 Bad Request by response manipulation. We simply need to make a change in the response section.




Now, as in the picture above, we change the status 400 Bad Request → 200 OK, and we change the error response {"err":"no more attempts allowed","ECODE":"usr_069"} to { }. (Note: on different websites you will get a different response; the technique is the same.)

Now forward this response. As a result, we have successfully bypassed authentication because of the broken authentication schema.
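
The bypass above only works when access depends on the status code and body that the client receives. As an added example (not code from the original post or from the tested application), this Python code keeps the "verified" state on the server and re-checks it on every protected request, so a response edited in a proxy changes nothing. The function names, the six-digit code and the five-attempt limit are assumptions.

```python
import hmac
import secrets

MAX_ATTEMPTS = 5  # assumed limit, not taken from the post
SESSIONS = {}     # session id -> state, held only on the server

def start_login():
    """Create a pending session; the code would be sent by email or SMS."""
    sid = secrets.token_urlsafe(16)
    code = f"{secrets.randbelow(10**6):06d}"  # assumed six-digit OTP
    SESSIONS[sid] = {"code": code, "attempts": 0, "verified": False}
    return sid

def verify_otp(sid, submitted):
    """Return (status, body) as the HTTP layer would send them."""
    s = SESSIONS.get(sid)
    if s is None:
        return 401, {"err": "unknown session"}
    if s["attempts"] >= MAX_ATTEMPTS:
        return 429, {"err": "no more attempts allowed"}
    s["attempts"] += 1
    # Constant-time comparison; a length mismatch simply returns False.
    if not hmac.compare_digest(submitted.encode(), s["code"].encode()):
        return 400, {"err": "invalid code"}
    s["verified"] = True  # the only place this flag is ever set
    return 200, {}

def account_page(sid):
    """Protected resource: trusts server state, never the earlier response."""
    s = SESSIONS.get(sid)
    if s is None or not s["verified"]:
        return 403, {"err": "otp not verified"}
    return 200, {"data": "account details"}

def demo():
    """Wrong code, response rewritten in transit, then a protected request."""
    sid = start_login()
    real_status, _ = verify_otp(sid, "0000")  # wrong value, as in step 2
    seen_by_browser = 200                     # status after editing in a proxy
    next_status, _ = account_page(sid)        # the server still says no
    return real_status, seen_by_browser, next_status

if __name__ == "__main__":
    print(demo())
```

An application that instead issues the session or lets the front end proceed purely on seeing 200 OK has no such server-side check, which is the broken authentication the walkthrough demonstrates.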

We will be seeing other methods for bypassing SMS in upcoming blogs✨
