Snapchat Pro Mod

Web Hacking OTP Verification Bypass through Modifying Request or Response On A Site With Improper Validation [Broken Authentication]

A N O N Y

A N O N Y

Member
#1
Joined
Dec 29, 2021
Messages
25
Location
Mars Planet
Website
hellofhackers.com
Hellcoins
♆4
☆ OTP BYPASS VERIFICATION ☆

LET's START

☆ Hello CyberSouls, In this article I’ll demonstrate you steps by steps OTP (one-time passwords)
Verification bypass through Modifying Request or Response.
You must reply before you can see the hidden data contained here.
You must reply before you can see the hidden data contained here.
☆ Enjoy ~ I LOVE YOU ALL GUYS WHO'll LIKE MY POSTS ~





 
Last edited by a moderator:
B

berlin

Member
#9
Joined
Oct 8, 2022
Messages
113
Location
Berlin.123BhB
Hellcoins
♆433
G
A N O N Y said:
☆ OTP BYPASS VERIFICATION ☆
LET's START


☆ Hello Members, In this article I’ll demonstrate you steps by steps OTP (one-time passwords)
Verification bypass through Modifying Request or Response.
Before starting first we understand OTP Verification.
Sometimes when you are going to register a new account,
Re-login and want to add the new number on the application,
Then it asks you to verify your phone number.
By using one-time verification (OTP) Method.
In which that application send a code on your mobile number by SMS, a
nd you have to enter it your mobile number on that Application to verify your account.
Modifying Request or Response Manipulation is straightforward:
an attacker first observes Request or Response behaviour of an application.
Once she understands application behaviour then attacker trying to manipulate
Response according to valid Response.
In this case, the Attacker first,
capture valid Request and send to the repeater to get a response.
Analyze the Response then attacker trying to manipulate Response according to valid Response.

[Image: 1*sp8gcyk5vXcA2GWJSqKqKg.png]

[Image: 1*s6kivWAxReeUztLiw5UsYQ.png]

☆ In this case, I want to add a number without verifying and entering valid OTP.
Above screenshoot,
you can see the number I entered now click on Save Phone Number.
Popup box will appear and ask for entering valid OTP.

[Image: 1*r-dPt7ieJU9Rg0E7GzMvbA.png]

☆ Here I entered wrong OTO 123456

[Image: 1*YyO6tvTI8ERuB94Shfxvfg.png]

☆ Now setup burpsuite and configure with the web browser.
Turn on the intercept and Now captured invalid OTP requests.
after request captured Right click and Do Intercept → Response to this request.

[Image: 1*nitsPp-YYQfJte6nr6ed3w.png]

☆ When attacker clicks on Response to this request then she will get a response of particuar requests.
So an attacker can easily observe the behaviour of an application function.

☆ You observe that {“status” : ”failed”}

[Image: 1*C1QT_Gj6M6nufpQd4HDG_Q.png]

☆ It’s a clear indication we can bypass OTP verification.
Now change response failed to success {“status” : ”failed”} → {“status” : ”success”}

[Image: 1*Ks8Df0laD1YhSR5J6LOtvg.png]

☆ Turn off the intercept button and look at the application,
OTP Verification has been bypassed.



☆ Enjoy ~ I LOVE YOU ALL GUYS WHO'll LIKE MY POSTS ~



[Hidden content]
Click to expand...
g
 
N

nobead

New member
#17
Joined
Dec 7, 2023
Messages
18
Hellcoins
♆36
A N O N Y said:
☆ OTP BYPASS VERIFICATION ☆
LET's START


☆ Hello Members, In this article I’ll demonstrate you steps by steps OTP (one-time passwords)
Verification bypass through Modifying Request or Response.
Before starting first we understand OTP Verification.
Sometimes when you are going to register a new account,
Re-login and want to add the new number on the application,
Then it asks you to verify your phone number.
By using one-time verification (OTP) Method.
In which that application send a code on your mobile number by SMS, a
nd you have to enter it your mobile number on that Application to verify your account.
Modifying Request or Response Manipulation is straightforward:
an attacker first observes Request or Response behaviour of an application.
Once she understands application behaviour then attacker trying to manipulate
Response according to valid Response.
In this case, the Attacker first,
capture valid Request and send to the repeater to get a response.
Analyze the Response then attacker trying to manipulate Response according to valid Response.

[Image: 1*sp8gcyk5vXcA2GWJSqKqKg.png]

[Image: 1*s6kivWAxReeUztLiw5UsYQ.png]

☆ In this case, I want to add a number without verifying and entering valid OTP.
Above screenshoot,
you can see the number I entered now click on Save Phone Number.
Popup box will appear and ask for entering valid OTP.

[Image: 1*r-dPt7ieJU9Rg0E7GzMvbA.png]

☆ Here I entered wrong OTO 123456

[Image: 1*YyO6tvTI8ERuB94Shfxvfg.png]

☆ Now setup burpsuite and configure with the web browser.
Turn on the intercept and Now captured invalid OTP requests.
after request captured Right click and Do Intercept → Response to this request.

[Image: 1*nitsPp-YYQfJte6nr6ed3w.png]

☆ When attacker clicks on Response to this request then she will get a response of particuar requests.
So an attacker can easily observe the behaviour of an application function.

☆ You observe that {“status” : ”failed”}

[Image: 1*C1QT_Gj6M6nufpQd4HDG_Q.png]

☆ It’s a clear indication we can bypass OTP verification.
Now change response failed to success {“status” : ”failed”} → {“status” : ”success”}

[Image: 1*Ks8Df0laD1YhSR5J6LOtvg.png]

☆ Turn off the intercept button and look at the application,
OTP Verification has been bypassed.



☆ Enjoy ~ I LOVE YOU ALL GUYS WHO'll LIKE MY POSTS ~



[Hidden content]
Click to expand...
 
You must log in or register to reply here.
Top