Bypass OTP using http header.

Whenever I do pentesting, I always look backend because the developer experience helps me in Pentesting. I can understand the problem of developer because they have fixed time-line to deliver product or service. But the same case in Pentesting too :).

I have bypass OTP using http headers such as origin and referer. Let’s understand what is origin and referer in simple language. The Origin request header indicates where a fetch originates from. It doesn't include any path information. example : Origin : https://xyz.com. The refereheader is a request-type header that identifies the address of the previous web page, which is linked to the current web page or resource being originated. Example : referer: http://xyz.com/abc.jsp.

As per my experience in web development, I have seen that for 2FA there are common name for pages such as OTP.jsp, Validation.jsp, otpvalidate.jsp, otp_validation.jsp etc. So, basically behind the otp.jsp, otp_validation.jsp will perform authentication and authorization activity. In simple words, otp_validation.jsp page will give you the authority to land next page. Game is here, most of the time developers do client side validation like enter otp, invalid otp or rare case session validation.

So, I have decided to bypass this page means otp.jsp page and land to next page. Unfortunately, developer has done validations but not in http headers. I have followed the procedure of signup and land to otp.jsp page. Next landing page was transactions.jsp with so called session validation.

OTP page
Success OTP bypass page

I have done 3 changes to perform bypass OTP.

1) I have changed the next landing page “tansactions.jsp”

2) I have changed referer otp_validation.jsp

3) I have added otp parameter “Validation” and successfully bypass the otp.

Lastly, there are couple of methods to bypass otp such as bruteforce and race condition.

If you like then share :)

Follow Rapidsafeguard

Defensive Security with Black Hat minds