{"id":886,"date":"2020-05-09T04:12:29","date_gmt":"2020-05-09T03:12:29","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=886"},"modified":"2020-09-28T18:05:03","modified_gmt":"2020-09-28T17:05:03","slug":"otp-bypass-developers-check","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/otp-bypass-developers-check\/","title":{"rendered":"OTP Bypass – Developer\u2019s Check"},"content":{"rendered":"

Summary :<\/strong><\/p>\n

OTP\u200b is a string of characters or numbers automatically generated to be used for one single login attempt. OTP, One Time Passwords in full, can be sent to the user\u2019s phone via SMS or Push messaging and is used to protect web-based services, private credentials and data.<\/p>\n

I was checking for some bypasses of an OTP and I tried this thing to bypass the OTP and was successful. I call it\u00a0Developer\u2019s Check\u00a0<\/strong>because I found it when I was reviewing the code of the application and some of the buttons. The mistake here was that the application was having the OTP check on the client side and was easily identifiable. Due to this mistake anyone can bypass the OTP very easily.<\/p>\n

How to find this vulnerability ?<\/strong><\/p>\n

    \n
  1. Go to your target website<\/li>\n<\/ol>\n
    \n
    \n
    \n
    \n
    \n
    <\/div>\n

    <\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>

    Registration<\/figcaption><\/figure>\n

    2. Here I had an option to register and they will send me an OTP for login<\/p>\n

    \n
    \n
    \n
    \n
    \n
    <\/div>\n

    <\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>

    OTP received<\/figcaption><\/figure>\n

    3. Right-click on the \u201cContinue\u201d\u00a0<\/em>button and click on inspect element to check for some functions that validates the OTP check<\/p>\n

    \n
    \n
    \n
    \n
    \n
    <\/div>\n

    <\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>

    Inspect Element<\/figcaption><\/figure>\n

    4. Here you can see in the below screenshot that their is an event called\u00a0\u201ccheckOTP(event)\u201d<\/em><\/p>\n

    \n
    \n
    \n
    \n
    \n
    \n
    \"OTP\"
    OTP<\/figcaption><\/figure>\n<\/div>\n
    \"OTP\"
    OTP<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/div>
    checkOTP(event) function<\/figcaption><\/figure>\n

    5. Simply type the event in the console of the browser<\/p>\n

    \n
    \n
    \n
    \n
    \n
    \n
    \"OTP\"
    OTP<\/figcaption><\/figure>\n<\/div>\n
    \"OTP\"
    OTP<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/div>
    Click on the arrow<\/figcaption><\/figure>\n

    6. After clicking on the arrow it will open a file in the debugger where you will an OTP that was send to the mobile<\/p>\n

    \n
    \n
    \n
    \n
    \n
    \n
    \"OTP\"
    OTP<\/figcaption><\/figure>\n<\/div>\n
    \"OTP\"
    OTP<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/div>
    OTP<\/figcaption><\/figure>\n

    Logic Code :<\/strong><\/p>\n

    <script type=\u2019text\/javascript\u2019>
    \nfunction checkOTP(e)
    \n{
    \nif (document.getElementById(\u201ctxtOtp\u201d).value == 8951)<\/strong>
    \n{
    \nvar formSignUp = document.getElementById(\u201cformSignUp\u201d);
    \nformSignUp.submit();
    \n}
    \nelse
    \n{
    \nvar divWrongOTP = document.getElementById(\u2018divWrongOTP\u2019);
    \ndivWrongOTP.style.display = \u2018inline\u2019;
    \ne.preventDefault();
    \nreturn;
    \n}
    \n}
    \nfunction resubmitOtp()
    \n{
    \nlocation.reload();
    \n}
    \n<\/script><\/p>\n

    As here you can see if \u201c(document.getElementById(\u201ctxtOtp\u201d).value == 8951)\u201d<\/strong>\u00a0which means if the OTP that you entered matches\u00a0\u201c8951\u201d\u00a0<\/em>then only you will get a successful login which also means that\u00a0\u201c8951\u201d\u00a0<\/em>is your OTP.<\/p>\n

    Thank You \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"

    Summary : OTP\u200b is a string of characters or numbers automatically generated to be used for one single login attempt.<\/p>\n","protected":false},"author":1,"featured_media":887,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[51],"tags":[],"yst_prominent_words":[1299,1300,1305,1303,1295,1301,200,65,1298,1294,1308,1302,1307,1297,1192,1306,1296,1309,115,1304],"class_list":["post-886","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/886","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=886"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/886\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/887"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=886"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=886"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=886"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=886"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}