Tips and Methods to Bypass OTP

**skytower** · (This post was last modified: 27-08-2025, 03:39 PM by skytower.)

Hello guys, this will demonstrates several methods to bypass OTP (One-Time Password) verification during account registration or login processes using BurpSuite. These techniques can potentially lead to unauthorized access to user accounts, resulting in account takeover. This guide is intended for educational purposes to help you understand common vulnerabilities and improve your skills in penetration testing, before that, take a look OTP on wikipedia and see in detail

Method 1: Response Manipulation During Registration

Register an Account:
Register an account with a mobile number and request an OTP.
Capture the Request:
Enter an incorrect OTP and capture the request in BurpSuite.
Intercept the Response:

In BurpSuite, go to the "Proxy" tab and intercept the response to the OTP verification request.
The response will look like:

[ Hidden Content! ]

{"verificationStatus":false,"mobile":"9072346577","profileId":"84673832"}

Change the response to:

[ Hidden Content! ]

{"verificationStatus":true,"mobile":"9072346577","profileId":"84673832"}

In BurpSuite, edit the intercepted response directly in the "HTTP history" tab.

Forward the Response:
Forward the modified response by clicking on the "Forward" button.

Outcome:
You will be logged into the account.

Method 2: Response Manipulation During Login

Go to the login page and request an OTP.
Capture the Request:
Enter an incorrect OTP and capture the request in BurpSuite.
Intercept the Response:
In BurpSuite, intercept the response to the OTP verification request.
The response will indicate an error (e.g., incorrect OTP).
Modify the Response:
Change the response to indicate success (e.g., replace {"status":"error"} with {"status":"success"}).

Forward the Response:
Forward the modified response by clicking on the "Forward" button.

Outcome:
You will be logged into the account.

Method 3: Intercept and Modify Response Status

Register two accounts with any two mobile numbers, entering the correct OTP initially.
Capture the Request:
Intercept your request in BurpSuite.
Intercept the Response:
Click on "Action" -> "Do intercept" -> "Intercept response to this request".
Check the Response:
Check the response message for a status, e.g., status:1.
Repeat with Incorrect OTP:
Follow the same procedure with the other account but enter an incorrect OTP this time.
Capture and Modify:
Intercept the response to the request and note the message status, e.g., status:0.
Change the status to status:1

Forward the Response:
Forward the modified response by clicking on the "Forward" button.

Outcome:
If you are logged in, you have successfully bypassed authentication.

Method 4: Bypass OTP in Registration Forms Using Repeater

Create an account with a non-existent phone number.
Intercept the Request:
Intercept the request in BurpSuite.
Use Repeater:
Send the request to the repeater by right-clicking on the request and selecting "Send to Repeater".
Modify the Phone Number:
Go to the Repeater tab and change the non-existent phone number to your phone number.
Use Received OTP:

If you receive an OTP on your phone, use that OTP to register the non-existent number.

Method 5: No Rate Limiting

Create an account.
Capture the Request:
When the application asks for the OTP, enter an incorrect OTP and capture the request in BurpSuite.
Use Repeater:
Send this request to the Repeater by right-clicking on the request and selecting "Send to Repeater".
Check for Rate Limiting:
Set up a payload on the OTP value and repeat the request.
If there is no rate limit, wait for a 200 OK or 302 Found status code.

Outcome:
If you receive a 200 OK or 302 Found status code, you have bypassed the OTP.

Likes 💓 +Reps are always appreciated but optional

Not ratedThis leak has not been rated yet, be careful when downloading.

Tips and Methods to Bypass OTP

Submitted by skytower at 27-08-2025, 03:37 PM