How I bypassed OTP verification in an account registration process

Amit Patil
3 min read · Nov 6, 2020

Hello guys, I am Amit Patil and this is my first write-up, about my finding on an OTP bypass. Thanks to all the researchers who posted their findings about bugs and educate the cyber security community/learners like me.

Before hunting for this bug, I had read multiple blogs, so I had a little idea about how/where to look for this kind of bug.

Let’s Dig into it…!!!

About the target

The target website is a real estate site where you can create your profile and post a property for sale, or you can buy property, like Magicbricks/NoBroker.

So, I took time to understand the target and get familiar with the website.

My first bug

I played around on the sign-up page, looking at the ways to create a profile on this domain: with different options like email ID, mobile number, or sign up with Google/Facebook/Apple ID. I created accounts with a different name through each of the options offered there, to understand how the system handles the different requests.

So, I used Burp Suite to capture the requests. While examining the requests made for sign-up on this domain, I came across one interesting response, which was returned for the OTP validation request.

So, I dug deeper into this sign-up method to understand the flow. I created 2–3 valid accounts through the OTP validation mechanism and examined the responses for each. I also learned that after verifying the OTP, if you already have an account with this domain it takes you to the profile window; otherwise it takes you to the sign-up page to create an account on the domain, where you need to enter personal details like NAME and EMAIL-ID (the mobile number was already verified on the previous page).

After all of this I concluded that the browser relies entirely on the response body to decide what to do next. The response body contains fields that are validated by the server and returned in JSON format. The fields relate to OTP validation: if the OTP is valid the response is like {"status":1,"message":"OTP matched Successfully"}, and the browser takes the further actions based on that. If an invalid OTP is entered, the response is like {"status":0,"message":"Invalid OTP value"}.

So now all was set; I knew the flow. Let's exploit this.

This time I entered a random mobile number (one I don't actually own) on the "login with OTP" page.

After entering the random mobile number (the OTP was sent to that number), I was asked to enter the OTP. I entered "0000" and clicked on verify.

Then I captured the request in Burp Suite with "Intercept is on" >> right-click on the request and select "Do intercept" >> "Response to this request", so that I could manipulate the response in Burp Suite before it went back to the browser. Once I had the response in Burp, I changed the values in the response body: "status":"0" >> "1" and "message":"Invalid OTP value" >> "OTP Matched Successfully".

Bingooo…!!!

I was able to bypass OTP validation on the registration page (identity theft) and was able to create a profile with any mobile number.
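The root cause described above is that the browser, not the server, decides whether the OTP matched, so editing the JSON body in a proxy is enough. The following is an added example (not the target site's code, and not code from this write-up) of the server-side design that closes this class of bug: the "phone verified" fact lives in server-side session state that only verify_otp() can set, and register() consults that state instead of anything the client sends. It also adds the checks a practitioner would want alongside it: a CSPRNG-generated code, constant-time comparison, an expiry, and an attempt limit. All class and function names, the session model, and the constructed phone numbers are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example (not the target site's code): an OTP flow that keeps the
# "phone verified" decision on the server, so a tampered response body changes
# nothing about what the server will later allow.

OTP_TTL_SECONDS = 300   # code expires after 5 minutes (assumed policy)
MAX_ATTEMPTS = 5        # wrong guesses allowed per issued code (assumed policy)


@dataclass
class PendingOtp:
    code: str
    phone: str
    expires_at: float
    attempts: int = 0


@dataclass
class Session:
    verified_phone: Optional[str] = None   # set only by OtpService.verify_otp()


class OtpService:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.pending: Dict[str, PendingOtp] = {}    # keyed by session id
        self.accounts: Dict[str, dict] = {}         # phone -> profile

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session()
        return sid

    def send_otp(self, sid: str, phone: str) -> dict:
        code = f"{secrets.randbelow(10**6):06d}"    # 6 digits from a CSPRNG
        self.pending[sid] = PendingOtp(code, phone, time.time() + OTP_TTL_SECONDS)
        # A real deployment hands the code to the SMS gateway; it is returned
        # here only so the honest flow below can be driven offline.
        return {"status": 1, "message": "OTP sent", "_debug_code": code}

    def verify_otp(self, sid: str, phone: str, code: str) -> dict:
        p = self.pending.get(sid)
        if p is None or p.phone != phone or time.time() > p.expires_at:
            return {"status": 0, "message": "No OTP pending for this number"}
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:
            del self.pending[sid]                  # burn the code after too many tries
            return {"status": 0, "message": "Too many attempts"}
        if not hmac.compare_digest(p.code, code):  # constant-time comparison
            return {"status": 0, "message": "Invalid OTP value"}
        del self.pending[sid]                      # one successful use per code
        self.sessions[sid].verified_phone = phone  # the server-side fact that matters
        return {"status": 1, "message": "OTP matched Successfully"}

    def register(self, sid: str, phone: str, name: str, email: str) -> dict:
        # Never consult anything the client says about verification status;
        # the only input is the session state that verify_otp() set.
        sess = self.sessions.get(sid)
        if sess is None or sess.verified_phone != phone:
            return {"status": 0, "message": "Mobile number not verified"}
        self.accounts[phone] = {"name": name, "email": email}
        return {"status": 1, "message": "Account created"}


def tampered_client_flow(svc: OtpService, phone: str) -> dict:
    """Model the write-up's attack: the client gets status 0, rewrites it to
    status 1 in the proxy, and then tries to register anyway."""
    sid = svc.new_session()
    svc.send_otp(sid, phone)
    resp = svc.verify_otp(sid, phone, "0000")
    resp = {**resp, "status": 1, "message": "OTP Matched Successfully"}  # proxy edit
    assert resp["status"] == 1   # the browser now "believes" the OTP matched...
    return svc.register(sid, phone, name="Mallory", email="m@example.invalid")


def honest_client_flow(svc: OtpService, phone: str) -> dict:
    """The legitimate flow: the real code is entered, the server records it."""
    sid = svc.new_session()
    code = svc.send_otp(sid, phone)["_debug_code"]
    svc.verify_otp(sid, phone, code)
    return svc.register(sid, phone, name="Alice", email="a@example.invalid")


if __name__ == "__main__":
    svc = OtpService()
    print(tampered_client_flow(svc, "+910000000000"))   # status 0: server state never changed
    print(honest_client_flow(svc, "+911111111111"))     # status 1: verified server-side
```

The point to take from the two flows is that the tampered client ends up with exactly the response the attacker wanted to see, and it makes no difference: register() never looks at it. Any design where the client echoes a "verified" flag back to the server, or where the next step is gated purely by what the JavaScript saw in the previous response, is the vulnerable pattern from the write-up regardless of how the OTP itself is generated.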

My take-aways:

1. Always understand the whole mechanism/system flow of the website first.

2. Try to manipulate response fields wherever possible.

Thanks for reading the blog.

Follow me on LinkedIn:- www.linkedin.com/in/amit-patil-🇮🇳-78b1031b6
