OTP Bypass: How to mobile OTP bypass. Complete tutorial
How to mobile OTP bypass. Complete tutorial
I got a lot of responses in my last carding tutorial. If you are interested in this topic, I will come up with an Advance Tutorial on Carding. If you continue to respond well, I will also get encouragement and come up with something new. You can subscribe to my YouTube channel. I upload a lot of videos that do not have tutorials written. mobile OTP bypass. Complete tutorial
Today I have written about an important part of this.
Today’s topic is OTP BYPASS. Earlier I posted about admin panel bypass. But today I will write about this OTP bypass and this tutorial is definitely different from the previous tutorial.
What is OTP and what can you do if you can bypass it?
– OTP (one-time Password) is a very familiar subject to us. A 4/6 code number is used for our password reset, login, and verification processing.
-I can pay using your mobile OTP, access the account, and register with any number on the website. Much more is possible.
– You can also report this bug as a white hat. If this website has a bug bounty program, then you will get a bounty. If there is no program, there is no need to report.
What we need before we startঃ
1. One PC
2. Burp Suite (Google search)
3. Internet connection.
Let’s start step by step
1. First we need to configure the Burp Suite and the browser. First, open the Burp Suite. Then open Mozilla Firefox. Now go to the ‘Option’ of Mozilla Firefox. Scroll down to the General section to get the Network setting option. Select manual proxy here. Then enter 127.0.0.1 and port 8080 in the proxy. As shown below.
Now we need to install a certificate. Otherwise, no website will run. Burp: 8080 Visit this link. You can see the CA certificate written on the top right side. Click and download.
Now you need to install. Enter the Firefox option. Enter the privacy and security section. Click on View Certificates. Now click on import. Then select the downloaded certificate, open or double click, and install.
2. Now enter your target website. Visit the page where OTP is required. I am targeting the Indian website.
3. The form has to be filled completely. Email, address, name, mobile number have to be filled in all the fields. (All the information here is random. Arbitrary information is given. )
4. If all the information is given, I will click on submit. Now a pop-up will appear in front of us where we have to give OTP. Now let’s try randomly with 4 0000 numbers first. See OTP is wrong. If we make a mistake, it will show wrong. But we have this wrong OTP. I will go ahead with it.
5. Start working from now. Open Burp Suite. Then intercept on. Come back to the browser and click on OTP verify option again with 0000 or any number of your choice.
6. Come back to Burp Suite. Now you can see the response of the website. Find out where OTP is from this response.
7. When you find the OTP, select the response. Then right-click the mouse. Then click Do Intercept> Response this request. Click the Forward button.
8. Now you will see a new response. See the false here in the response. Because the OTP given to us is wrong.
Now we edit this false
I will write True. Then I will click on the forward button again. You will continue to forward until the website enters the next page.
9. Now look, there is no more error and we have submitted the form correctly. We have completed 0000 with this wrong OTP. We have bypassed the OTP.
This is not the only method. Your website may not have this. In that case, you have to use another method. This Mobile OTP bypass method will be shown in the next episode along with something new.