Bypassing OTP Verification Methods

Hey Guys, Its KRiPPto99 Back again. In today’s blog I’m going to show you How can anyone bypass OTP and take over his account And also you need a Burpsuite

What is OTP?

onetime password, or commonly called OTP, is auto generated 3 to 6 digit number code that authenticate a user to their account. the OTP acts as also more secure password, especially if the users password is weak or reused

Description of Vulnerability:

Lets suppose there is site called and when you checkout the site there is login and create option will be there so just need to lookup there below there are steps I’m going to show you how did I bypassed OTP in my case

Before get started please learn basics of Burp Suite



Lets get started then!!!!!!!!!!!



Steps To Perform

Method 1: OTP Bypass  Leads To Account Takeover

step 1: visit to site choose create a account fill up details

step 2: For number fill up you’re number and wait for OTP it will ask us fill up OTP that time  randomly put any number for OTP section

step 3: after putting any random OTP just intercept the request in Burp Suite

step 4: when you get the request lookup and select on do intercept response only like below image



step5: forward the request until you get the request like below image as we get response here we just need do small changes here

step6: now time just need to change code 1 to 0 and invalid to valid otp that’s it like below image shared


step7: Boom!! Boom!! Just like that we did we just bypassed OTP and this also leads to account takeover






Method 2: OTP Bypass by Brute-force

this is another method which I’ve been came across int his method I noticed there is 4 digit OTP which I’ve been came up with this idea


Step1: suppose there is site called input the number and top of your choice

step2: use the Burpsuit and intercept the request before submit button

step3: forward the request until you notice there in request page there OTP is been displayed suppose 000 is our OTP then there will be that OTP

step4: send request to intruder select sniper attack clear all and just add $ to OTP for example $0000$ and in the

step5: in position tab do what below I did in image


step6: press on start attack that’s it!!! boom!!!!!!!

step7: we get to notice that out this combination we get to see different digit and that’s the OTP




Method3: OTP bypass through response manipulation

step1: lets take a target site called where we need to put our number and wait for it

step2: we been requested to input OTP here OTP need to input in 6 digit in my case

step3: input random any 6 digit and intercept request in Burpsuit before click

step4: In Burpsuit forward the request until you see there is OTP now click on request and click on do intercept> response to this request

step5: here in response we came across there will be error try to change that error to success we need to manipulation just like that, fail to success, 0 to 1 like this manipulation we need to do

step6: Forward the request and  success here we go Boom!!!!