Burp Suite User Forum

Login to post

Bypass OTP attemtps

Dylan | Last updated: May 16, 2021 01:39PM UTC

Are there any extensions or helpful documentation out there that might help me to bypass thr OTP attempts. I tried doing an attack but after a few OTP tries, it says I have tried too many times.

Uthman, PortSwigger Agent | Last updated: May 17, 2021 08:45AM UTC

Hi Dylan, You can find some ideas from the Academy labs: - https://portswigger.net/web-security/all-labs#authentication However, if there are restrictions set up on the server itself (e.g. an account lockout policy) then it will be difficult to bypass that. You can also try intercepting the request with the OTP and brute force using the Intruder as demonstrated in this lab: - https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-bypass-using-a-brute-force-attack

You need to Log in to post a reply. Or register here, for free.