How to prevent OTP spraying using BurpSuite during OTP validation

I have an OTP validation functionality in my mobile application. When a user forgets the password, he/she can change it using the forgot password flow. I have a server action 'Validate Code' on which the penetration testing team is able to spray OTPs using the password spraying technique with Burp Suite.

Is there any way I can prevent this? Say, when the server action is called with an invalid OTP 2-3 times, I can return a 403 Forbidden status code?


Hi Sundeep!

I'm encountering the same issue. May I know if you were able to resolve this? 


Thanks,

Ross

Solution

Hi Ross,

I was not able to stop OTP spraying. I don't think it can be stopped as the server action is called multiple times with different OTPs by some tools like BurpSuite. 

I have done a workaround to prevent the tool from getting the valid OTP. And, when the pen testing team retested this issue, it passed.

Please find below what I have done.

1. Encrypting input and output parameters of the server action.

    I have serialized the input, encrypted the serialized string and sent it as the input parameter so that it cannot be read by the attacker. Then I decrypted the input parameter inside the server action and de-serialized it. In the same way I encrypted the response output parameter from the server action so that the attacker won't be able to identify if the response is valid or not, then decrypted it on the client side.

2. Restrict multiple attempts by restricting the user for a specific number of attempts. 

   I set a site property with the limit of attempts (3 in my case) for the OTP. Then, in the server action that validates the OTP, if that limit is reached I return an error response. I had this logic on the client side already, but it was not getting validated in the server action. Hence the attacker was able to attempt multiple times and get the valid response after some attempts. Now I added this logic in the server action also. Hence, when the attacker tries to spray OTPs from Burp Suite, after 3 attempts he will always get the error response from the server action.

Hope this helps to resolve your issue as well.

Sundeep.
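The server-side limit described in step 2, as an added example that is not code from the post or from the OutSystems platform: a Python `validate_code()` that counts attempts on the server (limit 3, as in the post), burns the code once the limit is reached so that a later correct guess also fails, and returns the same 403 whether the code was wrong, expired or exhausted, so the response itself leaks nothing. The in-memory store, the 5-minute TTL and the function names are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 3          # mirrors the "site property" limit from the post
OTP_TTL_SECONDS = 300     # assumption: a code expires after 5 minutes

# Constructed in-memory store; a real deployment keeps this in the database
# so the limit holds across app instances, not just inside one process.
_pending = {}   # user_id -> {"hash": bytes, "salt": bytes, "attempts": int, "expires": float}


def issue_code(user_id, now=None):
    """Generate a 6-digit OTP, store only a salted HMAC of it, reset the counter."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    _pending[user_id] = {
        "hash": hmac.new(salt, code.encode(), "sha256").digest(),
        "salt": salt,
        "attempts": 0,
        "expires": now + OTP_TTL_SECONDS,
    }
    return code  # delivered out of band (SMS / e-mail); never echoed to the client


def validate_code(user_id, submitted, now=None):
    """Server-side check. Returns (ok, http_status).

    The failure response is identical for a wrong, expired or exhausted code,
    so a tool replaying the request cannot tell the cases apart."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None or now > entry["expires"]:
        _pending.pop(user_id, None)
        return False, 403
    # Count before comparing, so the limit is enforced even if the client
    # ignores earlier errors and keeps replaying the request.
    entry["attempts"] += 1
    expected = hmac.new(entry["salt"], submitted.encode(), "sha256").digest()
    if hmac.compare_digest(expected, entry["hash"]):
        _pending.pop(user_id, None)   # single use: success consumes the code
        return True, 200
    if entry["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(user_id, None)   # burn the code: a later correct guess fails too
    return False, 403
```

The client-side counter the post mentions can stay for usability, but only the check inside the server action decides anything, because Burp Suite never runs the client logic.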


Hi Sundeep!
Can you upload some photos of how you enter and validate the code? This is to have context on how you could modify that to prevent them from modifying it with BSP.

Thanks,
Felipe.

Hi Felipe,

Thanks for responding to my question.

Actually that issue was closed by the pen testing team on retesting. The work around I added was okay for them.

Sundeep
