Feature #260: [Security Audit Round 2 ] OTP Bruteforce (Reapeated) - E-Arogya - Redmine

Actions

Copy link

Feature #260

closed

Feature #235: [Security Audit Round 2 ]

[Security Audit Round 2 ] OTP Bruteforce (Reapeated)

Added by Kalyan Battula 12 months ago. Updated 11 months ago.

Status:

Closed

Priority:

High

Assignee:

Kalyan Battula

Category:

Target version:

Security Audit

Start date:

01/05/2024

Due date:

% Done:

Estimated time:

Deployed In:

Category:

Description

OTP Bruteforce (Repeated)
CWE : CWE-799
Description :
Application allows users to submit multiple wrong OTPs which lead to bruteforce
attacks to guess the correct OTP.
Affected Path(s) :
https://earogya.satragroup.in/login *-Applicable to entire application
Impact :
Account takeover can be possible by using this vulnerability.
Evidence/Proof Of Concept :
Step 1: Application accepting multiple OTP requests which leads to brute force the OTP by
submitting multiple requests.

Step 2: Functionalilty issue

Recommendation :
It is recommended to allow only 3 to 5 wrong attempts of OTPs. After the limit block the
mobile number for some time or provide a new OTP.

Files

Download all files

clipboard-202405011257-kqohn.png (47 KB) clipboard-202405011257-kqohn.png		Kalyan Battula, 01/05/2024 12:57 PM
clipboard-202405011258-j6kit.png (430 KB) clipboard-202405011258-j6kit.png		Kalyan Battula, 01/05/2024 12:58 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

E-Arogya

Custom queries

Feature #260

[Security Audit Round 2 ] OTP Bruteforce (Reapeated)

Updated by Harish Beechani 12 months ago

Updated by Sivakanth Kesiraju 12 months ago

Updated by Sivakanth Kesiraju 12 months ago

Updated by Harish Beechani 12 months ago

Updated by Harish Beechani 12 months ago

Updated by Kalyan Battula 11 months ago