Bug #76

Feature #65: Security Audit

[Security Audit] 11 - OTP Flooding

Added by Kalyan Battula about 1 year ago. Updated 7 months ago.

Status: Closed
Priority: Normal
Category: -
Start date: 24/04/2024
% Done: 100%
Estimated time: (Total: 0:00 h)

Description

11 - OTP Flooding
CWE: CWE-770
Description:
The attack consists of generating a large number of OTP requests against a single mobile number or email address.
Affected path(s):
https://earogya.satragroup.in/login (applicable to the entire application)
Impact:
An attacker could make the service unavailable or degrade its performance.
Recommendation:
It is recommended to allow only 5 or 10 OTPs to be sent to a single mobile number within a given period of time. After one successful OTP transaction (the OTP is sent and then verified) this count can be reset. Implement a CAPTCHA mechanism on the request that triggers the OTP.
Evidence / Proof of Concept:
Step 1: Navigate to the forgot-password page and enter any email address.

Step 2: Multiple OTPs are sent to the mobile number, as shown in the screenshot below.

Step 3: It is observed that there is no rate limit on OTP requests.

Step 4: Multiple OTPs are sent to the mobile number, as shown in the screenshot below.
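The rate limit described in the recommendation above, as an added example that is not part of the original finding or of the audited application: a per-identifier sliding-window limiter that refuses further OTP sends once the cap is reached and clears the count after a successful verification. The limits, the identifier values and the in-memory storage are assumptions; a real deployment would keep the counters in a shared store so they hold across application instances.

```python
import hmac
import secrets
import time
from collections import defaultdict

# Constructed limits, following the finding's recommendation: at most
# MAX_SENDS OTPs per identifier (mobile number or e-mail) within WINDOW_SECONDS.
MAX_SENDS = 5
WINDOW_SECONDS = 15 * 60


class OtpRateLimiter:
    """Per-identifier OTP send limiter; the counter resets after a successful verify."""

    def __init__(self, max_sends=MAX_SENDS, window=WINDOW_SECONDS):
        self.max_sends = max_sends
        self.window = window
        self._sends = defaultdict(list)  # identifier -> timestamps of recent sends
        self._codes = {}                 # identifier -> outstanding OTP

    def _recent_sends(self, identifier, now):
        # Drop timestamps that have aged out of the sliding window.
        cutoff = now - self.window
        self._sends[identifier] = [t for t in self._sends[identifier] if t > cutoff]
        return self._sends[identifier]

    def request_otp(self, identifier, now=None):
        """Return the OTP to deliver, or None if this identifier is rate limited."""
        now = time.time() if now is None else now
        if len(self._recent_sends(identifier, now)) >= self.max_sends:
            return None  # caller logs the event and returns a generic response
        self._sends[identifier].append(now)
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit OTP from a CSPRNG
        self._codes[identifier] = code
        return code

    def verify_otp(self, identifier, submitted):
        """Check the submitted OTP in constant time; on success clear the send counter."""
        expected = self._codes.get(identifier)
        ok = expected is not None and hmac.compare_digest(expected, submitted)
        if ok:
            del self._codes[identifier]   # one-time use
            self._sends[identifier] = []  # successful transaction resets the count
        return ok
```

The CAPTCHA check that the recommendation also asks for sits in front of this limiter on the request path and is not shown here.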


Files

clipboard-202404171547-lwfhr.png (564 KB), Kalyan Battula, 17/04/2024 03:47 PM
clipboard-202404171547-gejso.png (99.2 KB), Kalyan Battula, 17/04/2024 03:47 PM
clipboard-202404171548-qoelw.png (198 KB), Kalyan Battula, 17/04/2024 03:48 PM
clipboard-202404171549-witvn.png (226 KB), Kalyan Battula, 17/04/2024 03:49 PM

Subtasks: 1 (0 open, 1 closed)

Bug #107: To stop the bot attack added captcha in UI | Closed | Raju Kuthadi | 24/04/2024
