Bug #82: [Security Audit ]17 - OTP Bruteforce - E-Arogya - Redmine

Actions

Copy link

Bug #82

closed

Feature #65: Security Audit

[Security Audit ]17 - OTP Bruteforce

Added by Kalyan Battula about 1 year ago. Updated about 1 year ago.

Status:

Closed

Priority:

Normal

Assignee:

Srinivas Kanukolanu

Category:

Target version:

Security Audit

Start date:

17/04/2024

Due date:

% Done:

Estimated time:

Deployed In:

Category:

Description

17 - OTP Bruteforce
CWE : CWE-799
Description :
Application allows users to submit multiple wrong OTPs which lead to bruteforce
attacks to guess the correct OTP.
Affected Path(s) :
https://earogya.satragroup.in/login *-Applicable to entire application
Impact :
Account takeover can be possible by using this vulnerability.
Recommendation :
It is recommended to allow only 3 to 5 wrong attempts of OTPs. After the limit block the
mobile number for some time or provide a new OTP.
Evidence/Proof Of Concept :
Step 1: Application accepting multiple OTP requests which leads to brute force the OTP by
submitting multiple requests.

Files

clipboard-202404171559-juppf.png (54.9 KB) clipboard-202404171559-juppf.png

Kalyan Battula, 17/04/2024 03:58 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

E-Arogya

Custom queries

Bug #82

[Security Audit ]17 - OTP Bruteforce

Updated by Harish Beechani about 1 year ago

Updated by Harish Beechani about 1 year ago

Updated by Harish Beechani about 1 year ago

Updated by Vasudev Mamidi about 1 year ago

Updated by Sivakanth Kesiraju about 1 year ago