Craig Hays

brute-force

One Time Code Bypass With An Inverted Brute-Force Attack

June 18, 2021 By Craig Hays

“We’ve sent a six-digit code to your email address. Enter it below to login.”

[Image: One Time Code Logic Inversion Attack. Photo by Alvin Lenin on Unsplash]

We see them all the time while testing web applications. In order to verify your identity, the application sends a six-digit numeric code to your registered email address or phone number. The purpose is to prove that the person performing the action is also in possession of the phone or mailbox attached to the account. No access, no authorisation. It’s a useful second factor that applies a little extra security to a process.

If you try to guess the code, it expires after 5 or so attempts. The odds of guessing correctly are 5/1,000,000, or 1/200,000 (0.0005%). Any guesses after the first 5 are invalid. This prevents you from brute-forcing all 1,000,000 combinations from 000000 to 999999.

Sounds pretty safe, right? Well, it can be. But sometimes developers make mistakes in their assumptions. Here’s one of my favourite bugs to test for and how to exploit it.


· © Craig Hays, 2006–2023 ·
