
afolabiemmanuel49@gmail.com

VULNERABILITY REPORT

Lack of Rate Limiting while sending OTP code

INTRODUCTION
Lack of rate limiting

Rate limiting is a technique developers use to restrict how many times a user can perform a
particular action. Developers implement it either to prevent brute forcing or to avoid
overloading the server, which might lead to a DoS attack.

The Vulnerable Web Application (MyMTN):

The vulnerable web application is https://mymtn.com.ng, and the vulnerable part is the step
where the application sends an OTP to the phone number. The application relied on the OTP
expiring after X minutes and did not implement any sort of rate limiting to prevent a
malicious user from brute forcing the OTP code. Since this code is a 4 digit code, brute
forcing is easier. Once an attacker has this OTP code, they can easily log in to the account
of the phone number whose OTP code they just brute forced.

TOOLS USED:
Kali Linux Operating System
Browser
Burp Suite
Turbo Intruder (Burp Suite extension)
Wordlist (https://drive.google.com/open?id=1MU3aWeLX2snTTEljD8CrsEMmXV11CHvR)

N.B: Burp Suite is a tool used to intercept and modify requests sent between the client
(i.e. the browser) and the web server. This tool can be downloaded from
https://portswigger.net/burp/communitydownload

To use Burp Suite with your browser, you will have to configure it. The configuration is
quite easy and the steps can be found here:
https://portswigger.net/burp/documentation/desktop/penetration-testing/configuring-your-browser

To install Turbo Intruder, visit this URL:
https://portswigger.net/bappstore/9abaa233088242e8be252cd4ff534988

PROOF OF CONCEPT

In this part of the report, I will be explaining how I was able to find and exploit this vulnerability.

1. Visit the following URL: https://www.mtnonline.com/

2. Click on the “Login to MyMTN” button, which will redirect you to “http://mymtn.com.ng/”,
then enter a valid MTN phone number and click on “Submit now”.

3. At this point, the web application will send an OTP code to the phone number you
entered, and you should be presented with a page asking for the OTP code. Enter a
wrong OTP code (a code different from the one sent to the phone number). Before
clicking on the “Validate OTP” button, intercept the request before it gets to the web
server. Highlight the whole value of the otp parameter, as shown in the screenshot below
(I used “1000”), then right-click on the request and choose “Send to Turbo Intruder”.

4. Set the path of the wordlist to brute force with. The path for my own wordlist is
“/root/Desktop/Afolic/Programs/MTN/4digits.txt”; the 4digits.txt file is a text file which I
created that contains all the possible combinations of 4 digits.

5. Then click on the Attack button below.

6. I will be attaching a video as a better proof of concept, to better demonstrate how I found
and exploited this vulnerability:
“https://drive.google.com/open?id=16v6NytozaHaqDh3-Ewvps0ezqOSpIAlv”

IMPACT
Brute forcing this OTP takes less than 3 minutes, and with this OTP an attacker can log in to
the account of any mobile number they choose and perform activities on that account as they
wish, such as adding a secondary phone number, or basically any activity. The most interesting
part of this web application is that after logging in once, I remained logged in, even if I shut
down my PC, until I decided to log out of that account.
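
The control the introduction describes as missing, sketched as an added example (not part of the original report and not MTN's code): an OTP verifier that limits wrong guesses per issued code, burns the code on lockout, and throttles re-issue. The class name, the constants and the in-memory storage are assumptions made for illustration.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed expiry; the report only says "X minutes"
MAX_ATTEMPTS = 5       # assumed cap on wrong guesses per issued code
ISSUE_COOLDOWN = 60    # assumed minimum seconds between codes for one number


class OtpService:
    """In-memory sketch; production state belongs in a shared store."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}      # phone number -> code, expiry, failure count
        self._last_issued = {}  # phone number -> time of last issued code

    def issue(self, msisdn):
        now = self._clock()
        last = self._last_issued.get(msisdn)
        if last is not None and now - last < ISSUE_COOLDOWN:
            return None  # a re-request must not buy a fresh set of guesses
        code = f"{secrets.randbelow(10_000):04d}"  # 4 digits, as in the report
        self._pending[msisdn] = {"code": code, "expires": now + OTP_TTL_SECONDS, "failures": 0}
        self._last_issued[msisdn] = now
        return code  # delivered by SMS only, never echoed to the web client

    def verify(self, msisdn, guess):
        entry = self._pending.get(msisdn)
        if entry is None or self._clock() > entry["expires"]:
            self._pending.pop(msisdn, None)
            return "expired"  # no live code: nothing to guess against
        if hmac.compare_digest(entry["code"].encode(), str(guess).encode()):
            del self._pending[msisdn]  # single use
            return "ok"
        entry["failures"] += 1
        if entry["failures"] >= MAX_ATTEMPTS:
            del self._pending[msisdn]  # burn the code after too many misses
            return "locked"
        return "wrong"


if __name__ == "__main__":
    svc = OtpService()
    number = "08000000000"  # constructed sample number
    real = svc.issue(number)
    wrong = "0000" if real != "0000" else "0001"
    print([svc.verify(number, wrong) for _ in range(MAX_ATTEMPTS)])
    print(svc.verify(number, real))  # code was burned by the lockout
```

With these assumed values, a client gets at most 5 of the 10,000 possible guesses against any one code and at most one new code per minute for a given number, so the correct code stops working once the limit is hit.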
