High Severity
🟠 OTP Brute Force / Prediction
🧠 Description
One-Time Passwords (OTP) can be brute forced when the verification endpoint is not rate limited, or predicted when the generation algorithm is weak (e.g., a code derived from the current time with little added entropy).
Impact: Account Takeover, 2FA Bypass, Financial Fraud
🎯 Attack Surface
- SMS/Email OTP verification
- TOTP (Google Authenticator) endpoints
- Backup codes
- Password reset OTP
⚡ Exploitation Techniques
- Brute force 4-6 digit OTPs (10000-1000000 combinations)
- Race condition: send multiple OTPs simultaneously
- Timing attack: analyze response times
- OTP leakage in referrer/URL
🛡️ Mitigation
✅ Lock account after 5-10 failed OTP attempts
✅ Implement rate limiting per session/IP
✅ Use 8+ digit OTPs with high entropy
✅ Add friction (delay, CAPTCHA) after failures
✅ Use standard HMAC-based TOTP (RFC 6238) keyed with a random secret, not a code derived from the time alone
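The lockout, single-use and constant-time-compare mitigations above, combined in one verifier (added example, not code from the original page; the in-memory store, the `identity` values and the limits are assumptions for the demo):

```python
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 5   # lock after this many wrong codes (page: 5-10)
OTP_DIGITS = 8            # page: 8+ digits
OTP_TTL_SECONDS = 300     # a code is only valid for five minutes
LOCKOUT_SECONDS = 900     # how long the identity stays locked


class OtpVerifier:
    """Issues and checks numeric OTPs with per-identity attempt limiting.

    Demo only: state lives in a dict. In production the attempt counter
    must be incremented atomically in a shared store (e.g. Redis INCR),
    otherwise concurrent guesses can outrun the limit (the race condition
    listed under exploitation techniques).
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}       # identity -> [code, expires_at, attempts]
        self._locked_until = {}  # identity -> unix time the lock expires

    def issue(self, identity):
        # secrets is a CSPRNG, so the code cannot be predicted from the clock
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[identity] = [code, self._clock() + OTP_TTL_SECONDS, 0]
        return code

    def verify(self, identity, submitted):
        """Return one of 'ok', 'wrong', 'locked', 'expired'."""
        now = self._clock()
        if self._locked_until.get(identity, 0) > now:
            return "locked"
        entry = self._pending.get(identity)
        if entry is None or now > entry[1]:
            return "expired"
        entry[2] += 1  # count the attempt before comparing, not after
        # compare_digest runs in constant time, defeating timing analysis
        if hmac.compare_digest(entry[0], submitted):
            del self._pending[identity]  # single use: a code never works twice
            return "ok"
        if entry[2] >= MAX_FAILED_ATTEMPTS:
            del self._pending[identity]  # discard the code and lock the identity
            self._locked_until[identity] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"
```

Rate limiting per IP/session and the CAPTCHA step sit in front of `verify` at the HTTP layer and are not shown here.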