The OTP request/verification endpoint does not enforce rate limiting, allowing an attacker to flood the system with repeated OTP requests.
Impact:
– Denial of service
– OTP exhaustion
– Increased operational cost
| Field | Detail |
|---|---|
| Vulnerability Name | OTP Flooding |
| Vulnerable URL | https://uatamrit.piramalswasthya.org/common-api/beneficiaryConsent/sendConsent |
| CVE/CWE | CWE-799 (Improper Control of Interaction Frequency) |
| CVSS Score | 6.5 |
| Overall Risk (Severity) | Medium |
| Observation / Description | OTP (One-Time Password) flooding occurs when an attacker triggers a large number of OTP messages to a target user's phone number or email address in a short period of time. OTPs are a common mechanism for verifying a user's identity during authentication: when the user attempts to log in, a one-time code is sent to their registered phone number or email address, and the user enters that code to complete the login. Because the sendConsent endpoint accepts an unlimited number of OTP requests, an attacker can overwhelm the target's phone or inbox with messages, which can prevent the user from receiving or identifying the legitimate OTP needed to access their account. |
| Impact | Because no rate limit is enforced, an attacker can brute-force the OTP for a particular username, which may lead to account takeover. The absence of a rate limit on the login flow may also allow user enumeration. |
| Recommendation | To prevent OTP flooding, the following measures should be implemented: (1) Rate-limit OTP requests: enforce limits on the number of OTP requests accepted from the same source (client IP, session or account) and to the same destination (phone number or email) within a given time window, so that a user's phone or inbox cannot be overwhelmed with messages. (2) Implement CAPTCHA or other anti-bot measures: add controls such as CAPTCHA to stop automated scripts from flooding a user's phone or inbox with OTPs. (3) Educate users about phishing and social engineering: make users aware of the risks of phishing and social engineering attacks and of how to recognise and report suspicious messages. Together, these measures reduce the risk of OTP flooding and better protect users from account takeover and related threats. |
| Reference | https://owasp.org/API-Security/editions/2019/en/0xa4-lack-of-resources-and-rate-limiting/ |
| Steps to reproduce | Step 1: During the security assessment we captured the login page request in Burp Suite. We then sent that request to Intruder for a brute-force attack. It was concluded that brute-forcing was possible, as no rate-limit mechanism was implemented for OTP. |
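The following Python block is an added illustration of the first recommendation (rate-limiting OTP requests); it is not code from the assessed application or from the OWASP reference. The class and function names, the limits (3 sends per destination per 10 minutes, 10 sends per source IP per minute, a 30-second resend cooldown), the phone numbers and the client IP address are all assumptions constructed for the example. It implements a sliding-window limiter keyed by both destination and source, then replays two constructed flood patterns against it: the single-target flood a Burp Intruder run would produce, and one source rotating through many phone numbers.

```python
"""Sliding-window rate limiting for an OTP-send endpoint (added example,
not the application's own code). All names and limits are assumptions."""
import time
from collections import defaultdict, deque


class OtpRateLimiter:
    """Limits OTP sends per destination and per source with a resend cooldown.

    State is kept in process memory; a real deployment with more than one
    API instance would keep these timestamps in a shared store (e.g. Redis).
    """

    def __init__(self, max_per_dest=3, dest_window=600,
                 max_per_source=10, source_window=60, resend_cooldown=30):
        self.max_per_dest = max_per_dest        # sends to one phone/email
        self.dest_window = dest_window          # ...within this many seconds
        self.max_per_source = max_per_source    # sends from one client IP
        self.source_window = source_window      # ...within this many seconds
        self.resend_cooldown = resend_cooldown  # min gap between resends
        self._dest = defaultdict(deque)   # destination -> send timestamps
        self._source = defaultdict(deque)  # source IP   -> send timestamps

    @staticmethod
    def _prune(q, window, now):
        """Drop timestamps that have fallen out of the sliding window."""
        while q and now - q[0] > window:
            q.popleft()

    def check(self, destination, source_ip, now=None):
        """Return (allowed, reason) without recording the send.

        Checks run cooldown first, then the per-destination cap (protects
        the victim), then the per-source cap (stops one client rotating
        through many victims)."""
        now = time.time() if now is None else now
        dq, sq = self._dest[destination], self._source[source_ip]
        self._prune(dq, self.dest_window, now)
        self._prune(sq, self.source_window, now)
        if dq and now - dq[-1] < self.resend_cooldown:
            return False, "resend_cooldown"
        if len(dq) >= self.max_per_dest:
            return False, "destination_limit"
        if len(sq) >= self.max_per_source:
            return False, "source_limit"
        return True, "ok"

    def record(self, destination, source_ip, now=None):
        """Record an OTP that was actually sent."""
        now = time.time() if now is None else now
        self._dest[destination].append(now)
        self._source[source_ip].append(now)


def send_otp(limiter, destination, source_ip, now=None):
    """Endpoint handler sketch: returns an HTTP status and a reason string.
    429 responses should also carry a Retry-After header in practice."""
    allowed, reason = limiter.check(destination, source_ip, now)
    if not allowed:
        return 429, reason
    limiter.record(destination, source_ip, now)
    # The actual SMS/email dispatch would happen here.
    return 202, reason


def run_flood(limiter, requests):
    """Replay (timestamp, destination, source_ip) tuples; count outcomes."""
    outcomes = {}
    for ts, dest, ip in requests:
        _, reason = send_otp(limiter, dest, ip, now=ts)
        outcomes[reason] = outcomes.get(reason, 0) + 1
    return outcomes


def single_target_flood(n=100, interval=1.0):
    """Intruder-style flood: one phone number, one IP, one request/second.
    Phone number and IP are constructed sample values."""
    limiter = OtpRateLimiter()
    reqs = [(i * interval, "+919999900000", "203.0.113.5") for i in range(n)]
    return run_flood(limiter, reqs)


def rotating_target_flood(n=50, interval=1.0):
    """One IP rotating through many phone numbers; the per-destination cap
    never triggers, so the per-source cap has to catch it."""
    limiter = OtpRateLimiter()
    reqs = [(i * interval, f"+91999990{i:04d}", "203.0.113.5") for i in range(n)]
    return run_flood(limiter, reqs)


if __name__ == "__main__":
    print("single target :", single_target_flood())
    print("rotating target:", rotating_target_flood())
```

With the assumed limits, 100 requests to one number yield only 3 OTP sends: the cooldown rejects everything inside the 30-second gaps, and once three sends sit in the 10-minute window the destination cap rejects the rest. Rotating the destination defeats the per-destination cap entirely, which is why the per-source cap exists; a CAPTCHA challenge after the first 429 for a source would add a further hurdle to the automated case.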