0x04e - About OTP Authentication Checks #1938
Conversation
Thanks for the PR, @Saket-taneja. While I understand what you are trying to say, I don't know if this is the right place to do it. This section is about a backend enforcing 2FA, after which it will provide new information to the user (e.g. sensitive data). In your case, if the server simply returns true/false, it would mean that the sensitive information is already stored locally, or that there is client-side validation; both of which are already covered in the MASVS/MSTG. Your recommendation also wouldn't fix the problem. If you say "> The application should always pass user token or some dynamic information related to the user to prevent the attack", then the backend could still simply return true/false and you would still be 'vulnerable', or at least have the same issue. As I mentioned in #1939, it's best to first open an issue so that we can have a discussion on the merit of the addition.
I agree with @TheDauntless, and please don't hesitate to raise issues whenever you feel that something's missing or incomplete. If something is already covered or not applicable we can save you the effort of working on PRs. Thanks @Saket-taneja :)
@TheDauntless The case which I have listed here also entails that in many cases the application is configured in a way that the server returns only true/false when 2FA is enabled. There are numerous reports on HackerOne and Bugcrowd you can refer to. The solution to almost all of them is that they were all using static responses, which should be avoided. CC: @cpholguera
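The two comments above disagree about where the weakness lies when the server answers an OTP check with nothing but true/false. The following is an added illustration written for this thread, not code from the MSTG or from this PR: it contrasts a "weak" flow, where the client already holds the protected data and unlocks it on a `success` flag, with a "strong" flow, where the server releases a step-up token (and through it the data) only after it has verified the code. The secret, the protected record, the in-memory session table and the `tamper()` helper that stands in for an intercepting proxy are all constructed for the demo; the HOTP/TOTP arithmetic follows RFC 4226 / RFC 6238.

```python
"""Added example (not part of the MSTG or this PR): a backend that only
answers true/false to an OTP check versus one that releases the protected
result only after verification.  All names, secrets and the in-memory
'server' below are constructed for the illustration.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Constructed per-user state: a shared TOTP secret and the data 2FA protects.
USER_SECRET = b"constructed-shared-secret-for-demo"
PROTECTED_DATA = {"iban": "DE00 0000 0000 0000 0000 00"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(now // step))


def otp_matches(submitted: str, now: float) -> bool:
    # Accept the current and the previous time step; constant-time compare.
    return any(hmac.compare_digest(submitted, totp(USER_SECRET, now - d))
               for d in (0, 30))


# --- Weak pattern: the server only says yes/no and the client decides ---
def weak_server_verify(submitted: str, now: float) -> dict:
    return {"success": otp_matches(submitted, now)}


def weak_client_flow(response: dict) -> Optional[dict]:
    # The client already holds PROTECTED_DATA locally and unlocks it on 'success';
    # this is the client-side validation the MASVS/MSTG already warns about.
    return PROTECTED_DATA if response.get("success") else None


# --- Strong pattern: the server releases the resource only after verifying ---
SESSIONS = {}  # constructed server-side store of step-up authorizations


def strong_server_verify(submitted: str, now: float) -> dict:
    if not otp_matches(submitted, now):
        return {"success": False}
    token = secrets.token_hex(16)
    SESSIONS[token] = "step-up"
    return {"success": True, "step_up_token": token}


def strong_server_fetch(token: str) -> Optional[dict]:
    # Authorization is checked against server state, not a flag in a response.
    return PROTECTED_DATA if SESSIONS.get(token) == "step-up" else None


def strong_client_flow(response: dict) -> Optional[dict]:
    return strong_server_fetch(response.get("step_up_token", ""))


def tamper(response: dict) -> dict:
    """Simulate an intercepting proxy rewriting the verification response."""
    forged = dict(response)
    forged["success"] = True
    return forged


def demo(now: float) -> dict:
    """Run both flows with a wrong code plus a tampered response, and one legit run."""
    wrong = next(c for c in ("000000", "111111", "222222") if not otp_matches(c, now))
    weak_tampered = weak_client_flow(tamper(weak_server_verify(wrong, now)))
    strong_tampered = strong_client_flow(tamper(strong_server_verify(wrong, now)))
    strong_legit = strong_client_flow(strong_server_verify(totp(USER_SECRET, now), now))
    return {
        "weak_bypassed": weak_tampered is not None,      # True: flag flip unlocks data
        "strong_bypassed": strong_tampered is not None,  # False: no token, no data
        "strong_legit": strong_legit is not None,        # True: real code works
    }


if __name__ == "__main__":
    print(demo(1700000000.0))
```

Flipping `success` in the weak flow hands over the data because the data was never behind the server; in the strong flow the same tampering yields a response with no token, and `strong_server_fetch` refuses. Passing a user token or "dynamic information" in the request, as the PR text proposed, changes nothing here: what matters is what the server releases after verification.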
Hi @Saket-taneja, could you please provide a couple of links to those reports? We'll take a look and if needed we'll open an issue for this.
@cpholguera Hey buddy, any updates on this?
Hi @Saket-taneja, thanks for reaching out! We'll address more PRs in the upcoming year. As you might know we're in the middle of a big refactoring for the MASVS which will extend to the MSTG. We were also improving our pipelines so that we can release more often. Thanks for your patience and congratulations for making it to our list of New Contributors! 🎉
Hi @Saket-taneja, thanks a lot for your PR and sorry for the late response from our side. We had to give more priority to the MASVS refactoring process and we are still working on it.
Here are a couple of suggested changes; if you like them you can click on the button "Commit suggestion" and they'll be integrated. Thanks a lot for the PR and for your patience!
Two suggested changes on Document/0x04e-Testing-Authentication-and-Session-Management.md (both outdated and resolved).
Thanks a lot @Saket-taneja for your contribution and your patience. We're ready to go!
Thank you for submitting a Pull Request to the Mobile Security Testing Guide. Please make sure that:
If your PR is related to an issue, please end your PR text with the following line:
This PR closes #< insert number here >.