Description
Try here to find the flag
Setup
Launch Burp Suite Community Edition (or your preferred MITM proxy) and its embedded browser.
Browse to the provided URL (http://titan.picoctf.net:<PORT_FROM_INSTANCE>/) through the proxy.
Solution
- Step 1: Register with dummy data. Fill out the first form with any values and submit. This leads to the OTP verification page.
Burp Suite is an industry-standard web application security testing platform made by PortSwigger. Its core feature is an intercepting proxy that sits between your browser and the target server, letting you read, pause, and modify every HTTP/HTTPS request and response in real time.
When you use Burp's embedded Chromium browser, all traffic is automatically routed through the proxy without any certificate trust issues. This is the fastest way to get started, since configuring an external browser to trust Burp's self-signed CA can take extra steps.
In real-world penetration testing, the registration step is always done first so you have a valid session to work with. Even throwaway credentials give the server enough state to present the next attack surface - in this case, the OTP form.
- Step 2: Intercept the OTP submission. Turn Intercept ON in Burp, enter any OTP, and submit. In the captured request, locate the otp= parameter and remove its value so it reads simply otp=.
(Intercepted request body) ...&otp=&...
One-Time Passwords (OTPs) are typically generated server-side and then validated against what the user submits. A common implementation flaw is failing to handle the case where the submitted value is empty - the server compares an empty string against the expected OTP and, if poorly coded, may evaluate the check as truthy or skip validation entirely.
This is called an OTP bypass and is a well-documented class of authentication vulnerability. Related bugs include accepting any OTP value, not expiring OTPs after use, or not rate-limiting brute-force attempts.
- Intercept mode in Burp pauses each request, allowing you to edit the raw body or headers before forwarding.
- The otp= parameter appears in the POST body in application/x-www-form-urlencoded format.
- Clearing the value tests whether the server validates that a non-empty OTP was actually provided.
- Step 3: Forward the tampered request. Forward the modified request to the server. Because the OTP is blank, the response contains the flag immediately.
Forwarding in Burp sends the (now modified) HTTP request to the actual server and lets you see the real response. When authentication logic is missing an empty-value check, the server returns whatever is normally shown after successful verification - in this challenge, the flag.
This attack demonstrates why server-side validation is essential. Client-side checks (JavaScript that prevents form submission with an empty field) are trivially bypassed by any proxy tool. The server must independently verify that the OTP field is present, non-empty, and matches the expected value.
In production systems, robust OTP implementations use time-based algorithms (TOTP, RFC 6238) and enforce server-side expiration and attempt limits, making this type of bypass impossible.
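To make the empty-value flaw from Step 2 and the server-side fix concrete, here is an added example (not the challenge's own code) that parses a constructed form body like the tampered `...&otp=&...` request and runs it through a flawed OTP check beside a hardened one. The function names, the sample body and the `expected` code are all assumptions for illustration.

```python
import hmac
from urllib.parse import parse_qs


def parse_form_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded POST body into a dict.

    keep_blank_values=True matters here: without it, 'otp=' vanishes from the
    result and the handler cannot distinguish "present but empty" from "absent".
    """
    parsed = parse_qs(body, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def verify_otp_flawed(form: dict, expected: str) -> bool:
    """Flawed check (hypothetical): it only compares when a value was supplied,
    so a tampered 'otp=' (empty string) skips the comparison and is accepted."""
    otp = form.get("otp", "")
    if otp and otp != expected:
        return False
    return True  # empty otp falls through to success: the bypass


def verify_otp_hardened(form: dict, expected: str,
                        attempts_left: int, expired: bool) -> bool:
    """Hardened check: require the field, require it non-empty, refuse expired
    or exhausted codes, and compare in constant time to avoid timing leaks."""
    otp = form.get("otp")
    if otp is None or otp == "":
        return False
    if expired or attempts_left <= 0:
        return False
    return hmac.compare_digest(otp.encode(), expected.encode())


# Constructed sample bodies, modelled on the intercepted request in Step 2.
TAMPERED_BODY = "username=test&otp=&submit=Verify"
VALID_BODY = "username=test&otp=482913&submit=Verify"
EXPECTED_OTP = "482913"  # assumed server-side value

if __name__ == "__main__":
    tampered = parse_form_body(TAMPERED_BODY)
    print("flawed accepts empty otp:", verify_otp_flawed(tampered, EXPECTED_OTP))
    print("hardened accepts empty otp:",
          verify_otp_hardened(tampered, EXPECTED_OTP, attempts_left=3, expired=False))
```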
Flag
picoCTF{#0TP_Bypvss_SuCc3$S_3e3d...}
Tampering with the OTP parameter yields the flag immediately.