Description
Try here to find the flag
Setup
Launch Burp Suite Community Edition (or your preferred MITM proxy) and its embedded browser.
Browse to the provided URL (http://titan.picoctf.net:<PORT_FROM_INSTANCE>/) through the proxy.
Solution
Walk me through it
Step 1: Register with dummy data
Fill out the first form with any values and submit. This leads to the OTP verification page.
Learn more
Burp Suite is an industry-standard web application security testing platform made by PortSwigger. Its core feature is an intercepting proxy that sits between your browser and the target server, letting you read, pause, and modify every HTTP/HTTPS request and response in real time.
When you use Burp's embedded Chromium browser, all traffic is automatically routed through the proxy without any certificate trust issues. This is the fastest way to get started, since configuring an external browser to trust Burp's self-signed CA can take extra steps.
In real-world penetration testing, the registration step is normally done first so you have a valid session to work with. Even throwaway credentials give the server enough state to present the next attack surface - in this case, the OTP form.
Step 2: Intercept the OTP submission and mangle the field name
Turn Intercept ON in Burp's Proxy tab, enter any value in the OTP field, and submit. In the captured request body you will see otp=999 (or whatever you typed). Change the field name from otp to something like otgp so the parameter is otgp=999. The server-side code never finds the otp field, skips the check, and grants access.

```
(Intercepted request body)
...&otgp=999&...
```
Learn more
Mangling the field name is a different bypass from clearing the value. Here the server-side OTP check looks up a specific parameter name (otp). When you rename it to otgp, the lookup returns null or an empty string, and if the server code does not enforce that the field was present with a non-empty value, it skips the comparison entirely and grants access.
This is why proxy interception bypasses any client-side validation: the browser's JavaScript runs its checks before submission, but Burp captures the request after the JS has signed off, sitting between your browser and the server. You can mutate the body freely; the server only sees your modified request.
This is called an OTP bypass and is a well-documented class of authentication vulnerability. Related bugs include accepting any OTP value, not expiring OTPs after use, or not rate-limiting brute-force attempts.
- Intercept mode in Burp pauses each request so you can edit the raw body or headers before forwarding.
- The otp= parameter appears in the POST body in application/x-www-form-urlencoded format.
- Renaming the field tests whether the server validates that the specific named field was provided at all.
Step 3: Forward the tampered request
Forward the modified request to the server. Because no otp field is present in the body, the server skips the OTP check and the response contains the flag immediately.
Learn more
Forwarding in Burp sends the (now modified) HTTP request to the actual server and lets you see the real response. When the authentication logic never checks that the field was present and non-empty, the server returns whatever is normally shown after successful verification - in this challenge, the flag.
This attack demonstrates why server-side validation is essential. Client-side checks (JavaScript that prevents form submission with an empty field) are trivially bypassed by any proxy tool. The server must independently verify that the OTP field is present, non-empty, and matches the expected value.
In production systems, robust OTP implementations use time-based algorithms (TOTP, RFC 6238), enforce server-side expiration and attempt limits, and reject any request in which the code parameter is absent or empty. TOTP alone does not close a missing-parameter bug; the presence check is what makes this bypass fail, and the expiry, one-time-use and rate limits are what defeat the related replay and brute-force attacks.
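As an added example (not the challenge's code and not anything published by picoCTF), the following Python models the server side of Steps 2 and 3: a handler with the challenge's bug, the same handler fixed, and a TOTP verifier that also enforces one-time use and an attempt limit. The static expected code, the request bodies and the per-user state are constructed for this example; the TOTP secret is the RFC 6238 Appendix B test secret, so the code it produces at time 59 can be checked against the RFC's published vector.

```python
"""Toy OTP handlers: the parameter-name bypass from the challenge, and a hardened TOTP verifier."""
import hashlib
import hmac
import struct
from urllib.parse import parse_qs

# Assumptions for this example: a static code for the naive handler, and the RFC 6238
# Appendix B test secret (ASCII "12345678901234567890") for the TOTP handler.
EXPECTED_STATIC_OTP = "123456"
RFC6238_TEST_SECRET = b"12345678901234567890"

# Constructed request bodies, as Burp would show them in Intercept mode.
NORMAL_BODY = "username=alice&otp=123456"
TAMPERED_BODY = "username=alice&otgp=999"  # field name mangled: otp -> otgp


def parse_form_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into {name: first value}.

    keep_blank_values=True so that 'otp=' (present but empty) is distinguishable
    from a body that carries no otp field at all.
    """
    return {name: values[0] for name, values in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_verify(body: str) -> bool:
    """Mirrors the challenge's bug: the code is compared only if the field was found.

    A missing parameter falls through to the success path, so renaming otp to otgp
    grants access without any code ever being checked.
    """
    otp = parse_form_body(body).get("otp")
    if otp is not None and otp != EXPECTED_STATIC_OTP:
        return False
    return True


def hardened_static_verify(body: str) -> bool:
    """Fix for the bug above: require the field, require it non-empty, compare in constant time."""
    otp = parse_form_body(body).get("otp")
    if not otp:
        return False
    return hmac.compare_digest(otp.encode(), EXPECTED_STATIC_OTP.encode())


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (30 s by default)."""
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Per-user server-side state: shared secret, lockout counter, last accepted time step."""

    def __init__(self, secret: bytes, max_attempts: int = 5, skew_steps: int = 1, step: int = 30):
        self.secret = secret
        self.max_attempts = max_attempts
        self.skew_steps = skew_steps
        self.step = step
        self.failed_attempts = 0
        self.last_accepted_step = -1

    def verify_body(self, body: str, now: int) -> bool:
        otp = parse_form_body(body).get("otp")
        # 1. Presence: the check the challenge's server skipped. A renamed or empty
        #    field is a failed verification, not a pass.
        if not otp:
            return False
        # 2. Lockout: stops brute force of the 10**6 code space.
        if self.failed_attempts >= self.max_attempts:
            return False
        current = now // self.step
        for candidate in range(current - self.skew_steps, current + self.skew_steps + 1):
            # 3. One-time use: never accept a time step at or before the last accepted one.
            if candidate <= self.last_accepted_step:
                continue
            if hmac.compare_digest(otp.encode(), hotp(self.secret, candidate).encode()):
                self.last_accepted_step = candidate
                self.failed_attempts = 0
                return True
        self.failed_attempts += 1
        return False


if __name__ == "__main__":
    print("vulnerable handler, tampered body:", vulnerable_verify(TAMPERED_BODY))       # True
    print("hardened handler, tampered body  :", hardened_static_verify(TAMPERED_BODY))  # False
    verifier = TotpVerifier(RFC6238_TEST_SECRET)
    code = totp(RFC6238_TEST_SECRET, now=59)  # RFC 6238 vector at T=59 is 94287082; 6 digits: 287082
    print("TOTP verifier, valid code        :", verifier.verify_body(f"otp={code}", now=59))  # True
    print("TOTP verifier, replayed code     :", verifier.verify_body(f"otp={code}", now=59))  # False
```

The vulnerable handler is what the challenge's server behaves like: the comparison is guarded by "was the field found", so a body carrying otgp instead of otp never reaches it. The hardened versions invert the logic, treating absence and emptiness as failures first; the TOTP verifier layers the expiry window, replay protection and attempt limit on top, which is why mangling the name, resending a captured code, or guessing all fail against it.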
Flag
picoCTF{#0TP_Bypvss_SuCc3$S_3e3d...}
Tampering with the OTP parameter yields the flag immediately.