
I recently came across a web application that asks for an OTP after a successful login. Let the endpoint be https://www.example.com/otpcode

The initial test for a brute force of the OTP resulted in a 400 Bad Request. I then tested for a race condition using the authentic OTP I received.

Let the OTP be 123456. I used the Intruder tool in Burp Suite with 50 null payloads and 50 threads. The OTP was accepted 3 times after the first use, which in this case is not a good approach. Later testing with the race script that ships with the Turbo Intruder extension in Burp Suite gave me 30 successful validations for the OTP I received.

What is the security impact, regardless of the insecure design principle? Is it possible to leverage this to bypass the rate limiting while brute-forcing the OTP?

Joel Deleep
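As an added illustration (not part of the question or of any answer), here is a Python model of the two server-side verifier designs behind the behaviour described above: a check-then-invalidate verifier with a window between its two steps, beside a compare-and-consume verifier that accepts a given OTP exactly once. The store, user and OTP value are constructed sample data, and the lock stands in for an atomic conditional update in a real database.

```python
import threading
import time

# Constructed sample data: one user holding one freshly issued OTP.
USER = "alice"
ISSUED_OTP = "123456"

def naive_verify(store, lock, user, code):
    """Check, then invalidate, as two separate steps. Every request that
    reads the store inside that window sees a valid, unused OTP."""
    if store.get(user) == code:
        time.sleep(0.05)        # models the DB round trip between the two queries
        store.pop(user, None)   # the "mark as used" step runs too late
        return True
    return False

def atomic_verify(store, lock, user, code):
    """Compare-and-consume as one critical section, so exactly one request
    can win. In a real backend this is a single conditional DELETE/UPDATE
    (... WHERE user=? AND code=? AND used=0) checked via rows affected."""
    with lock:
        if store.get(user) == code:
            del store[user]
            return True
    return False

def race(verify, requests=50):
    """Send `requests` concurrent verifications of the same valid OTP,
    released together the way Turbo Intruder does; return how many were accepted."""
    store, lock = {USER: ISSUED_OTP}, threading.Lock()
    barrier = threading.Barrier(requests)
    accepted = []               # list.append is atomic under the GIL

    def worker():
        barrier.wait()          # all requests start the check at the same moment
        if verify(store, lock, USER, ISSUED_OTP):
            accepted.append(1)

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(accepted)

if __name__ == "__main__":
    print("naive accepted:", race(naive_verify))    # more than 1
    print("atomic accepted:", race(atomic_verify))  # exactly 1
```

The count from the naive verifier is what a "30 out of 50 accepted" result points at: nothing in the validation step consumes the code atomically, so the fix is in the verifier, not in the rate limiter.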

0 Answers