Bypassed the OTP verification process using “Turbo Intruder” Extension.

Sabuj Kumar Modak
2 min readMay 20, 2024


Today, in this article, we will explore methods and techniques that have been used to bypass OTP.

OTP Verification Process

Step1: I started my attack on this website let’s say

You have to know OTP length: The length of the OTP affects the number of possible combinations. For example, a 6-digit OTP has 1,000,000 possible combinations (from 000000 to 999999). Knowing the length helps the attacker understand the complexity and the number of attempts required to guess the OTP.

  • You have to know OTP validity time: OTPs are typically valid for a short period, often ranging from 30 seconds to a few minutes. Knowing the exact validity period helps the attacker time their attempts more effectively, ensuring they use the OTP within its active window.
  • You have to know wrong attempt limits: Systems often limit the number of incorrect attempts before temporarily locking the account or requiring additional verification. Knowing the number of allowed incorrect attempts (e.g., three wrong tries before lockout) helps the attacker plan their strategy to avoid detection and lockout.


Capture the Payment Request:

  • Open Burp Suite and start the proxy listener.
  • Perform the payment action on your web application. This could be filling out a payment form and submitting it.
  • Burp Suite will intercept the request. You can view this in the “Proxy” tab under the “HTTP history” section.

Send the Request to Turbo Intruder:

  • Right-click on the captured payment request in the HTTP history.
  • Select Extensions > Turbo Intruder > Send to Turbo Intruder.

Before sending the request to Turbo Intruder, you entered the incorrect OTP.

Replace otp=328129 to otp=%s:

Step3: Write python script and start attack

def queueRequests(target, wordlists):
engine = RequestEngine(endpoint=target.endpoint,

for number in range(327129,338129):
engine.queue(target.req, number)

def handleResponse(req, interesting):
if req.status != 404:

To check the status code, length, arrival time, and other parameters.

If you enjoyed it please do clap & let’s collaborate.






Sabuj Kumar Modak

Software QA Engineer | Cybersecurity Enthusiast | VAPT | CTF Player @4GUn7uk