Federico Redavid
Exploiting Race Conditions to break the OTP Authentication Mechanism in Web Applications.
Supervisors: Danilo Bazzanella, Maurizio Agazzini. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2024
PDF (Tesi_di_laurea) - Thesis. License: Creative Commons Attribution Non-commercial No Derivatives. Download (7MB)
Abstract:
In the modern age, web applications have become a critical part of everyone's life: every second they grant hundreds of millions of people access to the digital world. This relevance has required the implementation of authentication mechanisms that identify the user, for both efficiency and security. One of the most widely employed strategies in this field today is 2-Factor Authentication (2FA) and, in particular, the adoption of One-Time Passwords (OTPs). Authentication mechanisms, however, have to be developed thoroughly, because they are among the most interesting, and therefore most attacked, points on an application's attack surface. In this thesis, developed with the help of the security experts at HN Security, we test the security of OTP-based authentication mechanisms by exploiting the often neglected web application vulnerability class known as Race Conditions. Starting from the newest discoveries on the subject, we built on the AWS Cloud a distributed infrastructure that allowed us to perform advanced testing of the OTP-based procedures widely adopted by the majority of web applications today. The results of the testing phase also provided concrete proof of our approach's correctness, leading to conclusions on the state of modern web application security and to suggestions regarding the implementation of the safety measures of the future.
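The vulnerability class the abstract refers to is easiest to see on the attempt limiter that protects an OTP from brute force: if the backend reads the attempt counter, does some I/O, and only then increments it, many requests sent at the same instant all observe the counter below the limit and all get their guess evaluated. The following script is an added illustration and is not code from the thesis or from HN Security; the OTP value, the five-attempt limit, the 50-guess set and the sleep that stands in for a database round trip are all constructed for the demo. It runs the same concurrent flood against a check-then-act verifier and against one that performs the check, the increment and the comparison as a single atomic step.

```python
"""Race condition against an OTP attempt limiter (constructed demo).

RacyOtpVerifier reads the attempt counter, pauses (modelling the database
round trip between SELECT and UPDATE in a web backend), then increments it.
AtomicOtpVerifier applies the same policy but under one lock, which models
a single atomic compare-and-update such as
    UPDATE otp SET attempts = attempts + 1 WHERE id = ? AND attempts < 5
(assumption: a lock is used here so the example runs without a database).
"""
import hmac
import threading
import time

MAX_ATTEMPTS = 5   # constructed policy: reject every guess after 5 attempts
OTP_LENGTH = 6     # constructed: 6-digit numeric OTP
IO_DELAY = 0.05    # constructed: seconds between the counter read and write


class RacyOtpVerifier:
    """Check-then-act: the limit check and the increment are separate steps."""

    def __init__(self, otp: str) -> None:
        self.otp = otp
        self.attempts = 0
        self.verified = False

    def verify(self, guess: str) -> bool:
        if self.attempts >= MAX_ATTEMPTS:   # read of the counter
            return False
        time.sleep(IO_DELAY)                # window in which other requests read the same stale value
        self.attempts += 1                  # write of the counter
        if hmac.compare_digest(guess, self.otp):
            self.verified = True
            return True
        return False


class AtomicOtpVerifier:
    """Same policy, but check, increment and comparison run as one critical section."""

    def __init__(self, otp: str) -> None:
        self.otp = otp
        self.attempts = 0
        self.verified = False
        self._lock = threading.Lock()

    def verify(self, guess: str) -> bool:
        with self._lock:
            if self.attempts >= MAX_ATTEMPTS or self.verified:
                return False
            time.sleep(IO_DELAY)            # same delay: timing is not what protects this version
            self.attempts += 1
            if hmac.compare_digest(guess, self.otp):
                self.verified = True
                return True
            return False


def flood(verifier, guesses: list[str]) -> dict:
    """Submit every guess from its own thread, all released together by a barrier.

    This models many HTTP requests arriving at the OTP endpoint at the same
    instant. Returns the final attempt counter and whether any guess was accepted.
    """
    barrier = threading.Barrier(len(guesses))
    results: list[bool] = []
    results_lock = threading.Lock()

    def worker(guess: str) -> None:
        barrier.wait()                      # all requests fire at once
        ok = verifier.verify(guess)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker, args=(g,)) for g in guesses]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"attempts": verifier.attempts, "accepted": any(results)}


def demo(n_guesses: int = 50, otp: str = "000042") -> tuple[dict, dict]:
    """Run the same flood against both verifiers; the guess set contains the real OTP."""
    guesses = [str(i).zfill(OTP_LENGTH) for i in range(n_guesses)]
    racy = flood(RacyOtpVerifier(otp), guesses)
    atomic = flood(AtomicOtpVerifier(otp), list(guesses))
    return racy, atomic


if __name__ == "__main__":
    racy_result, atomic_result = demo()
    print("check-then-act:", racy_result)    # attempts far above the limit, OTP accepted
    print("atomic        :", atomic_result)  # attempts stop at MAX_ATTEMPTS
```

Run it as a script: the check-then-act verifier evaluates almost every one of the 50 guesses and accepts the OTP, while the atomic verifier processes exactly five. Which five guesses win the lock in the atomic case is scheduler-dependent, so a hardened endpoint can still be hit by a correct guess within the limit; the property the fix restores is only that the limit is enforced. In a real backend the lock corresponds to an atomic database update (or a single-use token consumed with a compare-and-swap), and the counter must be keyed to the OTP session, not to the client, so that requests spread over many source addresses, as a distributed test rig would produce, still share one limit.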
Supervisors: | Danilo Bazzanella, Maurizio Agazzini |
Academic year: | 2024/25 |
Publication type: | Electronic |
Number of pages: | 97 |
Subjects: | |
Degree programme: | Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering) |
Degree class: | New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA (Computer Engineering) |
Partner companies: | HN SECURITY S.R.L. |
URI: | http://webthesis.biblio.polito.it/id/eprint/33225 |