
OTP Flooding Attack on Payment Gateway

Severity: CRITICAL
Industry: Fintech
Finding: No rate limiting on /verify-otp endpoint — 10,000 req/min brute force possible across all accounts
Method: Manual + automated penetration testing
Outcome: Direct path to account takeover on any user account. Financial fraud risk on linked payment instruments. Regulatory risk under RBI digital payment guidelines. Remediated within 48 hours — rate limiting (5 attempts per 10 minutes), account lockout after 10 failures, and CAPTCHA on repeated attempts implemented and retested.

Technical detail

During a web application VAPT (vulnerability assessment and penetration testing) engagement for a Series B fintech startup, ThreatRiX identified that the OTP verification endpoint at /api/v2/verify-otp had no rate limiting, no lockout mechanism, and no progressive delay.

By sending automated requests, an attacker could brute-force a 6-digit OTP (1,000,000 combinations) in under 2 minutes at 10,000 req/min — targeting any registered phone number on the platform, including payment accounts.

The finding was classified CRITICAL under CVSS v3.1 (CVSS Score: 9.3) due to the direct path to account takeover and financial fraud.


Remediation

The development team implemented three controls: (1) rate limiting at 5 OTP attempts per 10-minute window per phone number, enforced at the API gateway layer; (2) progressive lockout — 30-minute cooldown after 10 failures; (3) CAPTCHA challenge after 3 consecutive failures. ThreatRiX retested all three controls within 24 hours of deployment and confirmed remediation.
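As an added illustration of the three controls (not ThreatRiX's or the client's code), the following Python guard sits in front of the OTP comparison and applies the thresholds from the remediation above. It uses an in-memory store and constructed phone numbers and OTPs; a production deployment would hold the counters in a shared store such as Redis or in the API gateway's limiter.

```python
import hmac
from collections import defaultdict, deque

# Thresholds taken from the remediation described in the case study.
WINDOW_SECONDS = 10 * 60        # rate-limit window per phone number
MAX_ATTEMPTS_PER_WINDOW = 5     # attempts allowed in one window
CAPTCHA_AFTER_FAILURES = 3      # consecutive failures before CAPTCHA is demanded
LOCKOUT_AFTER_FAILURES = 10     # failures that trigger the cooldown
LOCKOUT_SECONDS = 30 * 60       # cooldown length


class OtpVerifier:
    """Per-phone-number guard around OTP verification (in-memory; assumption)."""

    def __init__(self, issued_otps):
        self.issued = dict(issued_otps)        # phone -> outstanding OTP (constructed)
        self.attempts = defaultdict(deque)     # phone -> timestamps of counted attempts
        self.failures = defaultdict(int)       # phone -> consecutive failures
        self.locked_until = {}                 # phone -> time the cooldown ends

    def verify(self, phone, otp, now, captcha_ok=False):
        # Control 2: progressive lockout, refuse while the cooldown is running.
        if now < self.locked_until.get(phone, 0):
            return "locked"
        # Control 1: sliding-window rate limit, 5 attempts per 10 minutes.
        window = self.attempts[phone]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_ATTEMPTS_PER_WINDOW:
            return "rate_limited"
        # Control 3: CAPTCHA after 3 consecutive failures.
        if self.failures[phone] >= CAPTCHA_AFTER_FAILURES and not captcha_ok:
            return "captcha_required"
        window.append(now)
        expected = self.issued.get(phone, "")
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(expected, otp):
            self.failures[phone] = 0
            self.issued.pop(phone, None)       # OTP is single-use
            return "ok"
        self.failures[phone] += 1
        if self.failures[phone] >= LOCKOUT_AFTER_FAILURES:
            self.locked_until[phone] = now + LOCKOUT_SECONDS
            self.failures[phone] = 0           # fresh count once the cooldown ends
            return "locked"
        return "invalid"
```

With these limits an unauthenticated client gets at most five counted guesses per ten minutes per number, so exhausting a 6-digit space is no longer feasible.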
