During a web application VAPT engagement for a Series B fintech startup, ThreatRiX identified that the OTP verification endpoint at /api/v2/verify-otp enforced no rate limiting, no lockout mechanism and no progressive delay.
With automated requests an attacker could brute-force a 6-digit OTP (1,000,000 combinations): at 10,000 req/min the full keyspace is exhausted in 100 minutes, with the correct code reached after 50 minutes on average, and at 10,000 req/s the same search takes under 2 minutes. The attack could be pointed at any registered phone number on the platform, including payment accounts.
The finding was classified CRITICAL under CVSS v3.1 (CVSS Score: 9.3) due to the direct path to account takeover and financial fraud.
The development team implemented three controls: (1) rate limiting at 5 OTP attempts per 10-minute window per phone number, enforced at the API gateway layer; (2) progressive lockout, with a 30-minute cooldown after 10 failures; (3) a CAPTCHA challenge after 3 consecutive failures. Keying the limits on the target phone number rather than the source IP is what makes them hold: the attacker controls the source and can spread requests across many addresses, but cannot change which account is being attacked. The counters also have to survive a request for a fresh OTP, otherwise the attacker resets them simply by re-requesting a code. ThreatRiX retested all three controls within 24 hours of deployment and confirmed remediation.
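The three controls as an added reference implementation, written for this page and not the startup's or ThreatRiX's code, together with a driver that replays the brute-force described above against the endpoint with and without them. The attempt limit, lockout and CAPTCHA thresholds are the ones listed in the remediation; the 10-minute OTP lifetime, the in-memory per-phone store standing in for the gateway's shared store, the phone number, the pinned code and all function names are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Remediation policy from the case study (all times in milliseconds).
WINDOW_MS = 10 * 60_000     # (1) 5 attempts per 10-minute window per phone number
MAX_PER_WINDOW = 5
LOCK_AFTER = 10             # (2) 30-minute cooldown after 10 failures
LOCK_MS = 30 * 60_000
CAPTCHA_AFTER = 3           # (3) CAPTCHA after 3 consecutive failures
OTP_TTL_MS = 10 * 60_000    # assumed OTP lifetime; the case study does not state one


@dataclass
class PhoneState:
    otp: str = ""
    otp_expires_at: int = 0
    attempts: list = field(default_factory=list)  # attempt timestamps (ms) in the window
    consecutive_failures: int = 0
    failures: int = 0                             # failures since last lockout or success
    locked_until: int = 0


class OtpVerifier:
    """Per-phone state keyed on the target number, not the source IP the attacker
    controls. A real gateway keeps this in a shared store such as Redis (assumption)."""

    def __init__(self, clock=lambda: int(time.time() * 1000), enforce_controls=True):
        self.clock = clock
        self.enforce_controls = enforce_controls  # False reproduces the pre-fix endpoint
        self.state = {}

    def issue(self, phone):
        st = self.state.setdefault(phone, PhoneState())
        st.otp = f"{secrets.randbelow(1_000_000):06d}"
        st.otp_expires_at = self.clock() + OTP_TTL_MS
        # Counters deliberately survive re-issuance, else re-requesting a code clears a lockout.
        return st.otp  # goes to the SMS sender, never back to the API caller

    def verify(self, phone, candidate, captcha_ok=False):
        now = self.clock()
        st = self.state.setdefault(phone, PhoneState())
        if self.enforce_controls:
            if now < st.locked_until:                                # (2) lockout
                return "locked"
            if st.consecutive_failures >= CAPTCHA_AFTER and not captcha_ok:
                return "captcha_required"                            # (3) CAPTCHA gate
            st.attempts = [t for t in st.attempts if now - t < WINDOW_MS]
            if len(st.attempts) >= MAX_PER_WINDOW:                   # (1) sliding window
                return "rate_limited"
            st.attempts.append(now)
        ok = (st.otp != "" and now < st.otp_expires_at
              and hmac.compare_digest(st.otp.encode(), candidate.encode()))
        if ok:
            st.otp = ""                                              # single use
            st.consecutive_failures = st.failures = 0
            return "ok"
        st.consecutive_failures += 1
        st.failures += 1
        if st.failures >= LOCK_AFTER:      # lockout takes effect from the next attempt
            st.locked_until = now + LOCK_MS
            st.failures = 0
        return "invalid"


class FakeClock:  # simulated millisecond clock so a 100-minute attack replays in seconds
    ms = 0

    def __call__(self):
        return self.ms


def simulate_brute_force(verifier, clock, phone, budget=1_000_000, solve_captcha=True):
    """Replay the PoC: sequential 6-digit guesses at 10,000 req/min, reporting how
    many guesses the endpoint actually evaluated (sent minus those a control refused)."""
    interval_ms = 6                              # 60,000 ms / 10,000 requests
    evaluated = 0
    for i in range(budget):
        clock.ms = i * interval_ms
        result = verifier.verify(phone, f"{i:06d}", captcha_ok=solve_captcha)
        if result in ("ok", "invalid"):
            evaluated += 1
        if result == "ok":
            return {"found": True, "sent": i + 1, "evaluated": evaluated, "minutes": clock.ms / 60_000}
    return {"found": False, "sent": budget, "evaluated": evaluated, "minutes": clock.ms / 60_000}


def demo(otp="012345", phone="+15550100"):  # constructed number, pinned code
    results = {}
    for label, controls, captcha in (("unprotected", False, True),
                                     ("remediated", True, True),
                                     ("remediated_no_captcha_solver", True, False)):
        clock = FakeClock()
        v = OtpVerifier(clock=clock, enforce_controls=controls)
        v.issue(phone)
        v.state[phone].otp = otp                 # pin the code so every run is reproducible
        results[label] = simulate_brute_force(v, clock, phone, solve_captcha=captcha)
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

Against the pre-fix handler the pinned code 012345 falls after 12,346 guesses, about 1.2 simulated minutes at 10,000 req/min. With the controls on, the same 1,000,000-guess run gets only 30 guesses evaluated in 100 minutes (5 per window, two windows before each 30-minute lockout), and only 3 if the attacker cannot solve the CAPTCHA. The assumed 10-minute lifetime caps a single code at 100,000 guesses at this rate but is no control on its own, since the attacker can request a fresh code.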