Skip to content
No description, website, or topics provided.
PHP Python
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


This repository contains the application which will give you the hackable demo environment of OTP Application. You can use your hack technique on this application. Also the scope of this application is very small right now, its just focuses on OTP hack techniques, also you may encounter some XSS scnerios and more which you can ignore them or you can exploit those for getting more view (but those are out of scope).


The stage includes simple method as well as a little difficult method. One of the stage includes IP Blocking.


  1. You have to give you Gmail Username credentials. For now you need to give your credentials 2 times, in in different satges i.e. 1 & 2. I am working on it will updates this soon.

  2. You may face some error like below (535, b'5.7.8 Username and Password not accepted. Below is the Solution.

You need to activate Less secure apps in your accounts. Below is the link which will take you on that way.

  1. I tested this application on the PHP server like below
    x:\> cd otp_vulnerable_app
    x:\otp_vulnerable_app\> php -S ip:port You need to remain open until you are testing.

  2. If somehow you are not getting the OTP you may need to debug file which you may needs a some python knowledge.

Working Environment

Python 2.7/Python 3X Can be Windows, Linux. In linux I didn't try but I am sure it will run.


If I got a good reaction on this application then I will work more on this to create more vulnerables stages with more advance features. If you want to work with me then DM me right away.


If you encounter any issues please let me know. And also if you have any suggestion regarding this application like how we can create it more advance or something else like any code related, I would really like to hear it.

And don't forget to send me a feedback.


Twitter agrawalsmart7

You can’t perform that action at this time.