hi hi,

I have a challenge for myself: to get an OTP by offline brute-force with kali & burpsuite. The objective is the instagram iOS app but with a difficulty, only my device is the one that had the session initiated from the account, and therefore access to request the OTP.

Don’t wanna know how, only if the effort can be worthy or if is a dead end

The idea would be to simulate that the request is from my device, intercept the request to try local brute-force, and send only the real request. Do you think is doable or shouldn't I even try? Insta have a good rate limitting or can you have a chance somehow?

for the token hijacking someone did me, instagram didn't take it so seriously so I don't know how they work with this validations hahahahaha

viable? thanks! (script kiddie insults allowed)