nill ethical hacking, Summaries of Physical education

nill returen upload a performance declaration

Typology: Summaries

2013/2014

Available from 12/25/2025

kamalakannan-2
kamalakannan-2 🇮🇳

1 document

1 / 6

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
2FA BYPASS
Bypassing two-factor authentication
[ ] Flawed two-factor verification logic Sometimes flawed logic in two-factor authentication means that
after a user has completed the initial login step, the website doesn't adequately verify that the same user
is completing the second step For example, the user logs in with their normal credentials in the first step
as follows:
POST /login-steps/first HTTP/1.1
Host: vulnerable-website.com
...
username=carlos&password=qwerty
They are then assigned a cookie that relates to their account, before being taken to the second step of
the login process:
HTTP/1.1 200 OK
Set-Cookie: account=carlos
GET /login-steps/second HTTP/1.1
Cookie: account=carlos
When submitting the verification code, the request uses this cookie to determine which account the user
is trying to access:
POST /login-steps/second HTTP/1.1
Host: vulnerable-website.com
Cookie: account=carlos
...
verification-code=123456`
In this case, an attacker could log in using their own credentials but then change the value of the
account cookie to any arbitrary username when submitting the verification code.
POST /login-steps/second HTTP/1.1
Host: vulnerable-website.com
Cookie: account=victim-user
...
verification-code=123456
[ ] Clickjacking on 2FA Disable Feature
1. Try to Iframe the page where the application allows a user to disable 2FA
2. If Iframe is successful, try to perform a social engineering attack to manipulate victim to
[ ] Response Manipulation
1. Check Response of the 2FA Request.
2. If you Observe "Success":false
3. Change this to "Success":true and see if it bypass the 2FA
pf3
pf4
pf5

Partial preview of the text

Download nill ethical hacking and more Summaries Physical education in PDF only on Docsity!

⚠ 2FA BYPASS ⚠

Bypassing two-factor authentication

[ ] Flawed two-factor verification logic Sometimes flawed logic in two-factor authentication means that

after a user has completed the initial login step, the website doesn't adequately verify that the same user

is completing the second step For example, the user logs in with their normal credentials in the first step

as follows:

POST /login-steps/first HTTP/1. Host: vulnerable-website.com ... username=carlos&password=qwerty

They are then assigned a cookie that relates to their account, before being taken to the second step of

the login process:

HTTP/1.1 200 OK

Set-Cookie: account=carlos GET /login-steps/second HTTP/1. Cookie: account=carlos

When submitting the verification code, the request uses this cookie to determine which account the user

is trying to access:

POST /login-steps/second HTTP/1. Host: vulnerable-website.com Cookie: account=carlos ... verification-code=123456`

In this case, an attacker could log in using their own credentials but then change the value of the

account cookie to any arbitrary username when submitting the verification code.

POST /login-steps/second HTTP/1. Host: vulnerable-website.com Cookie: account=victim-user ... verification-code=

[ ] Clickjacking on 2FA Disable Feature

  1. Try to Iframe the page where the application allows a user to disable 2FA
  2. If Iframe is successful, try to perform a social engineering attack to manipulate victim to

[ ] Response Manipulation

  1. Check Response of the 2 FA Request.
  2. If you Observe "Success":false
  3. Change this to "Success":true and see if it bypass the 2 FA

[ ] Status Code Manipulation

  1. If the Response Status Code is 4 XX like 401 , 402 , etc.
  2. Change the Response Status Code to "200 OK" and see if it bypass the 2 FA

[ ] 2FA Code Reusability

  1. Request a 2 FA code and use it
  2. Now, Re-use the 2 FA code and if it is used successfully that's an issue.
  3. Also, try requesting multiple 2 FA codes and see if previously requested Codes expire or not wh
  4. Also, try to re-use the previously used code after long time duration say 1 day or more. That

[ ] CSRF on 2FA Disable Feature

  1. Request a 2 FA code and use it
  2. Now, Re-use the 2 FA code and if it is used successfully that's an issue.
  3. Also, try requesting multiple 2 FA codes and see if previously requested Codes expire or not when a new code is requested
  4. Also, try to re-use the previously used code after long time duration say 1 day or more. That will be an potential issue as 1 day is enough duration to crack and guess a 6 -digit 2 FA code

[ ] Backup Code Abuse

Apply same techniques used on 2 FA such as Response/Status Code Manipulation, Brute-force, etc. to bypass Backup Codes and disable/reset 2 FA

[ ] Enabling 2FA Doesn't Expire Previous Session

  1. Login to the application in two different browsers and enable 2 FA from 1 st session.
  2. Use 2 nd session and if it is not expired, it could be an issue if there is an insufficient session expiration issue. In this scenario if an attacker hijacks an active session before 2 FA, it is possible to carry out all functions without a need for 2 FA

[ ] 2FA Refer Check Bypass

  1. Directly Navigate to the page which comes after 2FA or any other authenticated page of the application.
  2. If there is no success, change the refer header to the 2FA page URL. This may fool application to pretend as if the request came after satisfying 2FA Condition

[ ] 2FA Code Leakage in Response

  1. At 2 FA Code Triggering Request, such as Send OTP functionality, capture the Request.
  2. See the Response of this request and analyze if the 2 FA Code is leaked.

[ ] JS File Analysis

  1. while triggering the 2 FA Code Request,
  2. Analyze all the JS Files that are referred in the Response
  1. Instead of that, try to access the next step with the victim's account flow.
  2. If the back-end only set a boolean inside your sessions saying that you have successfully pass

[ ] Password reset function

  1. In almost all web applications the **password reset function automatically logs the user into
  2. Check if a mail is sent with a link to reset the password and if you can reuse

[ ] Lack of Rate limit

Is there any limit on the number of codes that you can try, so you can just brute force it? Be ca

[ ] Flow rate limit but no rate limit

In this case, there is a flow rate limit (you have to brute force it very slowly: 1 thread and so

[ ] Re-send code and reset the limit

There is a rate limit but when you "resend the code" the same code is sent and the rate limit is

[ ] Client side rate limit bypass

{% content-ref url="rate-limit-bypass.md" %} rate-limit-bypass.md {% endcontent-ref %}

[ ] Lack of rate limit in the user's account

Sometimes you can configure the 2 FA for some actions inside your account (change mail, password..

[ ] Lack of rate limit re-sending the code via SMS

You won't be able to bypass the 2FA but you will be able to waste the company's money.

[ ] Infinite OTP regeneration

If you can generate a new OTP infinite times, the** OTP is simple enough** ( 4 numbers), and y

[ ] Guessable cookie

If the "remember me" functionality uses a new cookie with a guessable code, try to guess it.

[ ] IP address

If the "remember me" functionality is attached to your IP address, you can try to figure out the

[ ] Subdomains

If you can find some "testing" subdomains with the login functionality, they could be using old v

[ ] APIs

If you find that the 2 FA is using an API located under a /v*/ directory (like "/v3/"), this proba

[ ] Previous sessions

When the 2 FA is enabled, previous sessions created should be ended. This is because when a client

[ ] Improper access control to backup codes

Backup codes are generated immediately after 2 FA is enabled and are available on a single request

[ ] Information Disclosure

If you notice some confidential information appear on the 2 FA page that you didn't know previousl

[ ] Bypass 2FA with null or 000000

[ ] Previously created sessions continue being valid after MFA activation

1 access the same account on https://account.grammarly.com in two devices 2 on device 'A' go to https://account.grammarly.com/security > complete all steps to activate the Now the 2 FA is activated for this account 3 back to device 'B' reload the page The session still active

[ ] Enable 2FA without verifying the email I able to add 2FA to my account without verifying my email

Attack scenario : Attacker sign up with victim email (Email verification will be sent to victim email). Attacker able to login without verifying email. Attacker add 2 FA.

[ ] Password not checked when disabling 2FA

PoC 1 - go to your account and activate the 2 FA from /settings/auth 2 - after active this option click on Disabled icon beside Two-factor authentication. 3 - a new window will open asking for Authentication or backup code - Password to confirm the disa