⚠ 2FA BYPASS ⚠
Bypassing two-factor authentication
[ ] Flawed two-factor verification logic
Sometimes flawed logic in two-factor authentication means that after a user has completed the initial login step, the website doesn't adequately verify that the same user is completing the second step. For example, the user logs in with their normal credentials in the first step as follows:

    POST /login-steps/first HTTP/1.1
    Host: vulnerable-website.com
    ...
    username=carlos&password=qwerty

They are then assigned a cookie that relates to their account, before being taken to the second step of the login process:

    HTTP/1.1 200 OK
    Set-Cookie: account=carlos

    GET /login-steps/second HTTP/1.1
    Cookie: account=carlos

When submitting the verification code, the request uses this cookie to determine which account the user is trying to access:

    POST /login-steps/second HTTP/1.1
    Host: vulnerable-website.com
    Cookie: account=carlos
    ...
    verification-code=123456

In this case, an attacker could log in using their own credentials but then change the value of the account cookie to any arbitrary username when submitting the verification code:

    POST /login-steps/second HTTP/1.1
    Host: vulnerable-website.com
    Cookie: account=victim-user
    ...
    verification-code=
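The flaw above in both forms, as an added example that is not from the original page: a second-step handler that trusts the client's `account` cookie, next to a hardened one that binds the pending account to a server-side session minted only after step one succeeds. The user table, pending codes, session store and function names are constructed for this illustration.

```python
import hmac
import secrets

# Constructed sample data for this illustration (not values from the page)
USERS = {"carlos": "qwerty", "victim-user": "hunter2"}
PENDING_CODES = {"carlos": "123456", "victim-user": "654321"}


def vulnerable_second_step(cookies, verification_code):
    """Flawed pattern: the client-controlled `account` cookie decides whose code
    is checked and who gets logged in. Nothing proves that the caller completed
    step one as that account, so swapping the cookie value switches accounts."""
    account = cookies.get("account")
    if account is None:
        return None
    if hmac.compare_digest(PENDING_CODES.get(account, ""), verification_code):
        return account  # now "logged in" as whatever the cookie said
    return None


# Hardened pattern: the pending account lives server-side, keyed by an
# unguessable session id that is only created after a successful step one.
SESSIONS = {}  # session id -> {"account": str, "mfa_done": bool}


def first_step(username, password):
    """Step one: verify the password, then bind the account to a new session."""
    if not hmac.compare_digest(USERS.get(username, ""), password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"account": username, "mfa_done": False}
    return sid  # sent to the client as an HttpOnly cookie; it carries no username


def hardened_second_step(cookies, verification_code):
    """Step two: the account comes from the server-side record bound to the
    session id, never from a cookie the client can edit."""
    sess = SESSIONS.get(cookies.get("session", ""))
    if sess is None or sess["mfa_done"]:
        return None  # no completed step one, or the code was already consumed
    account = sess["account"]
    if not hmac.compare_digest(PENDING_CODES.get(account, ""), verification_code):
        return None
    sess["mfa_done"] = True  # single use: replaying the code does not log in again
    return account
```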
[ ] Clickjacking on 2FA Disable Feature
- Try to iframe the page where the application allows a user to disable 2FA.
- If the iframe is successful, try to perform a social engineering attack to manipulate the victim to
[ ] Response Manipulation
- Check the response of the 2FA request.
- If you observe "Success":false in it,
- change this to "Success":true and see if it bypasses the 2FA.
[ ] Status Code Manipulation
- If the response status code is 4XX, like 401, 402, etc.,
- change the response status code to "200 OK" and see if it bypasses the 2FA.
[ ] 2FA Code Reusability
- Request a 2FA code and use it.
- Now re-use the 2FA code; if it is accepted, that's an issue.
- Also, try requesting multiple 2FA codes and see whether previously requested codes expire when a new code is requested.
- Also, try to re-use a previously used code after a long time, say 1 day or more. That is a potential issue, as 1 day is enough time to crack or guess a 6-digit 2FA code.
[ ] CSRF on 2FA Disable Feature
[ ] Backup Code Abuse
Apply the same techniques used on 2FA, such as response/status code manipulation, brute force, etc., to bypass backup codes and disable/reset 2FA.
[ ] Enabling 2FA Doesn't Expire Previous Session
- Log in to the application in two different browsers and enable 2FA from the 1st session.
- Use the 2nd session; if it has not expired, this is an insufficient session expiration issue. In this scenario, if an attacker hijacks an active session before 2FA is enabled, it is possible to carry out all functions without needing 2FA.
[ ] 2FA Referer Check Bypass
- Directly navigate to the page which comes after 2FA, or to any other authenticated page of the application.
- If there is no success, change the Referer header to the 2FA page URL. This may fool the application into treating the request as if it came after satisfying the 2FA condition.
[ ] 2FA Code Leakage in Response
- At the 2FA code triggering request, such as the Send OTP functionality, capture the request.
- Look at the response to this request and analyze whether the 2FA code is leaked.
[ ] JS File Analysis
- While triggering the 2FA code request,
- analyze all the JS files that are referenced in the response.
- Instead of that, try to access the next step with the victim's account flow.
- If the back-end only sets a boolean inside your session saying that you have successfully pass
[ ] Password reset function
- In almost all web applications the password reset function automatically logs the user into
- Check if a mail is sent with a link to reset the password and if you can reuse
[ ] Lack of Rate limit
Is there any limit on the number of codes that you can try, so you can just brute force it? Be ca
[ ] Flow rate limit but no rate limit
In this case, there is a flow rate limit (you have to brute force it very slowly: 1 thread and so
[ ] Re-send code and reset the limit
There is a rate limit, but when you "resend the code" the same code is sent and the rate limit is
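A server-side OTP check that closes the 2FA code reusability and rate-limit items above (single use, expiry, resend replacing the old code, and an attempt budget that a resend does not reset, plus outright rejection of empty input). This is an added example, not code from the original page; the TTL, attempt budget and class name are assumptions.

```python
import hmac
import secrets

# Policy values are assumptions for this illustration, not from the page
CODE_TTL = 300      # seconds a code stays valid after it is sent
MAX_ATTEMPTS = 5    # wrong guesses allowed per login session, across resends
CODE_LEN = 6


class OtpChallenge:
    """One pending 2FA challenge per login session. Enforces: single use,
    expiry, a resend replacing the old code, and an attempt budget that a
    resend does not reset (so "resend the code" cannot restart brute forcing)."""

    def __init__(self):
        self.code = None
        self.expires = 0.0
        self.consumed = False
        self.attempts = 0  # deliberately NOT reset by issue()

    def issue(self, now):
        """Send (here: return) a fresh code; any earlier code stops working."""
        self.code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self.expires = now + CODE_TTL
        self.consumed = False
        return self.code

    def verify(self, submitted, now):
        """Return True only for the current, unexpired, never-used code."""
        # Reject missing/empty/non-numeric input before touching any state,
        # so None or "" can never be compared as equal to anything.
        if not submitted or not submitted.isdigit() or len(submitted) != CODE_LEN:
            return False
        if self.code is None or self.consumed or now > self.expires:
            return False
        if self.attempts >= MAX_ATTEMPTS:
            return False  # budget exhausted; even the right code is refused
        self.attempts += 1
        if not hmac.compare_digest(self.code, submitted):
            return False
        self.consumed = True  # a second submission of the same code fails
        return True
```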
[ ] Client side rate limit bypass
See rate-limit-bypass.md.
[ ] Lack of rate limit in the user's account
Sometimes you can configure 2FA for some actions inside your account (change mail, password..
[ ] Lack of rate limit re-sending the code via SMS
You won't be able to bypass the 2FA, but you will be able to waste the company's money.
[ ] Infinite OTP regeneration
If you can generate a new OTP an infinite number of times, the OTP is simple enough (4 numbers), and y
[ ] Guessable cookie
If the "remember me" functionality uses a new cookie with a guessable code, try to guess it.
[ ] IP address
If the "remember me" functionality is attached to your IP address, you can try to figure out the
[ ] Subdomains
If you can find some "testing" subdomains with the login functionality, they could be using old v
[ ] APIs
If you find that the 2FA is using an API located under a /v*/ directory (like "/v3/"), this proba
[ ] Previous sessions
When 2FA is enabled, previously created sessions should be ended. This is because when a client
[ ] Improper access control to backup codes
Backup codes are generated immediately after 2FA is enabled and are available on a single request
[ ] Information Disclosure
If you notice some confidential information appear on the 2FA page that you didn't know previousl
[ ] Bypass 2FA with null or 000000
[ ] Previously created sessions continue being valid after MFA activation
1. Access the same account on https://account.grammarly.com on two devices.
2. On device 'A', go to https://account.grammarly.com/security and complete all steps to activate 2FA. Now 2FA is activated for this account.
3. Back on device 'B', reload the page. The session is still active.
[ ] Enable 2FA without verifying the email
I was able to add 2FA to my account without verifying my email.
Attack scenario: the attacker signs up with the victim's email (an email verification will be sent to the victim's email). The attacker is able to log in without verifying the email. The attacker adds 2FA.
[ ] Password not checked when disabling 2FA
PoC
1. Go to your account and activate 2FA from /settings/auth.
2. After activating this option, click on the Disabled icon beside Two-factor authentication.
3. A new window will open asking for Authentication or backup code - Password to confirm the disa