# 2FA
# No rate limit on 2FA code verification
1. Request a 2FA code and capture the request.
2. Replay the request 100-200 times; if no limit is enforced, that is a rate-limit issue.
3. On the 2FA code verification page, try to brute-force a valid 2FA code and see whether any attempt succeeds.
4. You can also request OTPs on one side while brute-forcing on the other; at some point the OTP will match in the middle and may give a quick result.
5. Try to bypass the rate-limit protection by changing the subdomain in the Host header.
-----------
# No rate limit on "Resend code"
1. Go to the 2FA page.
2. Click the "Resend code" button.
3. Capture this request.
4. Resend it 50 times.
Impact: you will not be able to bypass 2FA, but you will be able to waste the company's money on code deliveries.
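The server-side counterpart to the three rate-limit checks above (code verification, "Resend code", and the post-reset brute force in the next section), as an added example that is not code from this page or from any of the linked reports. It keeps all OTP state per account on the server: a bounded number of wrong guesses burns the pending code and starts a lockout, codes expire and are single-use, and resends are throttled by a cooldown and an hourly budget. The policy constants, the `send` callback and the injected clock are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Policy constants are assumptions for this example, not values from the page.
MAX_VERIFY_ATTEMPTS = 5        # wrong guesses before the pending code is discarded
CODE_TTL_SECONDS = 300         # a code is only valid for five minutes
RESEND_COOLDOWN_SECONDS = 60   # minimum gap between two "resend code" requests
MAX_RESENDS_PER_HOUR = 3       # cap on deliveries (and their cost) per user per hour


@dataclass
class PendingCode:
    code: str
    issued_at: float
    failed_attempts: int = 0


@dataclass
class OtpState:
    """Per-user state kept server-side; nothing here is sent to the client."""
    pending: Optional[PendingCode] = None
    resend_times: List[float] = field(default_factory=list)
    locked_until: float = 0.0


class OtpService:
    def __init__(self, send: Callable[[str, str], None],
                 now: Callable[[], float] = time.time) -> None:
        self._send = send    # delivery callback (SMS/e-mail gateway); a stub in the test
        self._now = now      # clock injected so expiry and lockout can be exercised
        self._users: Dict[str, OtpState] = {}

    def _state(self, user_id: str) -> OtpState:
        return self._users.setdefault(user_id, OtpState())

    def request_code(self, user_id: str) -> bool:
        """Issue a fresh code; refuse while locked out or over the resend budget."""
        st = self._state(user_id)
        now = self._now()
        if now < st.locked_until:
            return False
        st.resend_times = [t for t in st.resend_times if now - t < 3600]
        if st.resend_times and now - st.resend_times[-1] < RESEND_COOLDOWN_SECONDS:
            return False
        if len(st.resend_times) >= MAX_RESENDS_PER_HOUR:
            return False
        code = f"{secrets.randbelow(10**6):06d}"          # CSPRNG, zero-padded to six digits
        st.pending = PendingCode(code=code, issued_at=now)  # any earlier code is replaced
        st.resend_times.append(now)
        self._send(user_id, code)
        return True

    def verify(self, user_id: str, submitted: str) -> bool:
        """Check a submitted code: bounded attempts, expiry, single use."""
        st = self._state(user_id)
        now = self._now()
        if now < st.locked_until or st.pending is None:
            return False
        if now - st.pending.issued_at > CODE_TTL_SECONDS:
            st.pending = None                         # expired: a new code must be requested
            return False
        if hmac.compare_digest(st.pending.code.encode(), submitted.encode()):
            st.pending = None                         # accepted once, never again
            return True
        st.pending.failed_attempts += 1
        if st.pending.failed_attempts >= MAX_VERIFY_ATTEMPTS:
            st.pending = None                         # the code itself is burned ...
            st.locked_until = now + CODE_TTL_SECONDS  # ... and the account waits out a lockout
        return False
```

The counters are keyed on the account rather than on the client's IP address or Host header, so the Host-header trick in step 5 above and the "request on one side, guess on the other" pattern in step 4 both run into the same per-account budget.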
----------
# No rate limit after password reset
1. A user sends a password reset message to the user's registered email.
2. Open the "Password Reset" page from the message in step 1.
3. Set a new password and brute-force the two-factor authentication code.
- <https://hackerone.com/reports/1060518>
- <https://hackerone.com/reports/121696>
# Reusing a 2FA code from another account
1. Request a 2FA code from the attacker account.
2. Use this valid 2FA code in the victim's 2FA request and see whether it bypasses the 2FA protection.
# Reusing a token across accounts
1. Check whether you can obtain the token from your own account and use it to bypass 2FA on a different account.
# Direct navigation to post-2FA pages
1. Navigate directly to the page that comes after 2FA, or to any other authenticated page of the application.
2. See whether this bypasses the 2FA restriction.
3. Try changing the Referer header so that it looks as if you came from the 2FA page.
# 2FA completed in one account accepted for another (session-level flag)
1. Using the same session, start the login flow with your account and with the victim's account.
2. Bring both accounts to the 2FA step.
3. Complete 2FA with your account, but do not access the next part.
4. Instead, try to access the next step from the victim's account flow.
5. If the back-end only sets a boolean in your session saying that you passed 2FA, you will be able to bypass the victim's 2FA.
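The four checks above (code from another account, token from another account, direct navigation with a forged Referer, and the session-level boolean) all come down to one design question: does the server record *that* 2FA passed, or *which principal* passed it? The following added example (not code from the page or the linked reports) shows the boolean-flag pattern beside a hardened flow in which a code is only accepted for the account currently pending in the session, success is bound to that account, and the Referer header plays no part. The `Session` shape and the code format are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    """Server-side session; the client only holds an opaque cookie."""
    pending_user: Optional[str] = None   # password accepted, second factor outstanding
    user: Optional[str] = None           # fully authenticated principal
    passed_2fa: bool = False             # the flawed boolean flag, kept for comparison


def _new_code() -> str:
    return f"{secrets.randbelow(10**6):06d}"


class VulnerableFlow:
    """The pattern described in the checklist: 2FA success is a boolean on the
    session and is not tied to the account whose code was verified."""

    def __init__(self) -> None:
        self.codes: Dict[str, str] = {}

    def issue_code(self, user: str) -> str:
        self.codes[user] = _new_code()
        return self.codes[user]

    def verify(self, session: Session, code: str) -> bool:
        if code in self.codes.values():           # any outstanding code, for any account
            session.passed_2fa = True
            return True
        return False

    def can_view(self, session: Session, requested_user: str) -> bool:
        return session.passed_2fa                 # requested_user is never compared


class HardenedFlow:
    """Completion is recorded as *which* user passed 2FA, and a code is only
    accepted for the account that is currently pending in this session."""

    def __init__(self) -> None:
        self.codes: Dict[str, str] = {}

    def password_ok(self, session: Session, user: str) -> None:
        # Starting a new flow resets any earlier progress in the same session.
        session.pending_user = user
        session.user = None

    def issue_code(self, user: str) -> str:
        self.codes[user] = _new_code()
        return self.codes[user]

    def verify(self, session: Session, code: str) -> bool:
        user = session.pending_user
        if user is None:
            return False
        expected = self.codes.get(user)           # only this account's own code counts
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        del self.codes[user]                      # single use
        session.user = user                       # bind success to the principal
        session.pending_user = None
        return True

    def can_view(self, session: Session, requested_user: str,
                 referer: Optional[str] = None) -> bool:
        # The Referer header is client-controlled and deliberately ignored;
        # only the server-side session decides who is authenticated.
        return session.user is not None and session.user == requested_user
```

Every authenticated route should go through something like `can_view`: an authorization decision that compares the principal in the session with the resource being requested, never a check that a flag is set or that a header looks right.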
# No rate limit on 2FA-protected actions inside the account
Sometimes 2FA can be configured for specific actions inside your account (changing e-mail, password, ...). Even where the login step is rate-limited, there is often no rate limit protecting these in-account actions.
# Bypassing 2FA by manipulating the login request
1. Use Burp Suite or another tool to intercept the requests.
2. Turn on and configure your MFA.
3. Log in with your email and password.
4. The MFA page appears.
5. Enter any random number.
6. When you press the "sign in securely" button, intercept the request `POST auth.target.com/v3/api/login` and in the POST body change the fields `"mode":"sms"` to `"mode":"email"` and `"secureLogin":true` to `"secureLogin":false`.
7. Send the modified request and check: you are in your account, and it was not necessary to enter the phone code.
- <https://hackerone.com/reports/665722>
# 2FA skipped on OAuth login
Site.com requests an OAuth token from Facebook > Facebook verifies the user account > Facebook sends the callback code > Site.com logs the user in without requesting the 2FA code.
- <https://hackerone.com/reports/178293>
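Both of the preceding findings are the same bug seen from two sides: the decision "does this login need a second factor, and over which channel?" was made from something the client controls (request fields in one case, the authentication route in the other). The added example below, which is not code from the page or the linked reports, contrasts a handler that trusts the `mode` and `secureLogin` fields with one that takes both answers only from the stored account record and routes an OAuth callback through the same post-password step. It also exposes a small detection hook: those fields arriving from a client at all is worth a log line. The `Account` record and the forbidden-field set are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Fields a client must never be allowed to decide. The names are the ones quoted in
# the report above; treating them as a forbidden set is an assumption for this example.
CLIENT_FORBIDDEN_FIELDS: Set[str] = {"mode", "secureLogin"}


@dataclass
class Account:
    user_id: str
    mfa_enabled: bool
    mfa_method: str     # "sms" or "email", chosen in account settings, stored server-side


def handle_login_vulnerable(account: Account, body: Dict) -> Dict:
    """The pattern behind the report: the request body decides whether MFA runs."""
    if body.get("secureLogin", True):
        return {"status": "mfa_required", "mode": body.get("mode", account.mfa_method)}
    return {"status": "logged_in", "user": account.user_id}


def tampered_fields(body: Dict) -> Set[str]:
    """Detection hook: security-relevant fields arriving from the client are a
    signal worth logging, even though the hardened handler ignores them."""
    return CLIENT_FORBIDDEN_FIELDS & set(body)


def handle_login(account: Account, body: Dict) -> Dict:
    """Hardened: the MFA requirement and delivery method come only from the
    account record; the body is consulted only for credentials (elided here)."""
    if account.mfa_enabled:
        return {"status": "mfa_required", "mode": account.mfa_method}
    return {"status": "logged_in", "user": account.user_id}


def handle_oauth_callback(account: Account, provider_verified: bool) -> Dict:
    """Social login proves control of the provider account, which is the
    password-equivalent step, so it joins the same post-password path and
    still has to satisfy the account's MFA setting."""
    if not provider_verified:
        return {"status": "denied"}
    return handle_login(account, {})
```

A request that carries `secureLogin` or `mode` when the hardened handler never reads them is either a stale client or someone probing the endpoint; feeding `tampered_fields` into the application log gives the SOC a cheap indicator without changing the authentication outcome.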
# Wrong attempts in quick succession
Enter two wrong attempts within a short time; this may lead to a bypass of the 2FA process.
- <https://hackerone.com/reports/1747978>
# Changing the 2FA method without a valid password
1. Open Burp Suite and turn on the interceptor.
2. Go to the two-factor authentication page and click the red "Disable two factor ..." button.
3. Enter any wrong password and copy all the headers.
4. In Repeater, make a POST request to <https://localizestaging.com/api/user/two-factor/set> and paste the headers.
5. Add a request body like `method=sms&phone=%2B62-hacker-phone-number`, then click Go.
6. Bypassed!
- <https://hackerone.com/reports/783258>
# Backup codes
Apply the same techniques used on 2FA (response/status code manipulation, brute force, etc.) to bypass backup codes and to disable/reset 2FA.
Backup codes are generated immediately after 2FA is enabled and are available in a single request. On each subsequent call to that request, the codes may be regenerated or remain unchanged (static codes).
If there are CORS misconfigurations, XSS vulnerabilities or other bugs that allow you to "pull" backup codes from the response of the backup-code endpoint, an attacker could steal the codes and bypass 2FA if the username and password are known.
- <https://hackerone.com/reports/113953>
- <https://hackerone.com/reports/100509>
# Disabling 2FA without identity confirmation
1. Check whether disabling 2FA requires no identity confirmation, such as a 2FA code or the password.
-------------------------------------
1. Go to your account and activate 2FA from /settings/auth.
2. After activating this option, click the Disable icon beside "Two-factor authentication".
3. A new window opens asking for an authentication or backup code and the password to confirm disabling.
4. In the first box enter a valid authentication or backup code; in the password field enter any random/wrong password and click Save.
5. The option is disabled successfully without validating the password.
- <https://hackerone.com/reports/587910>
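The three previous sections (changing the 2FA method through the `set` endpoint, the backup-code endpoint, and disabling 2FA with a valid code but a wrong password) are all failures of step-up verification on 2FA management. The added example below, which is not code from the page or the linked reports, puts every such change behind one `_step_up` check that re-proves the password *and* a current code, accepts a backup code only as a single-use substitute for the live code, stores backup codes only as salted hashes, and invalidates the old set whenever a new one is generated. The account fields, the PBKDF2 parameters and the injected `live_code_ok` checker are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# Iteration count lowered so the example runs quickly; use a far higher one in production.
PBKDF2_ROUNDS = 20_000
BACKUP_CODE_COUNT = 8


def _hash(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    twofa_enabled: bool = True
    twofa_method: str = "app"
    backup_hashes: Set[bytes] = field(default_factory=set)   # never the clear codes


class TwoFactorSettings:
    def __init__(self, account: Account, live_code_ok: Callable[[str], bool]) -> None:
        self.account = account
        self._live_code_ok = live_code_ok   # verifies a TOTP/SMS code; stubbed in the test

    def _step_up(self, password: str, code: str) -> bool:
        """Both factors must be re-proved. The password is checked first so that
        a wrong password can never consume a backup code."""
        acct = self.account
        if not hmac.compare_digest(_hash(password, acct.salt), acct.password_hash):
            return False
        return self._live_code_ok(code) or self._consume_backup(code)

    def _consume_backup(self, code: str) -> bool:
        candidate = _hash(code, self.account.salt)
        for stored in self.account.backup_hashes:
            if hmac.compare_digest(stored, candidate):
                self.account.backup_hashes.remove(stored)   # single use
                return True
        return False

    def generate_backup_codes(self, password: str, code: str) -> Optional[List[str]]:
        """Return fresh codes exactly once; the previous set is invalidated."""
        if not self._step_up(password, code):
            return None
        codes = [secrets.token_hex(4) for _ in range(BACKUP_CODE_COUNT)]
        self.account.backup_hashes = {_hash(c, self.account.salt) for c in codes}
        return codes

    def disable(self, password: str, code: str) -> bool:
        if not self._step_up(password, code):
            return False
        self.account.twofa_enabled = False
        return True

    def change_method(self, password: str, code: str, new_method: str) -> bool:
        if not self._step_up(password, code):
            return False
        self.account.twofa_method = new_method
        return True
```

Because the clear codes exist only in the return value of `generate_backup_codes`, a later request to the same endpoint cannot read them back, which removes the "pull the codes from the response" avenue described in the backup-codes section; an attacker with a stolen session still has to present the password and a factor to reach any of these methods.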
# Clickjacking on the 2FA disable page
1. Try to iframe the page where the application allows a user to disable 2FA.
2. If the iframe loads, a social-engineering attack could be used to manipulate the victim into clicking through it.
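The page-level fix for the iframe check above is to forbid framing in the response headers. The added example below (not code from the page) is a small WSGI middleware that sets `X-Frame-Options: DENY` and a `Content-Security-Policy` `frame-ancestors 'none'` directive on every response, merging the directive into any CSP the application already emits instead of overwriting it. The `demo_app` and its `/settings/auth` route are constructed stand-ins for the 2FA settings page.

```python
from typing import Callable, Dict, Iterable, List, Tuple

Headers = List[Tuple[str, str]]


def with_frame_protection(headers: Headers) -> Headers:
    """Return a copy of the response headers that forbids framing: a fixed
    X-Frame-Options and a CSP frame-ancestors directive, merged into any CSP
    the application already set rather than overwriting it."""
    out: Headers = []
    csp_seen = False
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            continue                                   # replaced below with DENY
        if lname == "content-security-policy":
            csp_seen = True
            if "frame-ancestors" not in value.lower():
                value = value.rstrip("; ") + "; frame-ancestors 'none'"
        out.append((name, value))
    out.append(("X-Frame-Options", "DENY"))
    if not csp_seen:
        out.append(("Content-Security-Policy", "frame-ancestors 'none'"))
    return out


def anti_framing_middleware(app: Callable) -> Callable:
    """WSGI wrapper that applies with_frame_protection to every response."""
    def wrapped(environ, start_response):
        def protected_start_response(status, headers, exc_info=None):
            return start_response(status, with_frame_protection(headers), exc_info)
        return app(environ, protected_start_response)
    return wrapped


def demo_app(environ, start_response) -> Iterable[bytes]:
    """Constructed stand-in for the 2FA settings page; the route is an assumption."""
    if environ.get("PATH_INFO") == "/settings/auth":
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Content-Security-Policy", "default-src 'self'")])
        return [b"<form>disable two-factor authentication</form>"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def response_headers(app: Callable, path: str) -> Dict[str, str]:
    """Call a WSGI app offline and collect its response headers."""
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured
```

Applying the headers to every response rather than only to the 2FA pages is the safer default: a route added later is protected without anyone remembering to opt it in, and `response_headers` doubles as a quick regression check that the headers survive the application's own CSP.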