2FA / OTP

Methods

2FA BypassSecurity Cipher

Session Manipulation

Response:

Set-Cookie: SESSID=QlZOWEY3MTIzNDcyNA==

Decoded Cookie:

BVNXF71234724

Craft a session cookie to bypass OTP

OTP Bypass through Session ManipulationMedium

Bruteforce OTP with Turbo Intruder

Bypassed the OTP verification process using “Turbo Intruder” Extension.Medium

Reset Password

• In account 1, go to the "Forgot Password" field and enter the email address to reset the password. Once done, an OTP (One-Time Password) will be generated and sent to the email.

• Enter the correct OTP and copy the response.

• Now, in account 2, enter the victim's email address and click "Forgot Password". The OTP will be sent to the victim's email (account 2).

• Then, enter a random OTP, for example 1111 (a random OTP, knowing that OTPs can vary between 4 and 6 digits).

• Intercept the request sent to the server.

• Modify the response of this request and replace the random OTP with the correct OTP you obtained in step 2.