Lack of rate limiting in combination with predictable and/or short tokens
Weak 2FA Tokens
Check if:
You can re-use an old token (one already consumed, or one issued to an earlier session) or omit the token parameter entirely
You can re-use a backup token after it has already been consumed
The token is not tied to the session or user that requested it
Set up two test accounts. Log in with the first and save the 2FA token it receives, then log in with the second account and submit the token saved from the first. If it is accepted, tokens are validated against a global pool rather than against the requesting session.
The token is exposed anywhere in the HTTP response (body, headers or redirect location) instead of being delivered only out of band
Tokens reserved for testing and development, such as "0000", "1111" or "123456", are still accepted in production
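The checks above, run against an in-memory model of the verification step. This is an added example, not code from the original page or from any real product: verify_weak() reproduces the findings in the checklist, verify_hardened() shows the corresponding fixes, and the user names, backup code, lockout threshold and token lifetime are all constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Added example, not the page's code: an in-memory model of a 2FA verification
# step. verify_weak() reproduces the checklist findings above; verify_hardened()
# shows the fixes. Users, codes and thresholds are constructed for illustration.

TEST_TOKENS = {"0000", "1111", "123456"}   # dev/test codes that must not work in production
MAX_ATTEMPTS = 5                           # per-session lockout threshold (hardened verifier)
OTP_TTL = 300                              # seconds a code stays valid

# Weak design: every issued code goes into one global pool keyed by the code,
# so the verifier cannot tell which session or user it was issued to.
GLOBAL_ISSUED: Dict[str, str] = {}         # code -> user


@dataclass
class Session:
    user: str
    otp: Optional[str] = None              # code issued to this session
    otp_expires: float = 0.0
    otp_used: bool = False
    attempts: int = 0
    backup_codes: Set[str] = field(default_factory=set)


def issue_otp(session: Session, now: float) -> str:
    code = f"{secrets.randbelow(10**6):06d}"
    session.otp, session.otp_expires, session.otp_used = code, now + OTP_TTL, False
    session.attempts = 0
    GLOBAL_ISSUED[code] = session.user
    return code


def verify_weak(session: Session, submitted: Optional[str]) -> bool:
    """Missing parameter skips the check, test codes are live, any code ever
    issued to anyone is accepted, nothing is burned, no attempt counter."""
    if submitted is None:                  # "provide none at all"
        return True
    if submitted in TEST_TOKENS:           # "0000", "1111", "123456"
        return True
    if submitted in GLOBAL_ISSUED:         # not tied to this session or user, never consumed
        return True
    return submitted in session.backup_codes   # backup codes never consumed either


def verify_hardened(session: Session, submitted: Optional[str], now: float) -> bool:
    """Single-use, session-bound, time-limited, rate-limited, constant-time compare."""
    if session.attempts >= MAX_ATTEMPTS:
        return False                       # locked; re-issue a code after a cooldown
    session.attempts += 1
    if not submitted:
        return False
    if (session.otp is not None and not session.otp_used and now < session.otp_expires
            and hmac.compare_digest(submitted, session.otp)):
        session.otp_used = True            # burn the code on first successful use
        return True
    if submitted in session.backup_codes:
        session.backup_codes.discard(submitted)   # each backup code works once
        return True
    return False


def _fresh(now: float):
    """Two sessions with freshly issued codes; alice also holds one backup code."""
    alice, bob = Session("alice"), Session("bob")
    alice.backup_codes.add("backup-alice")
    code_alice = issue_otp(alice, now)
    issue_otp(bob, now)
    return alice, bob, code_alice


def run_checklist() -> Dict[str, Dict[str, bool]]:
    """Runs the 'Check if' items against both verifiers. True = weakness present."""
    now = 1_700_000_000.0
    verifiers = {"weak": verify_weak,
                 "hardened": lambda s, t: verify_hardened(s, t, now)}
    results: Dict[str, Dict[str, bool]] = {}
    for name, verify in verifiers.items():
        a, _, code = _fresh(now)
        none_accepted = verify(a, None)
        a, _, code = _fresh(now)
        test_token_accepted = verify(a, "0000")
        a, b, code = _fresh(now)
        cross_session_accepted = verify(b, code)           # bob submits alice's code
        a, _, code = _fresh(now)
        token_reusable = verify(a, code) and verify(a, code)
        a, _, code = _fresh(now)
        backup_reusable = verify(a, "backup-alice") and verify(a, "backup-alice")
        a, _, code = _fresh(now)
        for i in range(MAX_ATTEMPTS):
            verify(a, f"wrong-{i}")                        # a burst of failures...
        no_rate_limit = verify(a, code)                    # ...then the correct code
        results[name] = {"none_accepted": none_accepted,
                         "test_token_accepted": test_token_accepted,
                         "cross_session_accepted": cross_session_accepted,
                         "token_reusable": token_reusable,
                         "backup_reusable": backup_reusable,
                         "no_rate_limit": no_rate_limit}
    return results
```

Calling run_checklist() returns every weakness as True for the weak verifier and False for the hardened one. The hardened version keeps the code, its expiry and the attempt counter on the session that requested it, which is what makes the cross-account test in the list fail the way it should.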
2FA Simple Bypass
Business logic - If the user is first prompted for a password and then, on a separate page, for a verification code, the user is effectively in a "logged in" state before the code has been entered. Test whether you can skip directly to "logged-in only" pages after completing only the first step: occasionally the website never checks that the second step was completed before serving the page.
Flawed two-factor verification logic
Sometimes flawed logic in two-factor authentication means that after a user has completed the initial login step, the website doesn't adequately verify that the same user is completing the second step, for example because the second step identifies the account from a request parameter (such as a username cookie or body field) instead of from the server-side session. An attacker who passes the first step with their own credentials can then change that parameter to the victim's username.
This is extremely dangerous if the attacker is also able to brute-force the verification code, because the attack then requires nothing but the victim's username.
In some cases, requesting a password reset automatically disables 2FA for that account, and it does so as soon as the reset is initiated, before any new password has been set.
Simply starting a password reset for the victim's account therefore switches off multi-factor authentication, which lets an attacker who already holds the victim's password log in with that password alone.
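The three flow-level flaws described above (skipping the second step, a second step that trusts a username parameter, and a password reset that switches 2FA off on request) in one constructed model. This is an added example, not code from the original page or from any real application; the account names, passwords and 4-digit codes are made up, and the brute force in user_swap() simply walks the 4-digit space against the in-memory check.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Added example, not the page's code: a constructed model of a two-step login
# whose second step can be skipped, does not bind step two to the user who
# passed step one, and whose password reset disables 2FA on request.
# Usernames, passwords and codes are made up for illustration.

USERS: Dict[str, Dict[str, object]] = {
    "attacker": {"password": "attacker-pw", "mfa_enabled": True, "mfa_code": "1234"},
    "victim":   {"password": "victim-pw",   "mfa_enabled": True, "mfa_code": "9876"},
}


@dataclass
class Session:
    user: Optional[str] = None      # set by step one
    mfa_passed: bool = False        # set only by a successful step two


def login_step1(session: Session, username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None or user["password"] != password:
        return False
    session.user = username
    session.mfa_passed = not user["mfa_enabled"]    # no second step if 2FA is off
    return True


def login_step2_weak(session: Session, username_param: str, code: str) -> bool:
    """Identifies the account from a request parameter (e.g. a 'verify' cookie
    or body field) instead of from the server-side session."""
    if USERS[username_param]["mfa_code"] == code:
        session.user = username_param
        session.mfa_passed = True
        return True
    return False


def login_step2_hardened(session: Session, code: str) -> bool:
    """Only the user who passed step one in this session can complete step two."""
    if session.user is None:
        return False
    if USERS[session.user]["mfa_code"] == code:
        session.mfa_passed = True
        return True
    return False


def protected_weak(session: Session) -> bool:
    """Only checks that step one happened."""
    return session.user is not None


def protected_hardened(session: Session) -> bool:
    return session.user is not None and session.mfa_passed


def request_password_reset_weak(username: str) -> None:
    """Initiating a reset switches 2FA off immediately, before a new password is set."""
    USERS[username]["mfa_enabled"] = False


def request_password_reset_hardened(username: str) -> None:
    """Only records that a reset was requested; 2FA stays on."""
    USERS[username]["reset_requested"] = True


def simple_bypass(protected) -> bool:
    """Log in with the attacker's own password, then jump straight to a protected page."""
    s = Session()
    if not login_step1(s, "attacker", "attacker-pw"):
        return False
    return protected(s)


def user_swap() -> bool:
    """Pass step one as the attacker, then complete step two as the victim by
    brute-forcing the 4-digit code; the hardened step two has no username
    parameter to swap, so only the weak variant is exercised here."""
    s = Session()
    login_step1(s, "attacker", "attacker-pw")
    for guess in range(10_000):
        if login_step2_weak(s, "victim", f"{guess:04d}"):
            break
    return s.user == "victim" and protected_hardened(s)


def reset_disables_mfa(reset) -> bool:
    """Start a reset for the victim, then log in with the victim's password
    (assumed already known to the attacker) and see whether 2FA is still asked for."""
    USERS["victim"]["mfa_enabled"] = True
    reset("victim")
    s = Session()
    login_step1(s, "victim", "victim-pw")
    return protected_hardened(s)
```

simple_bypass(protected_weak) succeeds while simple_bypass(protected_hardened) does not; user_swap() ends the session as the victim; and reset_disables_mfa() succeeds only with the weak reset handler. The hardened pieces share one property: every decision is made from state the server wrote itself during the previous step.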
Modify Response
In account 1 (an account you control), go to the "Forgot Password" form and enter its email address. An OTP (One-Time Password) is generated and sent to that mailbox.
Enter the correct OTP, intercept the exchange in your proxy and copy the server's success response.
Now start a "Forgot Password" flow for account 2 (the victim) by entering the victim's email address. The OTP goes to the victim's mailbox, which you cannot read.
Enter a random OTP, for example 1111 (OTPs are typically 4 to 6 digits long).
Intercept the request sent to the server and its response.
Replace the server's error response with the success response copied from account 1 and forward it. If the application decides the next step from that response (or from client-side state derived from it) rather than from verification state held on the server, the reset continues for the victim's account.
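The procedure above, played out against a constructed model of the reset flow. This is an added example, not code from the original page or from any real product: the "client" behaves like a browser-side app that records what it was told, the proxy argument stands in for the intercepting proxy that swaps the error response for the captured success response, and the session ids, email addresses, OTPs and JSON shape are all made up.

```python
import json
from typing import Callable, Dict, Optional

# Added example, not the page's code: a constructed model of the password-reset
# OTP step. The client acts on the JSON it receives; an intercepting proxy
# replays the success response captured for the attacker's own account.
# Session ids, addresses, codes and JSON fields are made up for illustration.

SESSIONS: Dict[str, Dict[str, object]] = {}   # server-side session store: sid -> state


def start_reset(sid: str, email: str, otp: str) -> None:
    """Server: begins a reset and records the OTP it emailed to the account."""
    SESSIONS[sid] = {"email": email, "otp": otp, "otp_verified": False}


def server_verify_otp(sid: str, submitted: str) -> str:
    """Server: checks the OTP, records the outcome server-side, returns JSON."""
    state = SESSIONS[sid]
    ok = submitted == state["otp"]
    if ok:
        state["otp_verified"] = True
    return json.dumps({"status": "success" if ok else "error",
                       "message": "OTP accepted" if ok else "Invalid OTP"})


def client_submit_otp(sid: str, submitted: str, cookies: Dict[str, str],
                      proxy: Optional[Callable[[str], str]] = None) -> str:
    """Client: submits the OTP, optionally through an intercepting proxy, and
    records the outcome it was told in a client-side cookie."""
    raw = server_verify_otp(sid, submitted)
    if proxy is not None:
        raw = proxy(raw)                     # response rewritten in transit
    body = json.loads(raw)
    if body["status"] == "success":
        cookies["otp_verified"] = "1"        # the client's belief about the outcome
    return raw


def set_new_password_weak(sid: str, cookies: Dict[str, str], new_pw: str) -> bool:
    """Trusts the client-side flag, i.e. whatever the proxy made the client believe."""
    if cookies.get("otp_verified") == "1":
        SESSIONS[sid]["password"] = new_pw
        return True
    return False


def set_new_password_hardened(sid: str, cookies: Dict[str, str], new_pw: str) -> bool:
    """Trusts only what the server itself recorded at verification time."""
    if SESSIONS[sid].get("otp_verified") is True:
        SESSIONS[sid]["password"] = new_pw
        return True
    return False


def run_attack(set_new_password) -> bool:
    """Steps from the page: capture a success response on account 1, replay it
    on account 2, then see whether the next step accepts the tampered outcome."""
    # Account 1: the attacker's own account; the OTP arrives in a mailbox they control.
    start_reset("sid-attacker", "attacker@example.test", "482913")
    success_response = client_submit_otp("sid-attacker", "482913", {})   # copied from the proxy

    # Account 2: the victim; the real OTP goes to a mailbox the attacker cannot read.
    start_reset("sid-victim", "victim@example.test", "730546")
    victim_cookies: Dict[str, str] = {}
    client_submit_otp("sid-victim", "1111", victim_cookies,
                      proxy=lambda _error_response: success_response)
    return set_new_password("sid-victim", victim_cookies, "attacker-chosen")
```

run_attack(set_new_password_weak) returns True because the only record of verification lives on the client; run_attack(set_new_password_hardened) returns False because the server's own session still says the victim's OTP was never verified. Even the hardened variant still needs the rate limiting from the top of this page, since a 4-digit code with no lockout is trivially guessable.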