2FA / OTP
Lack of rate limiting in combination with predictable and/or short tokens
Check if:
You can re-use the same old token or provide none at all
You can re-use any of the backup tokens
The token is not tied to the session
Set up two test accounts. Log in with the first and save its 2FA token, then log in with the second account and submit the 2FA token you saved from the first account.
The token is exposed anywhere in the HTTP response
Any tokens for testing and development purposes such as "0000", "1111" or "123456" are still accepted in production
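The checklist above describes the properties a server-side OTP check has to enforce: the code is bound to the session and account that requested it, it is single-use, it expires, failed attempts are counted server-side, and a bad format (empty, too short, a "test" value) is rejected before comparison. The following is an added illustration of such a verifier, written for this page and not taken from any project; the names (`issue_otp`, `verify_otp`, `challenges`) and the in-memory store are assumptions for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

OTP_LENGTH = 6            # fixed length: anything else is rejected before comparison
OTP_TTL_SECONDS = 300     # a code is only valid for five minutes after issue
MAX_ATTEMPTS = 5          # server-side counter; nothing the client sends resets it


@dataclass
class OtpChallenge:
    user_id: str          # the account the code was issued for
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


# Hypothetical server-side store of outstanding challenges, keyed by session id
# (constructed for this example; a real deployment would use a shared cache).
challenges: Dict[str, OtpChallenge] = {}


def issue_otp(session_id: str, user_id: str, now: Optional[float] = None) -> str:
    """Generate a random fixed-length code and bind it to both the session and the account."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_LENGTH):0{OTP_LENGTH}d}"
    challenges[session_id] = OtpChallenge(user_id=user_id, code=code, issued_at=now)
    return code  # delivered out of band (SMS/app); never echoed in the HTTP response


def verify_otp(session_id: str, user_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Return True only for the unused, unexpired code issued to this session for this account."""
    now = time.time() if now is None else now
    challenge = challenges.get(session_id)
    if challenge is None:
        return False  # no challenge for this session: an empty or stale submission cannot pass
    if challenge.consumed or challenge.user_id != user_id:
        return False  # single-use, and a code saved from another account's session is rejected
    if now - challenge.issued_at > OTP_TTL_SECONDS:
        del challenges[session_id]
        return False  # expired
    if challenge.attempts >= MAX_ATTEMPTS:
        del challenges[session_id]
        return False  # locked out: the user must request a fresh code
    challenge.attempts += 1
    if not (submitted.isdigit() and len(submitted) == OTP_LENGTH):
        return False  # no "0000" / "" style shortcuts: format is enforced first
    if not hmac.compare_digest(submitted, challenge.code):
        return False  # constant-time comparison against the issued code only
    challenge.consumed = True
    return True
```

There is deliberately no branch that accepts a fixed development value: the only code that passes is the one `issue_otp` generated for this session and account, and it passes once.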
Business logic - If the user is first prompted to enter a password, and then prompted to enter a verification code on a separate page, the user is effectively in a "logged in" state before they have entered the verification code. In this case, it is worth testing to see if you can directly skip to "logged-in only" pages after completing the first authentication step. Occasionally, you will find that a website doesn't actually check whether or not you completed the second step before loading the page.
Sometimes flawed logic in two-factor authentication means that after a user has completed the initial login step, the website doesn't adequately verify that the same user is completing the second step.
This is extremely dangerous if the attacker is then able to brute-force the verification code.
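The two logic flaws just described come from the server treating "password accepted" as "logged in", and from taking the identity for step 2 from the request rather than from the step-1 result. The sketch below is an added example for this page, not code from any real application; the names (`login_step1`, `login_step2`, `view_account`) and the constructed `USERS` table with fixed OTP values are assumptions that stand in for a real credential store and OTP generator.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample store: username -> (password, current OTP). Hypothetical;
# a real system stores password hashes and issues OTPs per challenge.
USERS = {"alice": ("alice-pw", "482913"), "bob": ("bob-pw", "771204")}


@dataclass
class Session:
    pending_user: Optional[str] = None   # passed step 1 (password) only
    user: Optional[str] = None           # passed both steps


sessions: Dict[str, Session] = {}


def login_step1(session_id: str, username: str, password: str) -> bool:
    """Password check. Success records a *pending* identity, not a logged-in one."""
    session = sessions.setdefault(session_id, Session())
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(password, record[0]):
        return False
    session.pending_user = username
    session.user = None
    return True


def login_step2(session_id: str, otp: str) -> bool:
    """OTP check. The account is whatever step 1 established in this session;
    the request carries no username, so it cannot name a different one."""
    session = sessions.get(session_id)
    if session is None or session.pending_user is None:
        return False  # step 2 is only reachable after step 1 in the same session
    username = session.pending_user
    if not hmac.compare_digest(otp, USERS[username][1]):
        return False
    session.user = username
    session.pending_user = None
    return True


def view_account(session_id: str) -> str:
    """A protected page: a half-authenticated session is treated exactly like no session."""
    session = sessions.get(session_id)
    if session is None or session.user is None:
        return "401 redirect to login"
    return f"account page for {session.user}"
```

The test the checklist suggests (jump straight to a logged-in page after step 1) fails here because `view_account` keys on `session.user`, which is only ever set by `login_step2`; and because `login_step2` reads the identity from the server-side session, completing it for a different account than the one that passed step 1 is not expressible in the request.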
Payload - Bruteforcer
Response:
Decoded Cookie:
Craft a session cookie to bypass OTP
If there is a parameter responsible for enforcing the rate limit, send the request with an empty value for this parameter
In some cases, when the user requests a new password, this functionality also automatically disables 2FA for that particular account. This can also be done even before a new password has been set.
Just initiating a new password reset action would disable 2FA, allowing us to bypass multi-factor authentication.
1. In account 1, go to the "Forgot Password" field and enter the email address to reset the password. Once done, an OTP (One-Time Password) will be generated and sent to the email.
2. Enter the correct OTP and copy the response.
3. Now, in account 2, enter the victim's email address and click "Forgot Password". The OTP will be sent to the victim's email (account 2).
4. Then enter a random OTP, for example 1111 (OTPs can vary between 4 and 6 digits).
5. Intercept the request sent to the server.
6. Modify the response of this request and replace the random OTP with the correct OTP you obtained in step 2.
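Both reset weaknesses above (2FA switched off by merely starting a reset, and a "success" response from one account's flow being replayed for another) disappear when the reset state lives on the server and is bound to the account that actually passed the OTP check. The following is an added example written for this page, not the code of any real service; `request_reset`, `verify_reset_otp`, `set_new_password`, the `ACCOUNTS` table and the two sample addresses are constructed for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    email: str
    password: str          # plaintext only for the example; store a hash in practice
    mfa_enabled: bool = True


# Constructed sample data.
ACCOUNTS: Dict[str, Account] = {
    "victim@example.com": Account("victim@example.com", "old-password"),
    "tester@example.com": Account("tester@example.com", "tester-password"),
}

reset_otps: Dict[str, str] = {}     # email -> OTP delivered out of band
reset_tokens: Dict[str, str] = {}   # opaque server-issued token -> email it was earned for


def request_reset(email: str) -> Optional[str]:
    """Start a reset. Touches nothing on the account: 2FA stays exactly as enrolled."""
    if email not in ACCOUNTS:
        return None
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    reset_otps[email] = otp
    return otp  # in a real system this is emailed, never placed in the HTTP response


def verify_reset_otp(email: str, otp: str) -> Optional[str]:
    """Server records the success and hands back an opaque token bound to *this* email.
    The client never receives a yes/no flag it could edit into a later request."""
    expected = reset_otps.get(email)
    if expected is None or not hmac.compare_digest(otp, expected):
        return None
    del reset_otps[email]   # single use
    token = secrets.token_urlsafe(32)
    reset_tokens[token] = email
    return token


def set_new_password(token: str, new_password: str) -> bool:
    """Only a token minted by verify_reset_otp changes a password, and only for its own email."""
    email = reset_tokens.pop(token, None)
    if email is None:
        return False
    ACCOUNTS[email].password = new_password
    # mfa_enabled is deliberately left alone: a password reset is not an MFA reset
    return True
```

Because `reset_tokens` maps each token to the email that passed verification, a token earned with the tester's own OTP cannot be pointed at the victim's account, and no client-side edit of a response changes what the server has recorded.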