2FA / OTP
Business logic - If the user is first prompted to enter a password, and then prompted to enter a verification code on a separate page, the user is effectively in a "logged in" state before they have entered the verification code. In this case, it is worth testing to see if you can directly skip to "logged-in only" pages after completing the first authentication step. Occasionally, you will find that a website doesn't actually check whether or not you completed the second step before loading the page.
Sometimes flawed logic in two-factor authentication means that after a user has completed the initial login step, the website doesn't adequately verify that the same user is completing the second step. This is extremely dangerous if the attacker is then able to brute-force the verification code.
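The two flaws above come down to server-side state: the session must record which step has been completed, the second step must be bound to the user who passed the first, and protected pages must refuse any session that has not finished both. The following is an added example (not code from the original notes) of a minimal in-memory model that enforces those rules; the user store, session store, attempt limit and function names are all constructed for this illustration.

```python
# Added example: server-side two-step login that (1) only lets a fully
# authenticated session reach "logged-in only" pages, (2) derives the user
# for the second step from the session rather than from the request, and
# (3) caps verification-code attempts per half-authenticated session.
# All data below is constructed sample data, not from any real system.
import hmac
import secrets

# Constructed user store: password and the verification code expected in step 2.
USERS = {"alice": {"password": "correct horse", "otp": "482913"}}
# session_id -> {"user": str, "stage": "password_ok" | "authenticated", "otp_attempts": int}
SESSIONS = {}
MAX_OTP_ATTEMPTS = 5


def login_step1(username, password):
    """Password check. On success the session is only *half* authenticated."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "stage": "password_ok", "otp_attempts": 0}
    return sid


def login_step2(session_id, code):
    """Verification-code check, bound to the session that completed step 1.

    The username is taken from the server-side session only; a username field
    in the request would be ignored, so the code cannot be verified "as" another user.
    """
    sess = SESSIONS.get(session_id)
    if sess is None or sess["stage"] != "password_ok":
        return False
    sess["otp_attempts"] += 1
    if sess["otp_attempts"] > MAX_OTP_ATTEMPTS:
        SESSIONS.pop(session_id)  # too many guesses: discard the half-authenticated session
        return False
    expected = USERS[sess["user"]]["otp"]
    if not hmac.compare_digest(expected, code):
        return False
    sess["stage"] = "authenticated"
    return True


def protected_page(session_id):
    """Return an HTTP-style status: 200 only when BOTH steps are done, else 302 (redirect)."""
    sess = SESSIONS.get(session_id)
    if sess is None or sess["stage"] != "authenticated":
        return 302
    return 200
```

The check that matters most is in `protected_page`: it inspects the recorded stage, so completing the password step and then requesting a logged-in page directly is refused until the second step has been recorded as done. The attempt cap removes the brute-force window on the second step.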
Payload - Bruteforcer
Response:
Decoded Cookie:
Craft a session cookie to bypass OTP
In account 1, go to the "Forgot Password" field and enter the email address to reset the password. Once done, an OTP (One-Time Password) will be generated and sent to the email.
Enter the correct OTP and copy the response.
Now, in account 2, enter the victim's email address and click "Forgot Password". The OTP will be sent to the victim's email (account 2).
Then, enter a random OTP, for example 1111 (OTPs typically vary between 4 and 6 digits).
Intercept the request sent to the server.
Modify the response of this request and replace the random OTP with the correct OTP you obtained in step 2.
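Response manipulation only works when the client's view of "OTP accepted" is what drives the password change. The following added example (not code from the original notes) shows a password-reset flow where the OTP is bound to the email address that requested it, is single-use and attempt-limited, and where changing the password requires a server-issued reset token that only exists after the server itself verified the OTP. Names, stores and sample addresses are constructed for this illustration.

```python
# Added example: password-reset OTP handling in which the server, not the
# HTTP response seen by the client, decides whether the OTP was correct.
# Constructed illustration; all stores, names and addresses are hypothetical.
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600
MAX_ATTEMPTS = 5
RESET_REQUESTS = {}  # email -> {"otp": str, "expires": float, "attempts": int}
RESET_TOKENS = {}    # token -> email; created ONLY after a successful server-side OTP check


def request_reset(email):
    """Issue a fresh 6-digit OTP bound to this email. It is returned here only so the
    example can be exercised; a real system sends it to the mailbox and never to the client."""
    otp = f"{secrets.randbelow(10**6):06d}"
    RESET_REQUESTS[email] = {
        "otp": otp,
        "expires": time.time() + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return otp


def verify_reset_otp(email, submitted):
    """Return a reset token if `submitted` is the live OTP for `email`, else None.

    The OTP is looked up by the email it was issued for, so a code obtained for
    another account (the "account 1" trick) is simply the wrong code here.
    """
    req = RESET_REQUESTS.get(email)
    if req is None or time.time() > req["expires"]:
        return None
    req["attempts"] += 1
    if req["attempts"] > MAX_ATTEMPTS:
        RESET_REQUESTS.pop(email)  # lock out guessing of 4-6 digit codes
        return None
    if not hmac.compare_digest(req["otp"], submitted):
        return None
    RESET_REQUESTS.pop(email)  # single use
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = email
    return token


def set_new_password(token, new_password, users):
    """The password change is authorised by the server-side token alone, so a
    forged or replayed 'OTP accepted' response carries no authority."""
    email = RESET_TOKENS.pop(token, None)  # tokens are single use too
    if email is None:
        return False
    users[email] = new_password
    return True
```

Because `set_new_password` accepts only a token that `verify_reset_otp` minted after checking the server-stored OTP for that exact email, the client-side response body is irrelevant to the outcome; this is the property to verify when testing a reset flow.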