2FA / OTP

Methods
Bruteforce
Lack of rate limiting in combination with predictable and/or short tokens

Weak 2FA Tokens
Check if:
You can re-use the same old token, or provide none at all
You can re-use any of the backup tokens
The token is not tied to the session
Set up two test accounts. Log in with the first and save its 2FA token, then log in with the second account and submit the 2FA token saved from the first account.
The token is exposed anywhere in the HTTP response
Tokens intended for testing and development, such as "0000", "1111" or "123456", are still accepted in production
2FA Simple Bypass
Business logic - If the user is first prompted to enter a password and then prompted for a verification code on a separate page, the user is effectively in a "logged in" state before the verification code has been entered. In this case, test whether you can skip directly to "logged-in only" pages after completing the first authentication step. Occasionally a website does not actually check whether the second step was completed before loading the page.

Flawed two-factor verification logic
Sometimes flawed logic in two-factor authentication means that, after a user has completed the initial login step, the website does not adequately verify that the same user is completing the second step. In the request below, the account being verified is taken from a client-controlled cookie:
POST /login-steps/second HTTP/1.1
Host: vulnerable-website.com
Cookie: account=victim-user
...
verification-code=123456
This is extremely dangerous if the attacker is then able to brute-force the verification code.
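As an added defender-side example (not code from the original page), the verifier below implements the controls whose absence the "Weak 2FA Tokens" checks and the flawed second step above depend on: the code is bound to a server-side pending-login record instead of a client-supplied account cookie, it is single-use, it expires, empty or malformed submissions are rejected, and a small attempt budget limits brute force. The class and function names are assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

OTP_LEN = 6          # digits in the one-time code
OTP_TTL = 300        # seconds a code stays valid
MAX_ATTEMPTS = 5     # guesses allowed per pending login


@dataclass
class PendingLogin:
    """Server-side state created after a correct password; never sent to the client."""
    user: str
    code: str
    issued_at: float
    attempts: int = 0


class OtpVerifier:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                      # injectable clock so expiry can be tested
        self._pending: Dict[str, PendingLogin] = {}

    def start_second_step(self, user: str) -> Tuple[str, str]:
        """After the password step: only pending_id goes in the cookie, the code goes out of band."""
        pending_id = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10 ** OTP_LEN):0{OTP_LEN}d}"
        self._pending[pending_id] = PendingLogin(user, code, self._now())
        return pending_id, code

    def verify(self, pending_id: str, submitted: str) -> Optional[str]:
        """Returns the username on success, None on any failure; the user comes from server state."""
        p = self._pending.get(pending_id)
        if p is None:
            return None                      # unknown, already used, or locked out
        if self._now() - p.issued_at > OTP_TTL:
            del self._pending[pending_id]    # expired: force a fresh login
            return None
        p.attempts += 1                      # every submission, even a blank one, counts
        if p.attempts > MAX_ATTEMPTS:
            del self._pending[pending_id]    # brute-force budget exhausted
            return None
        if len(submitted) != OTP_LEN or not submitted.isdigit():
            return None                      # rejects "", "0000" and other malformed input
        if not hmac.compare_digest(submitted, p.code):
            return None                      # constant-time comparison
        del self._pending[pending_id]        # single use: the record is consumed
        return p.user
```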
Payload - Bruteforcer

Session Manipulation

Response:
Set-Cookie: SESSID=QlZOWEY3MTIzNDcyNA==
Decoded cookie (base64):
BVNXF71234724
If the session identifier is just an encoding of a predictable value like this, a crafted session cookie can bypass the OTP step.
Rate limiting bypass
If there is a parameter responsible for enforcing the rate limit, send the request with an empty value for this parameter.


Bruteforce OTP with Turbo Intruder
wfuzz -d '{"email":"hacker@email.com", "otp":"FUZZ","password":"NewPassword1"}' -H 'Content-Type: application/json' -z file,/usr/share/wordlists/SecLists-master/Fuzzing/4-digits-0000-9999.txt -u http://crapi.apisec.ai/identity/api/auth/v2/check-otp --hc 500
Reset Password
2FA disable
In some cases, requesting a new password also automatically disables 2FA for that account, and this can happen even before a new password has been set.
Merely initiating a password reset then disables 2FA, allowing multi-factor authentication to be bypassed.
Modify Response
In account 1, go to the "Forgot Password" form and enter the email address to reset the password. An OTP (One-Time Password) is generated and sent to that email.
Enter the correct OTP and copy the response.
Now, in account 2, enter the victim's email address and click "Forgot Password". The OTP is sent to the victim's email (account 2).
Then enter a random OTP, for example 1111 (OTPs typically vary between 4 and 6 digits), and intercept the request sent to the server.
Modify the response to this request, replacing the random OTP with the correct OTP obtained in step 2.