How to bypass a 2FA with a HTTP header

Yumi
Yumi
Apr 26, 2019 · 3 min read

Hi everyone and welcome back on this new write-up.

Today, I would like to talk about a vulnerability I found on some programs that allowed me to bypass their 2FA protections. On a side note, due to the fact that the programs are private, all the informations about the websites will be redacted. That’s said, let’s start !

Introduction:

As many hunters, when I start my research on a new bug bounty program, I use the application as a lambda user. This allow me to understand how the applications work and notice which features can be interesting to test. I noticed that the applications had a 2FA feature, I enabled it and I started to play with it.

For those who are not familiar with the concept of 2FA (Two-factor authentication), this can be defined by:

Two-factor authentication (2FA) is a way to add additional security to your account. The first “factor” is your usual password that is standard for any account. The second “factor” is a verification code retrieved from an app on a mobile device or computer. (Wikipedia)

Image for post
Image for post
Illustration by DoubleOctopus

In a 2FA protection, the verification code is usually an integer between 4 and 6 digits. This mean that the number of combinations for each case is:

  • 4 digits: 10⁴ → 10.000 combinations
  • 6 digits: 10⁶ → 1.000.000 combinations

In both cases, due to the low numbers of combinations, the 2FA code can be brute-forced (especially for 4 digits verification code). With those informations in mind, a 2FA should absolutely have a strong rate limit to not be easily bypassable.

In the case of the applications I tested, they had a rate limit in place to avoid any kind of brute-force attack against the Two-factor authentication feature.

The bypass:

To be efficient, a rate limit need to be well implemented. I started to search if this limit could be bypassed. My first thought was to search on which value the rate limit was based. I tested the following parameters:

  • User email address
  • Session cookies

Strangely, none of this parameter had an impact on the rate limit in place. After few minutes, I remembered a report by corb3nik. He was able to bypass a rate limit on Dashlane bug bounty program with the help of the X-Forwarded-For HTTP header.

According to MDN Web Docs:

Image for post
Image for post

I tested to bypass the rate limit a new time by adding a X-Forwarded-For header to the HTTP request and I was surprised by the fact that the applications accepted my request.

With this issue an attacker could brute-force the Two-factor authentication by using the X-Forwarded-For header when his request will be blocked.

Conclusion:

A rate limit is a solid way to increase the security of your web-application. Nevertheless, they need to be well implemented to be efficient. In the case of a Two-factor authentication feature, the rate limit shouldn’t be based on an information that could be manipulated by the user via the HTTP request.

I hope you enjoyed this reading !

Yumi

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store