Faraoney
4 min read · Apr 14, 2024

2FA BYPASS

Bypassing two-factor authentication

Flawed two-factor verification logic

Sometimes flawed logic in two-factor authentication means that after a user has completed the initial login step, the website doesn't adequately verify that the same user is completing the second step. For example, the user logs in with their normal credentials in the first step as follows:

POST /login-steps/first HTTP/1.1
Host: medium.com/@faraoney077

username=faraoney077&password=faraone

They are then assigned a cookie that relates to their account, before being taken to the second step of the login process:

HTTP/1.1 200 OK
Set-Cookie: account=faraoney077

GET /login-steps/second HTTP/1.1
Cookie: account=faraoney077

When submitting the verification code, the request uses this cookie to determine which account the user is trying to access:

POST /login-steps/second HTTP/1.1

Host: medium.com/@faraoney077

Cookie: account=faraoney077

verification-code=077077

In this case, an attacker could log in using their own credentials but then change the value of the account cookie to any arbitrary username when submitting the verification code:

POST /login-steps/second HTTP/1.1

Host: medium.com/@faraoney077

Cookie: account=victim-user

verification-code=077077
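As an added illustration (not code from the original article), the following Python models the flawed second step beside a corrected one: the corrected handler takes the account from server-side state found by an unguessable session id rather than from an account cookie the client can edit, and every protected page re-checks that state. The user names and credentials are constructed demo values.

```python
import hmac
import secrets
from typing import Optional

# Constructed demo credentials; a real service stores salted password hashes.
USERS = {"faraoney077": "faraone", "victim-user": "victim-secret"}

# Server-side login state keyed by an unguessable session id (the cookie value):
# which account passed step one, the code issued to it, and whether step two passed.
SESSIONS: dict = {}


def first_step(username: str, password: str) -> Optional[str]:
    """Step one: check credentials and hand back an opaque session id."""
    if not hmac.compare_digest(USERS.get(username, "").encode(), password.encode()):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "code": f"{secrets.randbelow(10**6):06d}",
                     "mfa_ok": False}
    return sid


def second_step_vulnerable(account_cookie: str, code: str) -> Optional[str]:
    """The flawed logic from the article: the code only has to match some pending
    login, while the account being logged into is read from a cookie the client
    controls (account=victim-user)."""
    if not any(hmac.compare_digest(s["code"].encode(), code.encode())
               for s in SESSIONS.values()):
        return None
    return account_cookie  # believes the client's claim about who they are


def second_step(sid: str, code: str) -> Optional[str]:
    """Hardened step two: the account comes from the server-side record looked up
    by session id, the code must be the one issued to that record, and success is
    recorded on that same record so the code cannot be replayed."""
    s = SESSIONS.get(sid)
    if s is None or s["mfa_ok"]:
        return None
    if not hmac.compare_digest(s["code"].encode(), code.encode()):
        return None
    s["mfa_ok"] = True
    return s["user"]


def protected_page(sid: str) -> Optional[str]:
    """Every post-2FA route re-checks the server-side flag, so a direct request
    (or a forged Referer) with a session that only finished step one is refused."""
    s = SESSIONS.get(sid)
    if s is None or not s["mfa_ok"]:
        return None
    return f"welcome {s['user']}"
```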

Response Manipulation

1. Check the response of the 2FA request.

2. If you observe "Success":false,

3. change it to "Success":true and see if it bypasses the 2FA.

Status Code Manipulation

1. If the response status code is 4XX, such as 401, 402, etc.,

2. change the response status code to "200 OK" and see if it bypasses the 2FA.

CSRF on 2FA Disable Feature

1. Request a 2FA code and use it.

2. Now re-use the same 2FA code; if it is accepted again, that is an issue.

3. Also try requesting multiple 2FA codes and see whether previously requested codes expire when a new code is requested.

4. Also try to re-use a previously used code after a long time, say 1 day or more. That is a potential issue, since 1 day is enough time to guess a 6-digit 2FA code.

Backup Code Abuse

Apply the same techniques used on 2FA, such as response/status code manipulation, brute force, etc., to bypass backup codes and disable/reset 2FA.

2FA Referer Check Bypass

  1. Directly navigate to the page which comes after 2FA, or to any other authenticated page of the application.
  2. If there is no success, change the Referer header to the 2FA page URL. This may fool the application into treating the request as if it came after satisfying the 2FA condition.

2FA Code Leakage in Response

  1. At the 2FA code triggering request, such as the Send OTP functionality, capture the request.
  2. See the response of this request and analyze whether the 2FA code is leaked.

JS File Analysis

  1. While triggering the 2FA code request, analyze all the JS files that are referenced in the response.
  2. See if any JS file contains information that can help bypass the 2FA code.

Password Reset/Email Change — 2FA Disable

1. Assume that you are able to perform an email change or password reset for the victim user, or make the victim user do it by any means possible.

2. 2FA is disabled after the email is changed or the password is reset. This could be an issue for some organizations; however, it depends on the case.

Missing 2FA Code Integrity Validation

1. Request a 2FA code from the attacker account.

2. Use this valid 2FA code in the victim's 2FA request and see if it bypasses the 2FA protection.
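To show what the server should enforce against the code re-use checks listed earlier (replaying a code, codes that never expire, long guessing windows) and against the cross-account use described in this section, here is an added example of a per-account one-time-code store. It is not code from the article; the TTL, attempt limit and account names are assumed demo values.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code is only accepted for five minutes after issue
MAX_ATTEMPTS = 5         # wrong guesses tolerated before the code is discarded


class OtpStore:
    """One live code per account. Issuing a new code supersedes the previous one,
    a code is consumed on first successful use, and expiry plus an attempt limit
    keep a 6-digit code from being guessed over a long window."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised
        self._live = {}          # account -> {"code", "issued", "attempts"}

    def issue(self, account: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        # Overwriting the entry invalidates any earlier code for this account.
        self._live[account] = {"code": code, "issued": self._now(), "attempts": 0}
        return code

    def verify(self, account: str, code: str) -> bool:
        entry = self._live.get(account)
        if entry is None:        # no code for this account: a code issued to
            return False         # another account is never accepted here
        if self._now() - entry["issued"] > CODE_TTL_SECONDS:
            del self._live[account]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._live[account]
            return False
        if not hmac.compare_digest(entry["code"].encode(), code.encode()):
            return False
        del self._live[account]  # single use: replaying the code is refused
        return True
```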

Direct Request

1. Directly navigate to the page which comes after 2FA, or to any other authenticated page of the application.

2. See if this bypasses the 2FA restrictions.

3. Try to change the **Referer header** as if you came from the 2FA page.

Reusing token

1. Maybe you can reuse a previously used token inside the account to authenticate.

Leaked Token

1. Is the token leaked in a response from the web application?

Session permission

  1. Using the same session, start the flow with your account and with the victim's account.
  2. When reaching the 2FA point on both accounts, complete the 2FA with your account but do not access the next part.
  3. Instead, try to access the next step with the victim's account flow.
  4. If the back-end only sets a boolean inside your session saying that you have successfully pass

Enable 2FA without verifying the email

I was able to add 2FA to my account without verifying my email. Attack scenario:

1. The attacker signs up with the victim's email (an email verification will be sent to the victim's email).
2. The attacker is able to log in without verifying the email.
3. The attacker adds 2FA.

Password not checked when disabling 2FA

PoC:

1- Go to your account and activate 2FA from /settings/auth.

2- After activating this option, click on the Disable icon beside Two-factor authentication.

3- A new window will open asking for an Authentication or backup code — Password to confirm the disa

4- In the first box enter a valid Authentication or backup code, and in the password field enter a

5- The option will be disabled successfully without checking the validity of the password.

Our article ends here. Thank you for reading. For communication: https://www.linkedin.com/in/cihan-dik-134a6223a/