2FA Bypass on private bug bounty program due to CSRF token misconfiguration

2 Factor Authentication Bypass

Hello Friends,

This is my first blog post on web application security. In it I will share the first of many 2FA bypasses I have found on private bug bounty programs.

I won't be disclosing the program name due to program policy, but the website belongs to a financial institution, so 2FA is crucial for them.

Let's call the program redacted.com, and assume 2FA is enabled on the account we log in to.

  • First I captured the login request, which has an authentication_token parameter passed in the body, as shown below.
  • Next I deleted the authentication_token and forwarded the login request.
  • The application returned an error response at the URL redacted.com/login.
  • Here I changed the URL to redacted.com/edit and hit enter. The application redirected me to the account settings page without a 2FA prompt, and I was able to access every single page inside the account.

The root cause was a CSRF token misconfiguration: removing the token produced an error, but the application had already issued a valid, logged-in session before the 2FA code was validated, so the session could be used directly and the 2FA step was bypassed.
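To make the pattern concrete, here is an added example (not the program's code; the user store, the form field names and the `/edit` check are assumptions) that contrasts a login handler with the ordering bug described above against one that fails closed on the CSRF token and keeps the session unauthenticated until the 2FA code verifies.

```python
import hmac

# Constructed sample state: one user with 2FA enabled. Names and the request
# shape (a dict of form fields) are assumptions, not the real application's API.
USERS = {"alice": {"password": "correct horse", "totp_secret": "S3CR3T", "mfa": True}}
VALID_CSRF = "tok-123"  # the authentication_token issued with the login form

def _password_ok(user, pw):
    return user is not None and hmac.compare_digest(user["password"], pw)

def vulnerable_login(form, session):
    """Bug pattern from the write-up: the session is authenticated as soon as the
    password checks out; the CSRF and 2FA checks only shape the response."""
    user = USERS.get(form.get("username"))
    if not _password_ok(user, form.get("password", "")):
        return "invalid credentials"
    session["user"] = form["username"]            # fully logged in already
    if form.get("authentication_token") != VALID_CSRF:
        return "error: missing token"              # but the session stays valid
    return "prompt 2fa" if user["mfa"] else "ok"

def hardened_login(form, session):
    """Fix: reject a bad CSRF token before any state change, and store only a
    pre-auth marker until the second factor is verified."""
    if not hmac.compare_digest(form.get("authentication_token", ""), VALID_CSRF):
        return "error: missing token"              # nothing written to session
    user = USERS.get(form.get("username"))
    if not _password_ok(user, form.get("password", "")):
        return "invalid credentials"
    if user["mfa"]:
        session["pending_2fa"] = form["username"]  # not an authenticated session
        return "prompt 2fa"
    session["user"] = form["username"]
    return "ok"

def complete_2fa(code, session, totp_check):
    """Second step: promote the pending marker to a real login only after the
    code verifies. totp_check is injected so the example runs offline."""
    name = session.get("pending_2fa")
    if name and totp_check(USERS[name]["totp_secret"], code):
        session.clear()                            # drop the pre-auth marker
        session["user"] = name
        return "ok"
    return "invalid code"

def can_access(path, session):
    """Authorization for account pages such as /edit: authenticated users only."""
    return path == "/login" or "user" in session
```

The decisive check is `can_access("/edit", session)` after a login attempt with the token removed: it succeeds for the vulnerable handler and fails for the hardened one.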

Hope you guys learnt something new, have a good day. 😃

Thanks!!

Sharat Kaikolamthuruthil
Bug Bounty Hunter, Security Researcher https://hackerone.com/sharp488
