2FA Bypass on private bug bounty program due to CSRF token misconfiguration
This is my first blog post on web application security. In it I will share the first of many 2FA bypasses that I found on private bug bounty programs.
I won't be disclosing the program name due to program policy, but the website belongs to a financial institution, so 2FA is crucial for them.
Let's call the program redacted.com, with 2FA enabled on the account we log in to.
- First I captured the login request, which has an authentication_token parameter passed in the body as shown below.
- Next, delete the authentication_token parameter and forward the login request.
- The application returns the following error response, with the URL redacted.com/login.
- Here I changed the URL to redacted.com/edit and hit enter. The application redirected me to the account settings page without a 2FA prompt, and I was able to access every single page inside the account.
The root cause was a CSRF token misconfiguration: the application issued a valid authenticated session before the 2FA code had been validated, so once the token was removed, any authenticated page could be reached directly and 2FA was bypassed entirely.
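To make the defensive lesson concrete, here is an added example (not code from the affected program or from this post) that models the flawed ordering and its fix: a session is minted right after the password check, and only the login handler ever looks at 2FA state. Route names, the session layout, the `csrf_token_present` flag and the sample code `123456` are all assumptions for the model.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Session:
    user: str
    twofa_verified: bool = False   # set only after a correct 2FA code

class AuthServer:
    """Tiny model of a login + 2FA flow (constructed for illustration).
    gate_all_routes=False reproduces the flaw described in the post: the
    session exists before 2FA and no other route checks 2FA state."""
    def __init__(self, gate_all_routes: bool, totp_code: str = "123456"):
        self.gate_all_routes = gate_all_routes
        self.totp_code = totp_code                # constructed sample code
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, password_ok: bool,
              csrf_token_present: bool) -> Tuple[Optional[str], str]:
        """Password step. Returns (session id, redirect location)."""
        if not password_ok:
            return None, "/login?error=credentials"
        # Flawed ordering: the session cookie is minted as soon as the
        # password is accepted, before the 2FA step has run at all.
        sid = f"sess-{len(self.sessions) + 1}"
        self.sessions[sid] = Session(user)
        if not csrf_token_present:
            # An error page is returned, but the session above survives.
            return sid, "/login?error=token"
        return sid, "/2fa"

    def verify_2fa(self, sid: str, code: str) -> bool:
        sess = self.sessions.get(sid)
        if sess is not None and code == self.totp_code:
            sess.twofa_verified = True
            return True
        return False

    def get(self, sid: Optional[str], path: str) -> Tuple[int, str]:
        """Authenticated route dispatch. Returns (status, location)."""
        sess = self.sessions.get(sid or "")
        if sess is None:
            return 302, "/login"
        if path in ("/login", "/2fa"):
            return 200, path
        # Fix: every authenticated route must require a completed 2FA step
        # (a stronger design issues no full session until 2FA succeeds).
        if self.gate_all_routes and not sess.twofa_verified:
            return 302, "/2fa"
        return 200, path
```

With `gate_all_routes=False`, a session whose login ended in the token error can still load `/edit`; with it enabled, the same session is sent back to `/2fa` until a correct code is supplied.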
Hope you guys learnt something new, have a good day. 😃