2FA Bypass Techniques — Only Checklists

Hello all, I’m Surendiran and it’s my 1st write-up.

I have made this write-up very simple, it will be very helpful while testing. Before going into techniques, refer to the blog mentioned below for more information. I hope you love this.

Disclaimer: Techniques mentioned here are collected from the internet. All credit goes to the respective persons.

// Actually In this write-up I have only mentioned various 2FA bypass techniques. I have not explained in detail, so refer to the links below.

Reference links:

1. https://shahmeeramir.com/4-methods-to-bypass-two-factor-authentication-2b0075d9eb5f

2. https://kishanchoudhary.com/2fa/bypass.html

3. https://gauravnarwani.com/two-factor-authentication-bypass/

4. https://medium.com/@vbharad/2-fa-bypass-via-csrf-attack-8f2f6a6e3871

5. https://twitter.com/hackerscrolls/status/1256276376019230720

— — — — — — — — — — — — — — — — — — — — — — — — — —

Bypassing two-factor authentication

Saturday, December 21, 2019

7:05 PM

1. Bypassing 2fa using conventional session management

This method is about bypassing the two-factor authentication mechanism using password reset functions. In almost all web applications the password reset function automatically logs the user into the application after the reset procedure is completed

Go to Change Password > Request Password Reset Token > Use Password Reset token > Login to the web application

— — — — — — — — — — — — — — — — — — — — — — — — — —

2. Bypassing 2fa Via OAuth mechanism ( Mostly not Applicable one )

As it is observed that in this process flow there is no intervention of 2fa. An attacker can potentially abuse this mechanism and utilize an OAuth integration to log into the web application rather than using the username and password to do so (Shah, 2014).

Note:

For this bypass to work the attacker must have access to the OAuth integration account to log in on behalf of the user

Site.com requests Facebook for OAuth token > Facebook verifies user account > Facebook send callback code > Site.com logs a user in

LIMITATIONS:

Mostly it will not be accepted. There are rare cases some companies may accept it.

— — — — — — — — — — — — — — — — — — — — — — — — — —

3. Bypassing 2fa via brute force

Usually, the length of the 2fa code is 4 to 6 characters which often a number, and that makes to a possibility 151,800 which in a real-world scenario is easily brute force able using a normal computer

(NO RATE LIMITING)

— — — — — — — — — — — — — — — — — — — — — — — — — —

4. Bypassing 2fa using race conditions (RARE)

An attacker can utilize previously used or unused values of tokens to verify the device. However, this technique requires the attacker to have access to the previously generated values, which can be done via reversing the algorithm of the code generation app or intercepting a previously known code.

— — — — — — — — — — — — — — — — — — — — — — — — — —

5. Bypassing 2fa using response manipulation

Enter correct OTP -> Intercept & capture the response -> logout -> enter wrong OTP -> Intercept & change the response with successful previous response -> logged in

— — — — — — — — — — — — — — — — — — — — — — — — — —

6. Bypassing 2fa using Activation link (RARE)

Able to login with an activation link ( Activation link is vulnerable and token not expiring)

— — — — — — — — — — — — — — — — — — — — — — — — — —

7. Bypassing 2fa in password reset page

Go the password reset page with the password reset link

Want to read this story later? Save it in Journal.

No RATE LIMIT in 2FA

— — — — — — — — — — — — — — — — — — — — — — — — — —

8. Bypassing 2fa using backup code request & response (Try your logic kinds of stuff)

I quickly moved to the backup code generation part. So at the account setting page, the following sample API request is used to get back up codes.

So the above API request fired in 2nd case of session scenario (defined above) since we are logged in to account. Now, what if we fire the same API request using 1st session scenario i.e. when the user provides valid email and password but not 2FA code.

So I quickly logged out and logged in again with valid email and password. As expected bountyplease.com redirected me to the 2FA page. This time I provided the wrong OTP code and captured the request and made the following two changes in request -

1. Replace the original Destination to POST /API/totp_auth HTTP/1.1 2. Replace the original parameters to {“action”:”backup_codes”,”clusterNum”:”000",”accountId”:”test123",”email”:”test123@gmail.com”}

And in response, I got all the backup codes. Now the attacker can put these backup codes at 2FA place and get into the victim’s account.

— — — — — — — — — — — — — — — — — — — — — — — — —

9. Bypassing 2fa via CSRF attack on disable 2FA

For Discovering the bug I have tried to Disable 2FA using the CSRF file. But I have seen that there is token is generated in the CSRF POC. But when I tried this HTML file that token is never get expired. This token is used again and again to disable 2FA on another Account.

Note: Always try to Disable 2FA using CSRF Attack.

Signup for two account -> Login into attacker account & capture the disable 2FA request -> generate CSRF POC with .HTML extension -> Login into victim account and fire the request — — -> It disable 2FA which leads to 2FA Bypass.

— — — — — — — — — — — — — X— — — — — — — — — — — —

!!! I know this write-up is not a complete/effective one with all the details. Next time I will do a complete write-up for each finding.

:)

PDF link: https://github.com/surendirans7777/Write-up

Thanks,

Surendiran S

📝 Save this story in Journal.

👩‍💻 Wake up every Sunday morning to the week’s most noteworthy stories in Tech waiting in your inbox. Read the Noteworthy in Tech newsletter.