2FA bypass through response manipulation
Two-Factor Authentication (2FA) serves as a robust shield against unauthorized access. However, during a recent engagement in an RVDP, I found a critical vulnerability that allows an attacker to bypass 2FA using response manipulation.
Below are the steps that led to the 2FA bypass:
1. I logged in as a normal user and enabled 2FA for that account.
2. Next, I logged out and logged in again with the login credentials.
3. Then I entered the wrong OTP and captured the response to that request, as shown below.
[Image: Wrong OTP Response]
4. The response had 401 Unauthorized, and the body had the wrong-OTP message.
5. I manipulated the response code to 200 OK and replaced the body with the content of a valid-OTP response.
[Image: Manipulated Response]
6. That's it; with this I was able to bypass the 2FA of that account.
And to confirm that it had really bypassed the 2FA, after logging in I disabled the 2FA, logged out and then logged in again, and this time it didn't ask for a 2FA code to be entered.
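The bypass above works only because the application let the front-end decide, from the OTP response, whether the user had passed 2FA; the server itself never recorded that the OTP step succeeded. The following simulation is an added example, not the tested application's code: the user record, the fixed OTP value (a stand-in for a TOTP/SMS code) and all function names are constructed. It runs the write-up's flow twice, once against a server that keeps the 2FA verdict in its own session state and once against one that does not, and shows that rewriting the 401 to 200 OK only matters in the second case.

```python
"""Simulation of the 2FA flow and the response-manipulation bypass (added example).
Not the tested application's code; all data and names here are constructed."""
import hmac
import secrets

USERS: dict = {}
SESSIONS: dict = {}  # session id -> {"user": ..., "mfa_verified": bool}


def reset():
    """Rebuild the constructed sample state. The OTP is a fixed stand-in for TOTP."""
    USERS.clear()
    SESSIONS.clear()
    USERS["alice"] = {"password": "correct horse battery",
                      "mfa_enabled": True, "current_otp": "482913"}


def login_password(username: str, password: str):
    """Password step. Returns (status, body, session_id)."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return 401, {"error": "bad credentials"}, None
    sid = secrets.token_urlsafe(16)
    # With 2FA enabled the session starts unverified; only verify_otp() may flip it.
    SESSIONS[sid] = {"user": username, "mfa_verified": not user["mfa_enabled"]}
    return 200, {"next": "otp" if user["mfa_enabled"] else "done"}, sid


def verify_otp(sid: str, otp: str):
    """OTP step. The verdict is stored server-side, not only sent to the client."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, {"error": "no session"}
    if hmac.compare_digest(USERS[sess["user"]]["current_otp"], otp):
        sess["mfa_verified"] = True
        return 200, {"status": "ok"}
    return 401, {"error": "wrong OTP"}


def disable_2fa(sid: str, server_checks_mfa: bool):
    """Sensitive action (the write-up's confirmation step). With
    server_checks_mfa=False it models the flawed app: the OTP gate exists only
    in the front-end, so a password-only session is accepted."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, {"error": "no session"}
    if server_checks_mfa and not sess["mfa_verified"]:
        return 401, {"error": "2FA not completed"}
    USERS[sess["user"]]["mfa_enabled"] = False
    return 200, {"status": "2fa disabled"}


def browser_gate(status: int, body: dict) -> bool:
    """What the front-end does with the OTP response. In the flawed app this was
    the only 2FA check, and it runs on data the client fully controls."""
    return status == 200 and body.get("status") == "ok"


def tampered_flow(server_checks_mfa: bool) -> int:
    """Wrong OTP, then the 401 response is rewritten to 200 OK before the browser
    sees it (steps 3-5 above). Returns the status of the follow-up sensitive action."""
    reset()
    _, _, sid = login_password("alice", "correct horse battery")
    status, body = verify_otp(sid, "000000")  # server answers 401 wrong OTP
    status, body = 200, {"status": "ok"}       # the rewritten response
    if not browser_gate(status, body):
        return 401
    status, _ = disable_2fa(sid, server_checks_mfa)
    return status


def legitimate_flow(server_checks_mfa: bool) -> int:
    """Correct OTP, untouched responses."""
    reset()
    _, _, sid = login_password("alice", "correct horse battery")
    status, body = verify_otp(sid, "482913")
    if not browser_gate(status, body):
        return 401
    status, _ = disable_2fa(sid, server_checks_mfa)
    return status


if __name__ == "__main__":
    print("flawed app, tampered response  :", tampered_flow(False))    # 200: bypass
    print("hardened app, tampered response:", tampered_flow(True))     # 401
    print("hardened app, correct OTP      :", legitimate_flow(True))   # 200
```

The fix is entirely server-side: every post-login endpoint, and above all sensitive ones such as disabling 2FA, reads `mfa_verified` from the server's own session store, which only a successful `verify_otp()` can set. The front-end may still use the response to decide what to render, but that decision no longer grants anything. A cheap detection signal in the same spirit is a request to a post-2FA endpoint from a session whose OTP step was last recorded as failed.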