Abusing Two Factor Authentication

3 years ago

Pratikxor

Two-Factor Authentication (2FA) is the most common form of multi-factor authentication (MFA). … Adding a second step to prove your identity makes it harder for an attacker who already holds your password to reach your data, which sharply reduces the chance of account takeover, fraud, data loss or identity theft.

You can read more about 2FA here.

Hello Hackers & Enthusiasts, X0rby7e here. In this article I am going to write about how to abuse 2FA for critical vulnerabilities. Let's look at 2FA in more detail and at how to bypass it.

Methods that I cover, and that I use to test whenever I get hold of a 2FA endpoint:

1. Lack of Rate Limits
2. Logical Flaws
3. Session Management

Lack of Rate Limits -

1.1 Lack of Rate Limit to Verify OTP -

Capture the request in Burp Suite where the web application asks for the OTP. Send it to Intruder and brute-force the OTP parameter: a 4-digit numeric code has only 10,000 possible values and a 6-digit code 1,000,000, so without a limit both fall in minutes. A valid OTP usually comes back as 200 OK, but this depends on the application; simply compare response lengths or status codes to spot the one response that differs. If the application never blocks or slows you down after many wrong codes, the second factor can be brute-forced.

1.2 No Rate Limit to Send OTP -

Capture the request in Burp Suite where the web application sends the OTP to the user. Repeat the same request 100 to 200 times via Intruder and check whether the application sends an OTP for every request. Impact: if the target organisation pays per SMS, every request costs them money, and the victim's phone is flooded with messages. Note that this is a resource-abuse issue, not an authentication bypass, and report it at that severity.

1.3 Bypass Rate Limit Based on a Cookie, IP or Session -

If a rate limit exists, observe the request and work out what the limit is keyed on. A limit tied to a cookie or session can often be reset by dropping the cookie or starting a new session; a limit tied to the source IP can be defeated by rotating addresses. IP Rotate is a Burp Suite extension that is useful for this: it routes each request through AWS API Gateway so that it arrives from a different IP. A limit keyed on the account (or on the OTP token) being verified, rather than on the client, is the only one that actually stops brute force.
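The three checks above come down to one question: what is the verify counter keyed on, and is there a counter at all? The following simulation is an added example, not code from the article or from any real application. It models a 2FA verify endpoint in memory with a 4-digit OTP, runs the Intruder-style brute force from 1.1 against it with and without a per-account limit, and replays the 200 resend requests from 1.2 against a per-account cooldown; the `OtpVerifier`, `brute_force` and `demo` names, the limit of 5 attempts and the 30-second cooldown are all assumptions chosen for the demonstration.

```python
"""Why an unthrottled OTP check falls to brute force (1.1), what an OTP-resend
flood costs (1.2), and where a rate limit has to be keyed to survive IP
rotation (1.3). Constructed simulation; it talks to no real service."""
import hmac
import secrets
import time


class OtpVerifier:
    """In-memory stand-in for the server side of a 2FA verify endpoint.

    max_attempts=None reproduces the finding in 1.1 (no limit at all); a
    finite value locks the current OTP after that many wrong guesses. The
    counters are keyed on the account, never on the client IP or cookie, so
    rotating addresses (1.3) does not reset them.
    """

    def __init__(self, max_attempts=None, resend_cooldown=30.0,
                 rng=secrets.randbelow, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.resend_cooldown = resend_cooldown
        self.rng = rng              # injectable so a run can be made deterministic
        self.clock = clock
        self.codes = {}             # user -> current 4-digit OTP
        self.failures = {}          # user -> wrong guesses against that OTP
        self.last_sent = {}         # user -> time the last OTP was sent
        self.sms_sent = 0           # every increment is one paid SMS (1.2)

    def send_otp(self, user):
        """Issue and 'send' a new OTP. False when the per-account cooldown blocks it."""
        now = self.clock()
        last = self.last_sent.get(user)
        if last is not None and now - last < self.resend_cooldown:
            return False
        self.codes[user] = f"{self.rng(10_000):04d}"
        self.failures[user] = 0
        self.last_sent[user] = now
        self.sms_sent += 1
        return True

    def verify(self, user, guess):
        """Returns 'ok', 'wrong', 'locked' or 'no_otp'."""
        if user not in self.codes:
            return "no_otp"
        if self.max_attempts is not None and self.failures[user] >= self.max_attempts:
            return "locked"
        if hmac.compare_digest(self.codes[user], guess):
            del self.codes[user]    # single use
            return "ok"
        self.failures[user] += 1
        return "wrong"


def brute_force(verifier, user, digits=4):
    """What Intruder does in 1.1: walk the whole keyspace and stop at the first
    response that differs. Returns (outcome, requests_sent)."""
    for n in range(10 ** digits):
        outcome = verifier.verify(user, f"{n:0{digits}d}")
        if outcome in ("ok", "locked"):
            return outcome, n + 1
    return "exhausted", 10 ** digits


def demo(rng=secrets.randbelow):
    """Runs the three tests and returns (unthrottled, throttled, sms_sent_under_flood)."""
    weak = OtpVerifier(max_attempts=None, rng=rng)
    weak.send_otp("victim")
    unthrottled = brute_force(weak, "victim")   # always 'ok' within 10,000 requests

    hard = OtpVerifier(max_attempts=5, rng=rng)
    hard.send_otp("victim")
    throttled = brute_force(hard, "victim")     # 'locked' on the 6th request unless the
                                                # code was among the first five guesses
    flood = OtpVerifier(max_attempts=5, rng=rng)
    for _ in range(200):                        # the 200 resend requests from 1.2
        flood.send_otp("victim")
    return unthrottled, throttled, flood.sms_sent   # the cooldown lets one SMS through


if __name__ == "__main__":
    print(demo())
```

Running it shows the asymmetry the article is driving at: the unthrottled verifier always gives up its code somewhere inside the 10,000-request sweep, while the throttled one answers "locked" from the sixth request onward no matter how many IPs the guesses arrive from, because the counter lives next to the account rather than next to the client.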

Logical Flaws-

2.1 Old OTP Is Still Valid

Each OTP is normally tied to a token (a session or transaction ID). Request a fresh OTP: the new OTP is associated with a new token, but check whether the previous OTP is still accepted. If it is, every resend widens the attacker's window instead of closing it, because several codes are live at once.

2.2 OTP Can Be Used by Another User

Request an OTP for account A and try to complete the login of account B with it. Check whether the OTP is bound to the account (and session) it was issued for, or whether any currently valid OTP is accepted for any user.

2.3 OTP Is Leaking in the Response

Capture the requests in Burp Suite and check the response to every request. Sometimes the OTP is returned in a header or in the body of the very request that triggers it. Try modifying the request so that it errors, since verbose error messages sometimes include the expected OTP. Appending .json to the end of the request path can also return a serialised object that discloses the OTP [not in all cases].

2.4 Account Lockout

Check whether the application locks the account after several wrong OTP attempts. If it does not, the OTP can be brute-forced (see 1.1). If it does, check how the lockout is keyed and whether an attacker who knows only a username can trigger it repeatedly and lock the legitimate user out.

2.5 Playing with OTP

There is an application that allowed me to log in with OTP 0000; in that case, 0000 was acting as a master key.
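Findings 2.1, 2.2, 2.3 and 2.5 are all consequences of how the server stores and looks up OTPs. The example below is added here and is not code from the article or from any real application: it puts an OTP service carrying all four flaws next to a fixed one and walks an attacker through each of them. The class names, the 4-digit codes, the 300-second lifetime and the `demo` helper are assumptions for the demonstration; the "master code" is there only to model the behaviour the author observed, not a real product's backdoor.

```python
"""Logical flaws 2.1, 2.2, 2.3 and 2.5 reproduced side by side with the fixed
version. Constructed in-memory simulation, not any real application's code."""
import hmac
import secrets
import time


class VulnerableOtpService:
    """Every behaviour in here is one of the findings from the article."""
    MASTER_CODE = "0000"  # 2.5: a debug/backdoor code that was never removed

    def __init__(self, rng=secrets.randbelow):
        self.rng = rng
        self.valid = {}  # token -> (user, code); entries are never removed

    def issue(self, user):
        token = secrets.token_hex(8)
        self.valid[token] = (user, f"{self.rng(10_000):04d}")
        return token  # 2.1: issuing a new OTP leaves the previous one valid

    def verify(self, user, token, code):
        if code == self.MASTER_CODE:
            return True, "ok"
        # 2.2: accepted if it matches *any* live OTP, whoever it was issued to
        for _issued_user, issued_code in self.valid.values():
            if issued_code == code:
                return True, "ok"
        expected = self.valid.get(token, (None, "?"))[1]
        # 2.3: the verbose error hands the expected code to the client
        return False, f"invalid code (expected {expected})"


class HardenedOtpService:
    def __init__(self, ttl=300.0, rng=secrets.randbelow, clock=time.monotonic):
        self.ttl = ttl
        self.rng = rng
        self.clock = clock
        self.current = {}  # user -> (token, code, issued_at): one live OTP per user

    def issue(self, user):
        token = secrets.token_hex(8)
        code = f"{self.rng(10_000):04d}"
        self.current[user] = (token, code, self.clock())  # replaces: old OTP dies (2.1)
        return token

    def verify(self, user, token, code):
        entry = self.current.get(user)  # keyed by account: another user's OTP is useless (2.2)
        if entry is None:
            return False, "invalid code"
        issued_token, issued_code, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            del self.current[user]
            return False, "invalid code"
        if not (hmac.compare_digest(issued_token, token) and hmac.compare_digest(issued_code, code)):
            return False, "invalid code"  # generic message: nothing for 2.3 to leak
        del self.current[user]  # single use
        return True, "ok"


def demo(rng=secrets.randbelow):
    """Tries each attack against both services; returns {finding: attack_succeeded}."""
    r = {}
    vuln = VulnerableOtpService(rng)
    t1 = vuln.issue("victim")
    _, msg = vuln.verify("victim", t1, "xxxx")          # deliberately wrong guess ...
    leaked = msg.rsplit(" ", 1)[-1].rstrip(")")          # ... and the error says what was expected
    r["2.3 leak"] = vuln.verify("victim", t1, leaked)[0]
    vuln.issue("victim")                                 # victim asks for a fresh code
    r["2.1 old otp"] = vuln.verify("victim", t1, leaked)[0]
    ta = vuln.issue("attacker")
    own_code = vuln.valid[ta][1]                         # attacker's own code, legitimately received
    r["2.2 cross user"] = vuln.verify("victim", t1, own_code)[0]
    r["2.5 master"] = vuln.verify("victim", t1, "0000")[0]

    hard = HardenedOtpService(rng=rng)
    h1 = hard.issue("victim")
    code1 = hard.current["victim"][1]                    # what the victim's phone received
    r["hardened leak"] = hard.verify("victim", h1, "xxxx")[1] == "invalid code"
    hard.issue("victim")                                 # rotation: h1/code1 are gone
    r["hardened old otp"] = hard.verify("victim", h1, code1)[0]
    hard.issue("attacker")
    attacker_code = hard.current["attacker"][1]
    victim_token = hard.current["victim"][0]
    r["hardened cross user"] = hard.verify("victim", victim_token, attacker_code)[0]
    r["hardened master"] = hard.verify("victim", victim_token, "0000")[0]
    return r


if __name__ == "__main__":
    for finding, worked in demo().items():
        print(f"{finding}: {'attack works' if worked else 'blocked'}")
```

The fixed service differs in three structural ways rather than in extra checks bolted on: it stores exactly one OTP per account and looks it up by account, so there is nothing for an old or foreign code to match; it compares both the token and the code, in constant time; and its only failure message is a constant string, so there is nothing a verbose-error trick can extract.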

Session Management-

3.1 Lack of Session Invalidation

Create a user and log in to the same account in two different browsers. In the first browser activate 2FA, then check whether the session in the second browser is still valid. If it is still logged in, the application does not invalidate existing sessions when 2FA is enabled, so an attacker who already holds a session keeps it after the victim turns 2FA on, without ever having passed the second factor.

3.2 Lack of 2FA on Password Change

If 2FA is enabled, the change-password functionality should itself be protected by 2FA. Check whether the password can be changed using only the existing session (or only the current password) without the second factor being asked for again.
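Both session findings are about what the server does with existing sessions at two moments: when 2FA is switched on and when the password changes. The model below is an added example, not code from the article or from any real application; it keeps sessions in memory, uses plaintext passwords and a boolean standing in for "the OTP was verified" so that the session logic stays in view, and lets the two protections be switched off to reproduce the findings. The `SessionStore` name, its constructor flags and the `demo` helper are assumptions for the demonstration; revoking other sessions on password change is a general hardening step added here, not something the article describes.

```python
"""Session handling around 2FA (3.1 and 3.2). Constructed in-memory model:
plaintext passwords and an otp_ok flag stand in for real password hashing
and OTP verification, which are not the point here."""
import hmac
import secrets


class SessionStore:
    def __init__(self, invalidate_on_2fa_enable=True, otp_required_for_password_change=True):
        # Both flags False reproduces the two findings; both True is the fixed behaviour.
        self.invalidate_on_2fa_enable = invalidate_on_2fa_enable
        self.otp_required_for_password_change = otp_required_for_password_change
        self.accounts = {}  # user -> {"password": str, "twofa": bool}
        self.sessions = {}  # session id -> user

    def register(self, user, password):
        self.accounts[user] = {"password": password, "twofa": False}

    def login(self, user, password, otp_ok=False):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        if acct["twofa"] and not otp_ok:
            return None  # the factor is enforced at login ...
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def is_valid(self, sid):
        return sid in self.sessions

    def _revoke_other_sessions(self, user, keep):
        for sid in [s for s, u in self.sessions.items() if u == user and s != keep]:
            del self.sessions[sid]

    def enable_2fa(self, sid):
        user = self.sessions[sid]
        self.accounts[user]["twofa"] = True
        # 3.1: ... but without this, a session that exists already was never
        # challenged for the factor and survives the victim turning 2FA on.
        if self.invalidate_on_2fa_enable:
            self._revoke_other_sessions(user, keep=sid)

    def change_password(self, sid, new_password, otp_ok=False):
        user = self.sessions.get(sid)
        if user is None:
            return "no_session"
        acct = self.accounts[user]
        # 3.2: a 2FA-protected account must present the factor again for this.
        if acct["twofa"] and self.otp_required_for_password_change and not otp_ok:
            return "otp_required"
        acct["password"] = new_password
        # Added hardening (not from the article): a password change ends every other session.
        self._revoke_other_sessions(user, keep=sid)
        return "changed"


def demo(invalidate_on_2fa_enable=True, otp_required_for_password_change=True):
    """Replays tests 3.1 and 3.2; returns (second_session_survived,
    password_change_without_otp, password_change_with_otp)."""
    store = SessionStore(invalidate_on_2fa_enable, otp_required_for_password_change)
    store.register("victim", "hunter2")
    browser1 = store.login("victim", "hunter2")  # the victim's own browser
    browser2 = store.login("victim", "hunter2")  # second browser, or an attacker who knows the password
    store.enable_2fa(browser1)
    survived = store.is_valid(browser2)
    without_otp = store.change_password(browser1, "n3w-pass", otp_ok=False)
    with_otp = store.change_password(browser1, "n3w-pass", otp_ok=True)
    return survived, without_otp, with_otp


if __name__ == "__main__":
    print("hardened:  ", demo())              # (False, 'otp_required', 'changed')
    print("vulnerable:", demo(False, False))  # (True, 'changed', 'changed')
```

With both flags off the second browser stays logged in after enrolment and the password changes on the strength of the session alone, which is exactly the pair of observations the two tests above look for; with them on, the only session that survives enrolment is the one that performed it, and a password change refuses to proceed until the factor is presented again.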

That's all about abusing Two-Factor Authentication.

If you enjoyed reading the article, do clap and follow on Medium and Instagram.
