Two-Factor Authentication (2FA) is sometimes called multi-factor authentication. … Adding one more step to verify your identity makes it harder for an attacker to access your data. This drastically reduces the chances of fraud, data loss, or identity theft.
You can read more about 2FA here.
Hello Hackers & Enthusiasts, X0rby7e here. In this article I am going to write about how to abuse 2FA for critical vulnerabilities. Let's see more about 2FA and how to bypass it.
Methods that I covered and used to test when I got a 2FA endpoint:
Lack of Rate Limits
Logical Flaws
Session Management
Lack of Rate Limits -
1.1 Lack of Rate Limit to Verify OTP -
Capture the request in Burp Suite where the web application asks for the OTP. Now brute-force the OTP using Intruder. The valid OTP returns 200 OK, or it depends on the scenario; simply observe the response length to spot the valid one.
1.2 No Rate Limit to Send OTP -
Capture the request in Burp Suite where the web application sends the OTP to the user. Now simply repeat the same request 100 to 200 times via Intruder; the application sends an OTP in response to every request. Impact: if the target organisation is using a paid SMS system that charges per SMS, this will be a loss to the organisation.
1.3 Bypass Rate Limit Based on Cookie, IP, or Session -
Observe the request and try to bypass the restrictions they use for rate limiting. IPRotate is one of the best Burp Suite extensions for doing this.
Logical Flaws -
2.1 Old OTP Is Still Valid
The OTP is associated with a token; after refreshing, a new OTP is associated with a new token, but the old one is still valid.
2.2 OTP Can Be Used by Another User
Check whether another user can log in via the same OTP.
2.3 OTP Is Leaking in Response
Capture the requests in Burp Suite and check the response of every request; sometimes the OTP leaks in a header. Try changing the request so that the OTP is exposed in an error. Add .json at the end of the request so that the OTP is disclosed in the response [not in all cases].
2.4 Account Lockout
The application locks the account after several attempts.
2.5 Playing with OTP
There was an application that allowed me to log in with OTP 0000; in that case, 0000 is acting as a master key.
Session Management -
3.1 Lack of Session Invalidation
Create a user ID and log in to the same user in 2 different browsers. Now, in the 1st browser, activate 2FA and check whether the 2nd browser's session is still valid. If it is still valid and the user is not logged out, there is a lack of session invalidation after activation of 2FA.
3.2 Lack of 2FA on Password Change
If 2FA is activated, check whether the Change Password functionality is protected by 2FA.
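To show what closes most of the flaws above on the server side, here is an added example (not code from the article or any real application) of a minimal OTP verifier in Python; the class, limits and clock injection are my own assumptions. It caps guesses per OTP (1.1), throttles resends per user (1.2), invalidates the previous OTP on reissue (2.1), binds each OTP to the user it was issued to (2.2), keeps the code out of the HTTP response (2.3), and has no hard-coded master code (2.5).

```python
import hmac
import secrets
import time

OTP_TTL = 300        # seconds an OTP stays valid
MAX_ATTEMPTS = 5     # wrong guesses before the OTP is burned (1.1)
RESEND_WINDOW = 60   # minimum seconds between OTP sends per user (1.2)


class OtpStore:
    """In-memory OTP state per user; a constructed stand-in for a database."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the behaviour can be tested
        self.pending = {}       # user_id -> {"code", "expires", "attempts"}
        self.last_sent = {}     # user_id -> timestamp of the last send

    def issue(self, user_id):
        """Generate a fresh 6-digit OTP, replacing any earlier one for the user (2.1)."""
        sent = self.last_sent.get(user_id)
        if sent is not None and self.now() - sent < RESEND_WINDOW:
            raise RuntimeError("OTP resend too soon")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = {"code": code, "expires": self.now() + OTP_TTL, "attempts": 0}
        self.last_sent[user_id] = self.now()
        # Deliver out of band (SMS/e-mail); never echo the code in the HTTP response (2.3).
        return code

    def verify(self, user_id, submitted):
        """Return True once for the correct, unexpired OTP of this user; False otherwise."""
        rec = self.pending.get(user_id)
        if rec is None:                      # OTP is bound to the user it was issued to (2.2)
            return False
        if self.now() > rec["expires"]:      # expired: discard and fail
            del self.pending[user_id]
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:   # burn the OTP instead of letting it be brute-forced
            del self.pending[user_id]
            return False
        if not hmac.compare_digest(rec["code"], submitted):   # constant-time compare
            return False
        del self.pending[user_id]            # single use: the same OTP cannot be replayed
        return True
```

Account lockout (2.4) is deliberately per-OTP rather than per-account here: a burned OTP forces a throttled reissue instead of locking the victim out.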
That's all about abusing 2-Factor Authentication.
If you enjoyed reading the article, do clap and follow on Medium and Instagram.