Hello everyone, this is my first writeup.
To people who don’t know me: I am Sujay Hazra (m4ddy). This year I completed my school journey. I am learning penetration testing by day and am a bug hunter by night, and I mainly love to find password reset functionality.
I hope you are all good, and I hope you can learn something new. This writeup is about how I bypassed 2FA. I don’t have permission to disclose target information, so let’s call it example.com. So let’s start without wasting time.
It was a normal website. There was not much functionality: you could create an account, log in, change your password, etc. As always, I created 2 accounts, an attacker account and a victim account. I noticed that this website's password reset functionality is OTP based. Then I requested a password reset.
Then I typed a random OTP and captured the request in Burp Suite. I sent the request to Intruder and tried to brute force it. The website firewall blocked my multiple requests.
Then I used the Burp Suite IP Rotate extension (an extension for Burp Suite which uses AWS API Gateway to change your IP on every request). More information about the IP Rotate extension: https://github.com/portswigger/ip-rotate
And I successfully bypassed 2FA.
Then I immediately reported it. But this issue had already been reported by another user :(
I hope you have learned something new from it.
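The block in this story was tied to the source IP, so changing IP reset it. As an added example (not code from the target or from this writeup), here is an OTP check that counts failures per pending reset instead; the class name, the limits and the constructed 198.51.100.x addresses are all assumptions.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5        # assumed policy: wrong guesses allowed per issued OTP
OTP_TTL_SECONDS = 300   # assumed policy: OTP lifetime


class ResetOtpStore:
    """Counts failures per account's pending reset, never per source IP."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # account -> [otp, expires_at, failures]

    def issue(self, account):
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = [otp, self._clock() + OTP_TTL_SECONDS, 0]
        return otp  # a real system delivers this out of band

    def verify(self, account, candidate, source_ip=None):
        # source_ip is for logging only; it plays no part in the limit,
        # so a request arriving from a new address gets no fresh budget.
        entry = self._pending.get(account)
        if entry is None:
            return "no_pending_reset"
        otp, expires_at, failures = entry
        if self._clock() >= expires_at:
            del self._pending[account]
            return "expired"
        if hmac.compare_digest(otp.encode(), candidate.encode()):
            del self._pending[account]
            return "ok"
        entry[2] = failures + 1
        if entry[2] >= MAX_FAILURES:
            del self._pending[account]  # burn the OTP; a new reset is required
            return "locked"
        return "wrong"


def wrong_guesses_from_many_ips(store, account, real_otp, attempts):
    """Constructed traffic: each wrong guess comes from a different source IP."""
    results = []
    for i in range(attempts):
        guess = f"{(int(real_otp) + 1 + i) % 10**6:06d}"  # never the real OTP
        ip = f"198.51.100.{i % 250 + 1}"                  # constructed address
        results.append(store.verify(account, guess, source_ip=ip))
    return results
```

Reset requests per account need their own limit too, otherwise every newly issued OTP grants a fresh set of guesses.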
Well, if you love this writeup, drop a clap 👏 (50X). Let’s connect:
Twitter: https://twitter.com/M4ddy_4
Instagram: https://www.instagram.com/m4ddy_4