Learning Web-Sec - Day 16 - Authentication Vulnerabilities


2FA simple bypass - PortSwigger Lab Walkthrough

Follow me for more such content, as it keeps me motivated to write such detailed walk-throughs.

I will walk you through bypassing an insecurely coded 2FA protection in today's lab.

Lab 7 - 2FA Simple Bypass

Level: Apprentice

Description of Lab:

This lab’s two-factor authentication can be bypassed. You have already obtained a valid username and password, but do not have access to the user’s 2FA verification code. To solve the lab, access Carlos’s account page.

Your credentials: wiener:peter

Victim’s credentials: carlos:montoya

We can see that we are provided with our own credentials and the credentials of the victim user. After starting the lab, there’s an email client button at the top which gives us access to the emails for our account (this is where we’ll receive our verification code).

Let’s now log in with our credentials.

We’re now being asked for a verification code which is to be found in the email client. Let’s look it up.

Now here’s the verification code which we need to use for logging in.

Enter the code in the previous website and we’re inside our account.

Notice how the URL changed from
https://subdomain.web-security-academy.net/login2 to
https://subdomain.web-security-academy.net/my-account

Now we will repeat the login manually with the victim’s credentials, and stop once we reach the login2 page that asks for the verification code.

Let’s now change the login2 to my-account in the URL.

And we’re done bypassing a simple, poorly coded 2FA protection: the server treated the session as logged in as soon as the password was accepted, so the /my-account page never checked whether the second factor had been completed.
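To show the server-side root cause of this bypass, here is an added example (not code from the lab or from PortSwigger) modelling the session state machine behind /login, /login2 and /my-account. The user store and the fixed code "1234" are constructed assumptions; the vulnerable account check is shown next to a hardened one that requires the second factor to have been completed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import hmac

class Stage(Enum):
    ANONYMOUS = "anonymous"
    PENDING_2FA = "pending_2fa"      # password accepted, code not yet verified
    AUTHENTICATED = "authenticated"  # both factors verified

@dataclass
class Session:
    user: Optional[str] = None
    stage: Stage = Stage.ANONYMOUS
    pending_code: Optional[str] = None

# Constructed sample user store (assumption: plain-text passwords for brevity only).
USERS = {"wiener": "peter", "carlos": "montoya"}

def login(session: Session, username: str, password: str) -> bool:
    """Step 1 (/login): check the password and move the session to PENDING_2FA."""
    if USERS.get(username) != password:
        return False
    session.user = username
    session.stage = Stage.PENDING_2FA
    session.pending_code = "1234"  # constructed; a real app emails a random one-time code
    return True

def verify_code(session: Session, code: str) -> bool:
    """Step 2 (/login2): only a session that completes this becomes AUTHENTICATED."""
    if session.stage is not Stage.PENDING_2FA or session.pending_code is None:
        return False
    if not hmac.compare_digest(session.pending_code, code):
        return False
    session.stage = Stage.AUTHENTICATED
    session.pending_code = None
    return True

def my_account_vulnerable(session: Session) -> bool:
    """The lab's bug: /my-account only checks that a user is set on the session."""
    return session.user is not None

def my_account_fixed(session: Session) -> bool:
    """Hardened: /my-account requires the session to have passed the second factor."""
    return session.user is not None and session.stage is Stage.AUTHENTICATED
```

With the vulnerable check, a session that has only passed the password step is served the account page; with the hardened check the same session is refused until the code has been verified.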
