Skip to content

Security Cipher

Menu
  • Home
  • Blog
  • Services
  • About Us
  • Resources
    • Security Tools
    • Penetration Testing Tricks
    • Security Terminologies
    • Vulnerability Explain
    • Secure Code Explain
    • AWS Cloud Security Checklist
    • Web Application Security Quiz
  • My Resume
Contact Us

Penetration Testing Tricks

  • Subdomain Enumeration Tools
  • Graphql [Inprogress]
  • 2FA Bypass
  • Captcha Bypass

Vulnerability Explain

  • Cross-Site-Scripting (XSS)
  • SQL Injection
  • Server-Side Request Forgery (SSRF)

Security Resources

  • Search Engines for Hackers
  • Browser Extensions
  • Out-of-Band Exfiltration Tools
  • Wordlists
  • Input Sanitization Techniques for Secure Coding
  • HTTP Security Headers

Secure Code Explain

  • Insecure Password Storage
  • Host Header Injection
  • SQL Injection
  • Session Fixation
  • Home
  • Docs
  • Penetration Testing Tricks
  • 2FA Bypass

2FA Bypass

Consider these techniques for bypassing 2FA implementation during penetration testing or bug bounty.

Method 1: Response Manipulation #

Intercept the response from the authentication request and modify the “success” field from “false” to “true” to bypass the 2FA check.

Original Response:

{
"success": false,
"message": "Authentication failed"
}

Edited Response: 

{
"success": true, 
"message": "Authentication failed"
}

Method 2: Status Code Manipulation #

Change the HTTP status code from a 4xx (indicating authentication failure) to a 200 OK status code to see if it allows access. This can trick the system into thinking the authentication was successful.

Original Response:

HTTP/1.1 401 Unauthorized
Content-Type: application/json 

{ 
"error": "Invalid credentials" 
}

Edited Response:

HTTP/1.1 200 OK
Content-Type: application/json

{
"error": "Invalid credentials"
}

Method 3: 2FA Code Leakage in Response #

Check the response of the 2FA Code Triggering Request to see if the 2FA code is leaked in the response body. If it is, it could be used to authenticate without going through the proper 2FA process.

HTTP/1.1 200 OK
Content-Type: application/json

{
"message": "Authentication successful",
"2fa_code": "123456"
}

Method 4: 2FA Code Reusability #

Generate a 2FA code and use it for authentication. Attempt to reuse the same 2FA code in a different session. Successful reuse may indicate a security vulnerability.

POST /authenticate
Content-Type: application/json

{
"username": "user123",
"2fa_code": "123456"
}

Method 5: JS File Analysis #

Assume you are testing a web application, and you suspect that a JavaScript file may contain information about the 2FA implementation.

Request:

GET /path/to/suspected-js-file.js HTTP/1.1
Host: example.com

Response:

HTTP/1.1 200 OK
Content-Type: application/javascript

// Sample JavaScript file
// This file may contain information about the 2FA implementation

var twoFactorEnabled = true;
var twoFactorMethod = "SMS";

function authenticateWith2FA() {
// Code for 2FA authentication
}

// ... Other JavaScript code ...

You can then further analyze the JavaScript code to determine if there are any vulnerabilities or issues related to the 2FA implementation.

Method 6: Lack of Brute-Force Protection #

Exploit the absence of rate limiting on the 2FA API to brute-force the 2FA code. Try various codes until you find the correct one. You can use Burps Suite’s Intruder tool for the same.

POST /2fa
Content-Type: application/json

{
"username": "user123",
"2fa_code": "123456"
}

Method 7: Missing 2FA Code Integrity Validation #

Exploit the absence of code integrity validation to check if you can use the same 2FA code for another user’s 2FA validation.

POST /authenticate
Content-Type: application/json

{
"username": "user123",
"2fa_code": "123456"
}

Method 8: CSRF on 2FA Disabling #

Take advantage of the absence of CSRF protection to disable 2FA without the user’s knowledge.

POST /disable-2fa
Content-Type: application/json

{
"disable": true
}

Method 9: Bypass 2FA using the “Remember me” functionality #

Attempt to bypass 2FA by using the “remember me” functionality, which may store 2FA information in a cookie, session, local storage, or IP address.

POST /authenticate
Content-Type: application/json

{
"username": "user123",
"remember_me": true
}

Method 10: Direct Request to Post Authenticated Page #

GET /authenticated-api

Directly hit an API that comes after 2FA or any authenticated page/API to see if it bypasses 2FA restrictions.

Method 11: 2FA Refer Check Bypass #

Navigate to an authenticated page and, if unsuccessful, change the Referer header to the 2FA page URL to trick the application into thinking the request came after satisfying 2FA.

GET /authenticated-page
Referer: https://example.com/2fa

Method 12: Sequential OTP Number #

Check if the OTPs generated are sequential, allowing you to predict the next OTP. This can be exploited if the system generates predictable OTPs.

Valid OTP Request 1:

POST /request-otp
Content-Type: application/json

{
"2fa": "500060"
}

Valid OTP Request 2:

POST /request-otp
Content-Type: application/json

{
"2fa": "500061"
}

Method 13: Remove the OTP Parameter #

Attempt to bypass 2FA by removing the OTP parameter from the request.

Original Request:

POST /validate-otp 
Content-Type: application/json 

{ 
"email": "user@email.com",
"2fa": "500061" 
}

Modified Request:

POST /validate-otp 
Content-Type: application/json 

{ 
"email": "user@email.com"
}

Method 14: Manipulate the OTP Parameter Values #

Try various manipulations of the OTP parameter to see if you can bypass 2FA.

POST /validate-otp 
Content-Type: application/json 
{
"2fa": "123456", // make it "2fa": ""
"2fa": "123456", // make it "2fa": "null"
"2fa": "123456", // make it "2fa": "true"
"2fa": "123456", // make it "2fa": null
"2fa": "123456", // make it "2fa": "00000"

Method 15: Password Reset/Email Change Disable 2FA #

After resetting the user’s password or changing their email, the 2FA might automatically be disabled, which could be exploited.

Method 16: Backup Code Abuse #

Attempt to use the Backup code feature to remove/reset 2FA restrictions. This might involve finding vulnerabilities in the handling of backup codes.

Method 17: Clickjacking on the 2FA Disabling Page #

Attempt to use clickjacking by iframing the 2FA disabling page and socially engineering the victim into disabling 2FA without their consent.

Method 18: Enabling 2FA doesn’t expire Previously active Sessions #

Exploit the behavior where enabling 2FA doesn’t expire previously active sessions, allowing unauthorized access to continue without 2FA.

Method 19: 2FA Code Validity #

  • Request multiple 2FA codes, and check if previously requested 2FA codes can be used to authenticate.
  • Request for MFA Code, wait for a longer time, and try using the same code; successful use may indicate a security vulnerability.

     

    Share This Article :
    • Facebook
    • Twitter
    • LinkedIn
    • Pinterest
    Graphql [Inprogress]

    Leave a Reply Cancel reply

    Table of Contents
    • Method 1: Response Manipulation
    • Method 2: Status Code Manipulation
    • Method 3: 2FA Code Leakage in Response
    • Method 4: 2FA Code Reusability
    • Method 5: JS File Analysis
    • Method 6: Lack of Brute-Force Protection
    • Method 7: Missing 2FA Code Integrity Validation
    • Method 8: CSRF on 2FA Disabling
    • Method 9: Bypass 2FA using the “Remember me” functionality
    • Method 10: Direct Request to Post Authenticated Page
    • Method 11: 2FA Refer Check Bypass
    • Method 12: Sequential OTP Number
    • Method 13: Remove the OTP Parameter
    • Method 14: Manipulate the OTP Parameter Values
    • Method 15: Password Reset/Email Change Disable 2FA
    • Method 16: Backup Code Abuse
    • Method 17: Clickjacking on the 2FA Disabling Page
    • Method 18: Enabling 2FA doesn't expire Previously active Sessions
    • Method 19: 2FA Code Validity
    logo name

    Learn penetration Testing …

    Instagram Twitter Youtube Telegram Linkedin

    Useful Links

    Blogs
    About
    Contact

    Recent Post

    • Top Recon Tools for Bug Bounty Hunters
    • Mastering WordPress Penetration Testing: A Step-by-Step Guide
    • Enhance WordPress Security: Comprehensive Guide

    Subscribe Now

    Don’t miss our future updates! Get Subscribed Today!

    Subscription Form

    By entering your email, you agree to our terms & Conditions and Privacy policy.

    ©2023. Security Cipher. All Rights Reserved.

    Privacy Policies
    Terms & Conditions