🚨 2FA Bypass | How Attackers Still Break Multi-Factor Authentication 🔓🔐
Overview of common 2FA bypass techniques, including flawed verification logic, clickjacking on 2FA disable functionality, and response manipulation.
2FA BYPASS
Bypassing two-factor authentication
[] Flawed two-factor verification logic
Sometimes flawed logic in two-factor authentication means that after a user has completed the initial login step, the website does not adequately verify that the same user is completing the second step.
For example, the user logs in with their normal credentials in the first step:
POST /login-steps/first HTTP/1.1
Host: vulnerable-website.com
...
username=carlos&password=qwerty
They are then assigned a cookie that relates to their account, before being taken to the second step of the login process:
HTTP/1.1 200 OK
Set-Cookie: account=carlos

GET /login-steps/second HTTP/1.1
Cookie: account=carlos
When submitting the verification code, the request uses this cookie to determine which account the user is trying to access:
POST /login-steps/second HTTP/1.1
Host: vulnerable-website.com
Cookie: account=carlos
...
verification-code=123456
In this case, an attacker could log in using their own credentials but then change the value of the account cookie to any arbitrary username when submitting the verification code.
POST /login-steps/second HTTP/1.1
Host: vulnerable-website.com
Cookie: account=victim-user
...
verification-code=123456
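The root cause above is that the second step identifies the account from a cookie the client can edit. The following is an added example (not code from the original page) that models the flawed handler next to a hardened one: step one creates a server-side session that records which account passed the password check, and step two reads the account from that session rather than from any client-supplied value. The user list, the pending codes and the `account`/`session` cookie names are constructed for the demo.

```python
import secrets

# Constructed demo credentials and outstanding codes (not real data).
USERS = {"carlos": "qwerty", "victim-user": "hunter2"}
PENDING_CODES = {"carlos": "123456", "victim-user": "654321"}

# Server-side store: opaque session id -> state that only the server writes.
SESSIONS = {}


def first_step(username, password):
    """Step one: check the password and open a server-side pending session.

    Returns the opaque session id to put in a cookie, or None on failure."""
    if USERS.get(username) != password:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"account": username, "mfa_ok": False}
    return sid


def second_step_vulnerable(cookies, code):
    """Flawed logic from the page: the account under verification is whatever the
    client's 'account' cookie says, so it is never tied to who passed step one."""
    account = cookies.get("account")
    if account in PENDING_CODES and PENDING_CODES[account] == code:
        return account  # logged in as the account named in the cookie
    return None


def second_step_fixed(cookies, code):
    """Hardened logic: the account comes from the server-side session created in
    step one; an 'account' cookie sent by the client is simply ignored."""
    state = SESSIONS.get(cookies.get("session"))
    if state is None or state["mfa_ok"]:
        return None  # no pending first step, or second step already completed
    expected = PENDING_CODES[state["account"]]
    if not isinstance(code, str) or not code.isascii():
        return False  # compare_digest needs ASCII str; reject anything else
    if not secrets.compare_digest(expected, code):
        return None
    state["mfa_ok"] = True
    return state["account"]


if __name__ == "__main__":
    sid = first_step("carlos", "qwerty")
    # Same tampered request as on the page: own session, victim's account cookie.
    tampered = {"session": sid, "account": "victim-user"}
    print("vulnerable:", second_step_vulnerable(tampered, "654321"))  # victim-user
    print("fixed:     ", second_step_fixed(tampered, "654321"))       # None
    print("legit:     ", second_step_fixed({"session": sid}, "123456"))  # carlos
```

The fix is not the cookie name but where the account identity lives: the only thing the client holds is an unguessable session id, and the mapping from that id to an account is written by the server at step one and consumed at step two.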
[] Clickjacking on 2FA Disable Feature
- Try to load the page where the application lets a user disable 2FA inside an iframe.
- If the iframe loads, the disable action could be triggered through social engineering that manipulates the victim into clicking.
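The defensive counterpart is to make sure the 2FA settings page cannot be framed by another origin at all. Below is an added example (not code from the original page) with a small checker that takes the header block of a captured HTTP response and reports whether framing is blocked, applying the rule that a `Content-Security-Policy` `frame-ancestors` directive takes precedence over `X-Frame-Options`; it also returns the header set a hardened page should send. The sample response is constructed.

```python
def parse_raw_response_headers(raw):
    """Turn the header block of a captured HTTP response into a dict (status line dropped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def framing_blocked(headers):
    """True if the response headers stop other origins from framing the page.

    CSP frame-ancestors, when present, decides the outcome on its own; only
    'none' and 'self' keep third parties out. Without it, X-Frame-Options
    DENY or SAMEORIGIN is accepted. Anything else counts as frameable."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            # An empty source list is treated as unprotected here (conservative for an audit).
            return bool(sources) and all(s in ("'none'", "'self'") for s in sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


def hardened_response_headers():
    """Headers a 2FA settings page should send: CSP for modern browsers, XFO as a fallback."""
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


# Constructed sample: a captured response for the 2FA settings page with no framing protection.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; HttpOnly; Secure\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    captured = parse_raw_response_headers(SAMPLE_RESPONSE)
    print("captured page frameable:", not framing_blocked(captured))       # True
    print("hardened page frameable:", not framing_blocked(hardened_response_headers()))  # False
```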
[] Response Manipulation
- Check the response of the 2FA request.
- If you observe "Success": false, change this to "Success": true and see if it bypasses the 2FA.
[] Status Code Manipulation
- If the response status code is 4XX (such as 401 or 402), change it to "200 OK" and see if it bypasses the 2FA.
[] 2FA Code Reusability
- Request a 2FA code and use it.
- Now re-use the same 2FA code; if it is accepted again, that's an issue.
- Also, request multiple 2FA codes and check whether previously issued codes expire when a new one is generated. (Only the latest code should be valid; older ones should be invalidated.)
- Also, try to re-use a previously used code after a long time, say 1 day or more. That code should already be expired and must not be accepted.
[] CSRF on 2FA Disable Feature
- Request a 2FA code and use it.
- Now re-use the 2FA code; if it is accepted, that's an issue.
- Also, try requesting multiple 2FA codes and see whether previously requested codes expire when a new code is requested.
- Also, try to re-use the previously used code after a long time duration (say 1 day or more). That will be a potential issue, as 1 day is enough time to crack and guess a 6-digit 2FA code.
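The code reusability checks listed in the two sections above all come down to three server-side properties: a code is consumed on first successful use, a newly issued code supersedes any older one for the same account, and a code past its lifetime is never accepted. The following is an added example (not code from the original page) of a store that enforces all three. The five-minute lifetime and the injectable clock are constructed for the demo; the clock exists so that the "1 day later" check can be exercised without waiting.

```python
import secrets
import time

CODE_TTL_SECONDS = 300  # constructed policy: a code lives for five minutes


class OneTimeCodeStore:
    """Per-account 2FA codes that are single-use, expire, and are replaced by newer codes."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested deterministically
        self._pending = {}    # account -> (code, issued_at); at most one code per account

    def issue(self, account):
        """Generate a fresh 6-digit code; any older outstanding code for the account is discarded."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = (code, self._clock())
        return code

    def verify(self, account, submitted):
        """Accept the code at most once and only within its lifetime."""
        entry = self._pending.get(account)
        if entry is None:
            return False  # nothing outstanding: never issued, already used, or superseded
        code, issued_at = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._pending[account]  # expired: drop it so it can never be accepted later
            return False
        if not isinstance(submitted, str) or not submitted.isascii():
            return False  # compare_digest needs ASCII str; reject anything else outright
        if not secrets.compare_digest(code, submitted):
            return False  # wrong code; the outstanding code stays until it expires
        del self._pending[account]  # consumed on first successful use
        return True


if __name__ == "__main__":
    now = [1_000_000.0]
    store = OneTimeCodeStore(clock=lambda: now[0])
    first = store.issue("carlos")
    print("first use:", store.verify("carlos", first))    # True
    print("re-use:   ", store.verify("carlos", first))    # False
    stale = store.issue("carlos")
    store.issue("carlos")                                 # supersedes 'stale'
    print("old code: ", store.verify("carlos", stale))    # False (barring a 1-in-a-million collision)
    latest = store.issue("carlos")
    now[0] += 86_400                                      # one day later
    print("next day: ", store.verify("carlos", latest))   # False
```

Storing only one outstanding code per account is what makes "older codes are invalidated" automatic; a wrong guess deliberately does not consume the code, so rate limiting of attempts still belongs in front of `verify`.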
[] Backup Code Abuse
Apply the same techniques used against 2FA, such as response/status code manipulation and brute force, to the backup codes, since they can be used to bypass 2FA and to disable or reset it.
[] Enabling 2FA Doesn’t Expire Previous Session
- Log in to the application in two different browsers and enable 2FA from the first session.
- Use the second session; if it has not expired, there is an insufficient session expiration issue. In this scenario, if an attacker hijacks an active session before 2FA is enabled, they can carry out all functions without ever needing 2FA.
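The fix for this finding is that enabling 2FA must revoke every other session for the account. The following is an added example (not code from the original page) of a session manager that tags each session with a per-account generation number and bumps that number when 2FA is enabled, which invalidates all sessions issued before the change; the calling session is re-issued under the new generation so the user who made the change stays logged in. The weak variant that only flips a flag is shown alongside it. All identifiers here are constructed for the demo.

```python
import secrets


class SessionManager:
    """Server-side sessions tagged with a per-account generation number.

    A security-sensitive change (here: enabling 2FA) bumps the generation, which
    invalidates every session that still carries the old number."""

    def __init__(self):
        self._generation = {}   # account -> current generation
        self._sessions = {}     # session id -> (account, generation at login)
        self.mfa_enabled = set()

    def login(self, account):
        """Open a session under the account's current generation."""
        gen = self._generation.setdefault(account, 0)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (account, gen)
        return sid

    def is_valid(self, sid):
        """A session is live only if its generation matches the account's current one."""
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        account, gen = entry
        return gen == self._generation[account]

    def enable_2fa_without_revocation(self, sid):
        """The weak behaviour from the page: 2FA is switched on, but every other
        session for the account keeps working."""
        if not self.is_valid(sid):
            raise PermissionError("stale or unknown session")
        account, _ = self._sessions[sid]
        self.mfa_enabled.add(account)

    def enable_2fa(self, sid):
        """Hardened: switch 2FA on, revoke all sessions for the account by bumping the
        generation, and re-issue the calling session so only it survives."""
        if not self.is_valid(sid):
            raise PermissionError("stale or unknown session")
        account, _ = self._sessions.pop(sid)
        self.mfa_enabled.add(account)
        self._generation[account] += 1
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = (account, self._generation[account])
        return new_sid


if __name__ == "__main__":
    weak = SessionManager()
    browser1, browser2 = weak.login("carlos"), weak.login("carlos")
    weak.enable_2fa_without_revocation(browser1)
    print("weak: second browser still valid ->", weak.is_valid(browser2))   # True

    fixed = SessionManager()
    browser1, browser2 = fixed.login("carlos"), fixed.login("carlos")
    browser1 = fixed.enable_2fa(browser1)
    print("fixed: second browser still valid ->", fixed.is_valid(browser2))  # False
    print("fixed: changing browser still valid ->", fixed.is_valid(browser1))  # True
```

Re-issuing the caller's session id also covers the case where the old id was captured earlier: after the change, the captured id no longer maps to a live session at all.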
[] 2FA Referer Check Bypass
- Directly navigate to the page that comes after 2FA, or to any other authenticated page of the application.
- If that does not succeed, change the Referer header to the URL of the 2FA page. This may fool the application into treating the request as if it came after the 2FA condition was satisfied.
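The Referer trick above, and the response and status code manipulation described earlier, all exploit the same design flaw: the decision that 2FA has been satisfied is taken from something the client controls. The following is an added example (not code from the original page) that places a flawed authorization check next to a hardened one. The flawed check trusts a Referer naming the 2FA page or a client-asserted status; the hardened check consults only a server-side flag that the server's own verification handler sets. The `/login-steps/second` path is taken from the page's examples; the session store, the `mfa_status` cookie and the request shape are constructed for the demo.

```python
import secrets

# Constructed server-side session store: session id -> state only the server writes.
SESSIONS = {}


def start_session(account):
    """Called after the password step; the second factor is not yet satisfied."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"account": account, "mfa_ok": False}
    return sid


def record_2fa_success(sid):
    """Called only by the server's own code-verification handler after a correct code."""
    SESSIONS[sid]["mfa_ok"] = True


def is_authorized_vulnerable(request):
    """Flawed check: a Referer naming the 2FA page, or a status the client claims it
    received, is taken as proof that the second step completed."""
    referer = request["headers"].get("Referer", "")
    if referer.endswith("/login-steps/second"):
        return True
    return request["cookies"].get("mfa_status") == "success"


def is_authorized(request):
    """Hardened check: only the server-side flag counts; editable headers and cookies
    carry no authority, and the session id itself is unguessable."""
    state = SESSIONS.get(request["cookies"].get("session"))
    return state is not None and state["mfa_ok"]


def serve_protected_page(request, check=is_authorized):
    """Status a protected page answers with: 200 if authorized, else 302 back to the 2FA step."""
    return 200 if check(request) else 302


if __name__ == "__main__":
    sid = start_session("carlos")
    # Request with a forged Referer and a rewritten "success" status, but 2FA never completed.
    forged = {
        "headers": {"Referer": "https://vulnerable-website.com/login-steps/second"},
        "cookies": {"session": sid, "mfa_status": "success"},
    }
    print("vulnerable check:", serve_protected_page(forged, is_authorized_vulnerable))  # 200
    print("hardened check:  ", serve_protected_page(forged))                            # 302
    record_2fa_success(sid)
    print("after real 2FA:  ", serve_protected_page(forged))                            # 200
```

Nothing in the hardened path reads the Referer or the response the client saw; the only way to flip `mfa_ok` is the server-side verification handler, so editing the response body, the status code or the Referer changes what the browser shows but not what the server grants.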
[] 2FA Code Leakage in Response
- Capture the request that triggers the 2FA code, such as the "Send OTP" functionality.
- Inspect the response to this request and check whether the 2FA code is leaked in it.
[] JS File Analysis
- While triggering the 2FA code request, note which JS files are referenced in the response.
- Analyze all of those JS files for 2FA-related logic or leaked codes.
