2FA Bypassing Methods & Techniques
Bypassing Two-Factor Authentication:
In computer security, authentication is the process of verifying the digital identity of the sender of a communication; the log-on process is a common example. Testing the authentication schema means understanding how the authentication process works and using that knowledge to try to circumvent the authentication mechanism.
In this section, I will demonstrate some methods for bypassing two-factor authentication.
Test Purposes
- Make sure authentication is used by all services that need it.
The following checks cover problems that fall under the category of security misconfiguration, such as a missing rate limit or a lack of brute-force protection.
1. Request a 2FA code and capture the request.
2. Repeat this request 100–200 times; if no restriction is enforced, you have a rate-limit issue.
3. Attempt to brute-force a valid 2FA code on the 2FA Code Verification page and check whether it succeeds.
4. You can also brute-force at one end while requesting new OTPs at the other; the OTP will match somewhere in the middle and could give you a quick result.
Password Reset/Email Change — 2FA Disable
1. Assume you are able to change the victim user’s email address or password, or to force the victim user to do so using any legitimate method.
2. After the email address is changed or the password is reset, 2FA is disabled. This may be a problem for some organizations; however, it varies from case to case.
2FA Code Integrity Validation is missing
1. Request a two-factor authentication code from the attacker account.
2. Enter this working 2FA code into the victim’s 2FA request to test whether the 2FA protection is bypassed.
Direct Request
1. Navigate directly to the page that appears after 2FA or any other authenticated page of the application.
2. Check to see if this gets around the 2FA restrictions.
2FA Code Leakage in Response
1. Capture the request that triggers the 2FA code, such as the Send OTP functionality.
2. Examine the response to this request to see whether the 2FA code is leaked in it.
Clickjacking on 2FA Disable Feature
1. Attempt to load the page where the app allows the user to disable 2FA inside an iframe.
2. If the iframe loads successfully, try a social engineering attack to trick the victim into falling into your trap.
Response Manipulation
1. Examine the response to the 2FA request.
2. Look for "Success": false in the response body.
3. Change this to "Success": true and see if the 2FA is bypassed.
Status Code Manipulation
1. Check whether the response status code is 4XX, such as 401, 402, and so on.
2. Change the response status code to "200 OK" and see if the 2FA is bypassed.
2FA Code Reusability
1. Request and use a 2FA code.
2. Re-enter the same 2FA code; if it is accepted, you have a problem.
3. Request multiple 2FA codes to see whether previously requested codes expire when a new code is requested.
4. Also, after a long period of time, say a day or more, try to reuse the previously used code. This can be a problem because one day is enough time to guess a 6-digit 2FA code.
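As an added defender-side illustration (not code from the original post), the server-side checks that close the brute-force, code-integrity and code-reuse gaps described above: each code is stored under the user who requested it, expires, is single-use, is replaced when a new one is issued, and is locked after a few wrong attempts. The in-memory store, the limits of 5 attempts and 300 seconds, and the injectable clock are assumptions made for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # wrong guesses tolerated per issued code (assumed value)
CODE_TTL_SECONDS = 300  # code lifetime; a 6-digit code must not stay valid for a day


@dataclass
class IssuedCode:
    user_id: str
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpStore:
    """One live code per user, held server-side (in-memory store constructed for this example)."""

    def __init__(self, now=time.time):
        self._codes = {}   # user_id -> IssuedCode
        self._now = now    # injectable clock so expiry can be exercised in tests

    def issue(self, user_id: str) -> str:
        # Issuing a new code replaces the previous one, so older codes stop working.
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[user_id] = IssuedCode(user_id, code, self._now())
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        # Look up by the user whose session is being verified, never by the code itself:
        # a valid code issued to the attacker's account has no entry under the victim's id.
        rec = self._codes.get(user_id)
        if rec is None or rec.used:
            return False
        if self._now() - rec.issued_at > CODE_TTL_SECONDS:
            del self._codes[user_id]          # expired: user must request a fresh code
            return False
        if rec.attempts >= MAX_ATTEMPTS:
            del self._codes[user_id]          # too many guesses: lock this code
            return False
        rec.attempts += 1
        if not hmac.compare_digest(rec.code, submitted):
            return False
        rec.used = True                       # single use: re-submitting the same code fails
        return True
```

Because the verified flag lives in the server-side record rather than in the response body, rewriting the JSON or the status code on the client does not change what the server later trusts.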
CSRF on 2FA Disable Feature
1. Go to the 2FA page, click Disable, and then capture this request with Burp Suite and generate a CSRF PoC.
2. Send this PoC to the victim user and see whether the CSRF succeeds and 2FA is removed from the victim’s account.
3. Before disabling 2FA, see if any authentication confirmation is required, such as a password or 2FA code.
Backup Code Abuse
To bypass backup codes and disable/reset 2FA, apply the same techniques used against 2FA codes, such as response/status code manipulation, brute force, and so on.
Enabling 2FA Doesn’t Make Previous Sessions Expire
1. Open the application in two browsers and enable 2FA from the first session.
2. Use the second session; if it has not expired, there is an insufficient session expiration issue. In this scenario, if an attacker hijacked an active session before 2FA was enabled, all functions remain available without the need for 2FA.
2FA Referer Check Bypass
1. Navigate directly to the page that appears after 2FA or any other authenticated page of the application.
2. If the first attempt fails, change the Referer header to the 2FA page URL. This may fool the application into thinking the request was made after the 2FA condition was satisfied.
Thank you for reading. Subscribe to see a live PoC of the bypassing techniques.