All about Multi-factor Authentication security Bypass
2021-05-28 00:34:37 Author: infosecwriteups.com

Xcheater

Hello Hackers,

Hope you guys are doing well and hunting lots of bugs and dollars!

Well, today we are going to talk about a very hot topic: Multi-factor Authentication. Before jumping into it, let's understand some basic ideas about MFA.

What is Multi-factor Authentication?

This is also known as two-factor authentication (2FA), an additional way to verify your identity. In single-factor authentication you only verify yourself with a username and password to be authenticated. To add one more layer of security, 2FA verifies the user twice, so that if an attacker somehow gets hold of the username and password, they still need one more way to prove their identity. This strengthens the security of the user's account.

But that doesn't mean a web application is completely secure just because it uses 2FA; there are methods to bypass it. So let's start and learn how to look for bugs in this function.

Response Manipulation

In the response, if "success":false appears, change it to "success":true.

How to Hunt:-

  • Enter the correct OTP
  • Intercept and capture the response
  • Then log out
  • Enter an incorrect OTP
  • Intercept the response and replace it with the captured correct-OTP response
  • Then try to log in

Status code manipulation

If the status code is 4xx, try to change it to 200 OK and see if it bypasses the restriction.

How to Hunt:-

  • Enter the correct OTP
  • Intercept and capture the response; look carefully at the status code
  • Then log out
  • Enter an incorrect OTP
  • Intercept the response and change its status code to the one from the correct-OTP response
  • Then log in

2FA code leakage in response

Sometimes the web application leaks the 2FA code somewhere in the response body when the 2FA request is initiated. It is always a good idea to read the response body and check for any leakage that could lead to bypassing the MFA.

How to Hunt:-

  • Request for 2FA code and intercept the request
  • Analyze the response and see if the 2FA code is leaked or not

2FA code Re-usability

When the application doesn't invalidate a previously used OTP and the expiration window is considerable, say 1 day, an attacker can abuse it to brute-force or guess a valid (even complex) OTP and bypass the restriction.

How to Hunt:-

  • Request a 2FA code and use it
  • Now try to re-use the same 2FA code; if it is accepted, you can consider it a bug
  • If that does not work, wait a long while and try to reuse it again

Lack of Brute-force protection

A brute force attack uses trial-and-error to guess login info, encryption keys, or find a hidden web page. Hackers work through all possible combinations hoping to guess correctly.

Due to lack of brute force protection or rate-limiting, an attacker can perform brute force to guess the actual 2FA code.

How to Hunt:-

  • Capture the request at the 2FA verification page
  • Brute-force the 2FA code
  • Analyze the response
  • You can also try the same while requesting a 2FA code

Direct request/Forceful browsing

This is a broken access control flaw: the web application fails to check authorization, which lets an attacker reach resources they should not be able to access simply by requesting the exact path of the resource.

How to Hunt:-

  • Request the page that is reached after 2FA, or any other post-authentication page of the application, directly
  • See whether this works
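The three findings above (response manipulation, status code manipulation and forceful browsing) share one root cause: the application decides on the client whether the second factor passed. The following added example is not from the original post; it models a login flow in plain Python with constructed in-memory stores, a made-up sample user and a hypothetical client-side gate, and shows why editing an intercepted response or requesting the post-2FA page directly gets nowhere when the gate lives on the server.

```python
import secrets

# Constructed in-memory stores standing in for a real session backend and user
# database (assumption); the sample password and OTP are made up for the demo.
SESSIONS = {}
USERS = {"alice": {"password": "correct horse", "otp": "492117"}}

def login(username, password):
    """Step 1: password check. The session it creates is NOT yet MFA-verified."""
    user = USERS.get(username)
    if user is None or not secrets.compare_digest(user["password"].encode(), password.encode()):
        return 401, {"success": False}, None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "mfa_verified": False}
    return 200, {"success": True, "next": "/verify-2fa"}, sid

def verify_2fa(sid, code):
    """Step 2: only the server flips mfa_verified, and only on a genuine match."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, {"success": False}
    if secrets.compare_digest(USERS[sess["user"]]["otp"].encode(), code.encode()):
        sess["mfa_verified"] = True
        return 200, {"success": True}
    return 403, {"success": False}

def dashboard(sid):
    """Protected page: gated on server-side state, not on what the client was told."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    if not sess["mfa_verified"]:
        return 403          # a direct request to the post-2FA page is refused
    return 200

def vulnerable_client_gate(response_body):
    """Anti-pattern: client-side routing that trusts the JSON flag it received.
    Editing "success" (or the status code) in an intercepted response flips this,
    but it changes nothing on the server."""
    return response_body.get("success") is True

def tampering_outcome():
    """Constructed walk-through: wrong code, then an edited response."""
    _, _, sid = login("alice", "correct horse")
    _status, body = verify_2fa(sid, "000000")    # 403, {"success": False}
    body = {"success": True}                     # the intercepted response is edited
    return vulnerable_client_gate(body), dashboard(sid)   # (True, 403)
```

When a bug bounty target is vulnerable to these techniques, it is because its equivalent of dashboard() consults something the client controls instead of its own session record.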

Backup code Abuse / Time-based One-Time Password

Backup codes are a number of one-time codes you can generate for your account when you have 2FA enabled. You need the backup codes when you want to log in to your account and cannot access the primary one-time code generator.

How to Hunt:-

  • Apply all the techniques which we have used to bypass 2FA.

CSRF & clickjacking on 2FA disable Feature

You can try to perform CSRF or clickjacking to disable 2FA; if this works, you can consider it a vulnerability.

How to hunt:-

  • Sign up for two accounts: the first is the attacker's account and the second is the victim's
  • Log in to the attacker's account, capture the Disable 2FA request in Burp Suite and generate a CSRF PoC.
  • Save the CSRF PoC file with the extension .html.
  • Now log in to the victim's account in a private browser window and open that CSRF file. You will see that it disables 2FA, which leads to a 2FA bypass.

JS files analysis

Sometimes the application uses dynamic JavaScript files to store a copy of the OTP, which is matched against the OTP received by the user to perform the check on the client side and validate the user.

While triggering the 2FA code request, analyze all the JS files included in the response to see whether any of them contains information that could help bypass the 2FA code.

Password & email change disable 2FA

How to Hunt:-

  • If the web application allows you to change your email or password in any way, do it
  • Then check whether 2FA is disabled after this or remains the same
  • Sometimes 2FA is disabled after the password or email is changed; if that happens, you can consider it a vulnerability

2FA bypass by sending blank code

This is a failure in the null check of the entered code. In simple terms, the 2FA step during login can be bypassed by sending a blank code. This could be caused by an incorrect comparison of the entered code with the true code. A pre-validation (for example a null check) before comparing the codes would fix the issue.

How to Hunt:-

  • Capture the request where OTP is asked
  • Remove the 2FA code or give a null value and forward the request
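The blank-code bypass, the reusable-code bug and the missing brute-force protection are all defects of the same verification routine. The added example below is not from the original post: it puts the careless equality check beside a hardened verifier that pre-validates the input, compares in constant time, burns the code after one use, expires it, and locks it after a fixed number of wrong guesses. PendingOtp, MAX_FAILURES and TTL_SECONDS are constructed for the demo; the limits are assumptions.

```python
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5     # assumption: lock the code after five wrong guesses
TTL_SECONDS = 300    # assumption: a code is valid for five minutes

@dataclass
class PendingOtp:
    """Server-side record of the code that was issued to the user (constructed model)."""
    code: str
    issued_at: float
    used: bool = False
    failures: int = 0

def vulnerable_verify(stored, submitted):
    """Anti-pattern: a bare equality test. When nothing was issued (stored is None or "")
    a blank or missing form field compares equal, and a correct code matches forever."""
    return stored == submitted

def hardened_verify(pending, submitted, now=None):
    """Pre-validate, compare in constant time, then burn the code. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    if pending is None:
        return False, "no-pending-code"       # nothing issued: never accept anything
    if not isinstance(submitted, str) or not submitted.strip():
        return False, "blank-code"            # closes the blank/null code bypass
    if pending.used:
        return False, "already-used"          # one-time means one time
    if now - pending.issued_at > TTL_SECONDS:
        return False, "expired"               # a short window limits guessing time
    if pending.failures >= MAX_FAILURES:
        return False, "locked"                # brute force: this code is dead, issue a new one
    if not hmac.compare_digest(pending.code.encode(), submitted.encode()):
        pending.failures += 1
        return False, "mismatch"
    pending.used = True                       # invalidate on success
    return True, "ok"
```

A real deployment would also rate-limit per account and per source address at the request layer; the counter here only shows the per-code lockout.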

Enabling 2FA Doesn’t expire the Previous session

How to Hunt:-

  • Log in to the application in two different browsers and enable 2FA from the 1st session
  • Use the 2nd session; if it has not expired, this can be considered a vulnerability
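The 2FA settings endpoint is the target of both the CSRF/clickjacking finding above and this stale-session finding, so one added example covers both. It is not from the original post: a plain-Python handler with constructed in-memory stores and a made-up sample account that requires a per-session CSRF token and re-authentication before touching 2FA, sends anti-framing headers for the settings page, and invalidates the user's other sessions when 2FA is enabled.

```python
import secrets

# Constructed in-memory stores (assumption); the sample password is made up.
SESSIONS = {}
ACCOUNTS = {"alice": {"password": "correct horse", "twofa_enabled": True}}

def new_session(user):
    """Every session gets its own CSRF token; a cross-site form cannot know it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def settings_page_headers():
    """Clickjacking defence for the 2FA settings page: refuse to be framed at all."""
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}

def change_2fa(sid, form):
    """Enable or disable 2FA. `form` is the submitted POST body as a dict.
    Returns (status, message)."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "no session"
    # 1. CSRF: the token must match the one bound to this session.
    if not secrets.compare_digest(form.get("csrf", "").encode(), sess["csrf"].encode()):
        return 403, "bad csrf token"
    # 2. Re-authentication: a ridden session (CSRF, clickjacking, stolen cookie)
    #    is not enough; the change needs the password again.
    user = sess["user"]
    expected = ACCOUNTS[user]["password"].encode()
    if not secrets.compare_digest(form.get("password", "").encode(), expected):
        return 403, "reauthentication failed"
    enable = form.get("enable") == "1"
    ACCOUNTS[user]["twofa_enabled"] = enable
    # 3. Enabling 2FA ends every other session of this user, so a session that
    #    never passed the second factor does not outlive the stronger policy.
    if enable:
        for other in [s for s, v in SESSIONS.items() if v["user"] == user and s != sid]:
            del SESSIONS[other]
    return 200, "ok"
```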

Check these reports:-

That’s all about 2FA bypass, I have mentioned here some of my findings and all known open-source techniques.

Hope this is useful for you guys.

Happy Hacking!


Article source: https://infosecwriteups.com/all-about-multi-factor-authentication-security-bypass-f1a95f9b6362?source=rss----7b722bfd1b8d--bug_bounty