Multi-Factor Authentication Bypass
At times, the implementation of two-factor authentication is flawed to the point where it can be bypassed entirely.
If the user is first prompted to enter a password, and then prompted to enter a verification code on a separate page, the user is effectively in a “logged in” state before they have entered the verification code. In this case, it is worth testing to see if you can directly skip to “logged-in only” pages after completing the first authentication step. Occasionally, you will find that a website doesn’t actually check whether or not you completed the second step before loading the page.
Exploitation
This lab's two-factor authentication can be bypassed. We have already obtained a valid username and password, carlos:montoya, but we do not have access to the user's 2FA verification code. We are going to bypass the 2FA to access Carlos's account page.
Let's log in with his credentials, carlos:montoya.
As you can see, we have been prompted to enter a 4-digit code for 2FA. We will refresh the page and then intercept the request in Burp Suite.
We will change the URL to the URL of the user's profile page, my-account, to see if we can bypass it.
Nice! We have logged in as carlos. The server never checked that the second step was completed before serving the profile page.
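The flaw described above (and exploited in the lab) comes down to how the session is marked after the password step. The following added example, which is not code from the lab or the original write-up, models both behaviours without a web framework: the vulnerable app sets the session to "authenticated" as soon as the password is accepted, so requesting my-account straight away succeeds; the fixed app keeps the session in an "awaiting_mfa" stage until the verification code is checked. The user record, the 4-digit code 1234 and the class names are constructed for illustration.

```python
# Added example: vulnerable vs. fixed session handling for a two-step login.
import secrets

# Constructed test data; the 2FA code is a fixed stand-in for a generated one.
USERS = {"carlos": {"password": "montoya", "mfa_code": "1234"}}


class VulnerableApp:
    """Step 2 is shown on a separate page, but nothing in the session records it."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password):
        if USERS.get(user, {}).get("password") != password:
            return None
        sid = secrets.token_hex(8)
        # Bug: the session is fully trusted before the code is ever verified.
        self.sessions[sid] = {"user": user, "authenticated": True}
        return sid

    def my_account(self, sid):
        s = self.sessions.get(sid)
        return s["user"] if s and s.get("authenticated") else None


class FixedApp:
    """A correct password only yields a pending session; MFA promotes it."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password):
        if USERS.get(user, {}).get("password") != password:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "stage": "awaiting_mfa"}
        return sid

    def verify_code(self, sid, code):
        s = self.sessions.get(sid)
        if not s or s["stage"] != "awaiting_mfa":
            return False
        if not secrets.compare_digest(code, USERS[s["user"]]["mfa_code"]):
            return False  # in production also rate-limit these attempts
        s["stage"] = "authenticated"
        return True

    def my_account(self, sid):
        s = self.sessions.get(sid)
        # Every protected page checks the stage, not just "was a password accepted".
        return s["user"] if s and s["stage"] == "authenticated" else None
```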