2FA Bypass, Bug Bounty Easy Wins!! Ultimate Guide
2024-1-17 22:50:10 Author: infosecwriteups.com

ʏᴀꜱʜʜ

InfoSec Write-ups

It’s Yash Gurav from Pune, India! Today in this blog I am going to include all the possible ways, tools and techniques to bypass Multi-Factor Authentication & 2-Factor Authentication. So enjoy, guys :D

Question: What is 2FA & MFA?

2FA (Two-Factor Authentication) and MFA (Multi-Factor Authentication) are security measures used to protect online accounts. They require users to provide more than one form of identification before granting access.

In Simple Terms

  • 2FA typically involves two methods, often something you know (like a password) and something you have (like a code sent to your phone).
  • MFA goes beyond two factors and adds additional layers of authentication, such as something you are (biometrics like fingerprints) or something you possess (a smart card).

Bypass Technique

  • Response Manipulation: If the response contains “success”:false,
    change it to “success”:true.
  • Status Code Manipulation: If the status code is 4xx,
    try changing it to 200 OK and see if it bypasses the restrictions.
  • 2FA Code Leakage in Response: Check the response of the 2FA code triggering request to see if the code is leaked.
  • JS File Analysis: Rare, but some JS files may contain info about the 2FA code; worth giving it a shot.
  • 2FA Code Reusability: The same code can be reused.
  • Lack of Brute-Force Protection: Possible to brute-force a 2FA code of any length.
  • Missing 2FA Code Integrity Validation: A code for any user account can be used to bypass the 2FA.
  • CSRF on 2FA Disabling: No CSRF protection on disabling 2FA, and no auth confirmation either.
  • Password Reset Disables 2FA: 2FA gets disabled on password change/email change.
  • Backup Code Abuse: Bypassing 2FA by abusing the backup code feature.
    Use the above-mentioned techniques against the backup code feature to remove/reset the 2FA restrictions.
  • Clickjacking on 2FA Disabling Page: Iframing the 2FA disabling page and social engineering the victim into disabling 2FA.
  • Bypass 2FA using Null or 0000: Enter the code 000000 or null to bypass 2FA protection.
  • Forceful Browsing: Let's suppose we enable 2FA on x.com. After entering the username:password we get the 2FA prompt, then we enter a valid OTP or code and get into the website, and the location is x.com/home. So now we know that after the 2FA code is entered the application sends us to the /home path. Now we can do this: 1. Enter the username:password, and the application shows us x.com/2fa. Change /2fa to /home and refresh. If the application does not ask for the 2FA code, that means we have successfully bypassed 2FA!! BINGO
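
From the defender's side, several of the items above (null or empty codes, code reuse, missing brute-force protection, codes not bound to the account, and forceful browsing past /2fa) come down to checks the server skips. The following is an added example, not code from the original post, of a verifier that enforces them; the class and function names, the 5-attempt limit and the 300-second lifetime are assumptions.

```python
import hmac, secrets, time

MAX_ATTEMPTS = 5   # assumed lockout threshold
CODE_TTL = 300     # assumed code lifetime, in seconds

class OtpStore:
    """In-memory pending-code store (hypothetical; a real service needs a shared store)."""
    def __init__(self):
        self._pending = {}  # user -> [code, expires_at, failed_attempts]

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [code, now + CODE_TTL, 0]
        return code  # delivered out of band, never echoed in the HTTP response

    def verify(self, session, submitted, now=None):
        now = time.time() if now is None else now
        user = session.get("user")        # identity from the server-side session,
        entry = self._pending.get(user)   # so a code only works for its own account
        if entry is None:
            return False                  # nothing issued, or already consumed
        code, expires, attempts = entry
        if attempts >= MAX_ATTEMPTS or now > expires:
            del self._pending[user]       # lockout or expiry: a fresh code is required
            return False
        # Reject null, empty and malformed input before the constant-time compare.
        ok = (isinstance(submitted, str) and len(submitted) == 6
              and submitted.isdigit()
              and hmac.compare_digest(submitted.encode(), code.encode()))
        if not ok:
            entry[2] += 1                 # count the failure toward the lockout
            return False
        del self._pending[user]           # single use: a replay finds no entry
        session["mfa_ok"] = True          # state lives on the server, not in the response
        return True

def can_access_protected(session):
    """Guard for /home and every other post-login route, not just /2fa."""
    return bool(session.get("user")) and session.get("mfa_ok") is True
```

Because the decision is stored in the server-side session and checked on every protected route, editing the response body or status code on the client changes nothing the server relies on.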

Thanks for reading this blog

You can follow me on X & LinkedIn:

www.linkedin.com/in/yashh-g

Thanks for reading this blog. See you soon ;D


Article source: https://infosecwriteups.com/2fa-mfa-bypass-bug-bounty-easy-wins-ultimate-guide-3722de0ad26c?source=rss----7b722bfd1b8d---4