2FA Bypass via Reset Password

Mostafa Elguerdawi
2 min readSep 12, 2023

--

Hello I’m Mostafa Elguerdawi in this write-up I’ll explain how could I bypass 2fa.

Let’s call on my target target.com

First, I created an account and logged in in a normal way.

After some testing in some authenticated endpoints I decided to test on 2fa function.

I enabled 2fa and started the test.

2fa is enabled through an external application such as Google authenticator, so I couldn’t try brute force on the code.

But I still have some options like:

  • Response Manipulation(manipulate the response to change status from failed to success).
  • CSRF on 2fa disable(try to generate CSRF POC that disable the 2fa).
  • And a lot of techniques you can discover it from here

fortunately one technique worked with me.

Steps to perform:

  • I went to the password reset page and entered my email
  • I got a token in my Gmail for reset password link
  • I have run my Burp Suite and make Intercept on.
  • Create new password and confirm it then clicked in Reset Password button.
  • I intercepted the request and started to analyzing each request.
  • After sometime I found that after create a new password, The application authenticated me, But redirect me to /logout page to force me login again and ask for 2fa code.
  • So what I did is next
  • Intercepted all requests from target.com, then I found the request that responsible for redirect me to /logout page, I dropped it using Burp Suite
  • Returning to the browser, I found that it had redirected me to my profile page without asking for 2fa code.

I done this with my friend Abdelrhman Allam (sl4x0)

--

--