Hello I’m Mostafa Elguerdawi in this write-up I’ll explain how could I bypass 2fa.
Let’s call on my target target.com
First, I created an account and logged in in a normal way.
After some testing in some authenticated endpoints I decided to test on 2fa function.
I enabled 2fa and started the test.
2fa is enabled through an external application such as Google authenticator, so I couldn’t try brute force on the code.
But I still have some options like:
- Response Manipulation(manipulate the response to change status from failed to success).
- CSRF on 2fa disable(try to generate CSRF POC that disable the 2fa).
- And a lot of techniques you can discover it from here
fortunately one technique worked with me.
Steps to perform:
- I went to the password reset page and entered my email
- I got a token in my Gmail for reset password link
- I have run my Burp Suite and make Intercept on.
- Create new password and confirm it then clicked in Reset Password button.
- I intercepted the request and started to analyzing each request.
- After sometime I found that after create a new password, The application authenticated me, But redirect me to /logout page to force me login again and ask for 2fa code.
- So what I did is next
- Intercepted all requests from target.com, then I found the request that responsible for redirect me to /logout page, I dropped it using Burp Suite
- Returning to the browser, I found that it had redirected me to my profile page without asking for 2fa code.
I done this with my friend Abdelrhman Allam (sl4x0)