2FA Bypass via Reset Password

Hello I’m Mostafa Elguerdawi in this write-up I’ll explain how could I bypass 2fa.

Let’s call on my target target.com

First, I created an account and logged in in a normal way.

After some testing in some authenticated endpoints I decided to test on 2fa function.

I enabled 2fa and started the test.

2fa is enabled through an external application such as Google authenticator, so I couldn’t try brute force on the code.

But I still have some options like:

• Response Manipulation(manipulate the response to change status from failed to success).
• CSRF on 2fa disable(try to generate CSRF POC that disable the 2fa).
• And a lot of techniques you can discover it from here

fortunately one technique worked with me.

Steps to perform:

• I went to the password reset page and entered my email

• I got a token in my Gmail for reset password link

• I have run my Burp Suite and make Intercept on.
• Create new password and confirm it then clicked in Reset Password button.
• I intercepted the request and started to analyzing each request.
• After sometime I found that after create a new password, The application authenticated me, But redirect me to /logout page to force me login again and ask for 2fa code.
• So what I did is next
• Intercepted all requests from target.com, then I found the request that responsible for redirect me to /logout page, I dropped it using Burp Suite

• Returning to the browser, I found that it had redirected me to my profile page without asking for 2fa code.

I done this with my friend Abdelrhman Allam (sl4x0)