Bypassing 2FA Misconfiguration

Transcript

1. 2FA MISCONFIGURATION Bypassing the Protections for fun and Profit By:

   Tushar Verma
2. None

3. 2FA is an extra layer of security used to make

   sure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and a password. Then, instead of immediately gaining access, they will be required to provide another piece of information. Two-Factor Authentication Workflow o Application authentication o Standard Login o OTP generation o OTP delivery
4. None
5. None

6. 1-Register & Login to your account 2-Put any random incorrect

   OTP code 3-Intercept the response with Burp-Suite and do response to this request 4-Copy old response which is valid generated by attacker account and paste it

7. 1-Register & Login to your account 2-Put any random incorrect

   OTP code 3-Intercept the response with Burp-Suite and do response to this request 4-If Status Code is 4xx,try to change it to 200 OK

8. 1- Request an OTP and use it 2-Now try to

   use the same OTP and if the OTP is accepted ,there is an issue Reference: https://hackerone.com/reports/67660 Case 4 – Use null or 000000 1- Request an OTP 2-Enter the code 000000 or leave it blank Reference: https://hackerone.com/reports/897385

9. 1- Intercept the request 2-Brute force the 2FA code with

   the help of intruder 3-Analyze the response Reference : https://hackerone.com/reports/128777

10. Attack Scenario: Using the company's OpenID system for authentication 1-Intercept

    the login request and observe the openID flows 2-Try to play with acr_values to bypass 2FA.In this case,change otp+password to sms+password Reference: https://youst.in/posts/bypassing-2fa-using-openid-misconfiguration/

11. 1-Login same account on two browser 2-On Browser A, activate

    the 2FA 3-On Browser B, try to reload the webpage 4-The session will be active Case 8 - CSRF on 2FA Disabling 1- Sign up for two accounts. In which first are the attacker’s account and the second is victim’s 2-Log in to attacker’s account and capture the Disable 2FA request in Burp suite and generate CSRF POC 3-Save the CSRF POC file with extension .html 4-Now log in to Victim’s account in the Private Browser and fire that CSRF file. Now you can see that It disables 2FA which leads to 2FA Bypass
12. None

13. 13