Bypassing 2FA Misconfiguration

Tushar Verma

June 27, 2021
Transcript

  1. 2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and a password. Then, instead of immediately gaining access, they will be required to provide another piece of information.

     Two-Factor Authentication Workflow
     o Application authentication
     o Standard Login
     o OTP generation
     o OTP delivery
  2. 1- Register and log in to your account
     2- Put in any random incorrect OTP code
     3- Intercept the response with Burp Suite ("Do intercept > Response to this request")
     4- Copy the old, valid response that was generated for the attacker's account and paste it in
  3. 1- Register and log in to your account
     2- Put in any random incorrect OTP code
     3- Intercept the response with Burp Suite ("Do intercept > Response to this request")
     4- If the status code is 4xx, try to change it to 200 OK
  4. 1- Request an OTP and use it
     2- Now try to use the same OTP again; if the OTP is accepted, there is an issue
     Reference: https://hackerone.com/reports/67660

     Case 4 – Use null or 000000
     1- Request an OTP
     2- Enter the code 000000 or leave it blank
     Reference: https://hackerone.com/reports/897385
  5. 1- Intercept the request
     2- Brute-force the 2FA code with the help of Intruder
     3- Analyze the responses
     Reference: https://hackerone.com/reports/128777
  6. Attack Scenario: the company's OpenID system is used for authentication
     1- Intercept the login request and observe the OpenID flows
     2- Try to play with acr_values to bypass 2FA. In this case, change otp+password to sms+password
     Reference: https://youst.in/posts/bypassing-2fa-using-openid-misconfiguration/
  7. 1- Log in to the same account in two browsers
     2- In Browser A, activate 2FA
     3- In Browser B, try to reload the web page
     4- The session will still be active

     Case 8 – CSRF on 2FA Disabling
     1- Sign up for two accounts; the first is the attacker's account and the second is the victim's
     2- Log in to the attacker's account, capture the Disable 2FA request in Burp Suite and generate a CSRF PoC
     3- Save the CSRF PoC file with the .html extension
     4- Now log in to the victim's account in a private browser window and open that CSRF file. You can see that it disables 2FA, which leads to a 2FA bypass
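As an added, defensive example (my own code, not part of the deck; the class, method and constant names are assumptions), a minimal server-side OTP verifier showing the checks that close Cases 3, 4 and 5 above, and why the response tampering in Cases 1 and 2 does not help when the "second factor confirmed" state lives only on the server:

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # an issued code dies after five minutes
MAX_ATTEMPTS = 5        # failed guesses allowed before the code is discarded


class OtpVerifier:
    """Holds all OTP state server-side; the client never asserts success itself."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}      # user -> {"code", "expires", "attempts"}
        self.verified = set()   # users whose second factor has been confirmed

    def issue(self, user):
        # Fresh random 6-digit code; any earlier pending code for the user is replaced.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = {"code": code,
                               "expires": self._clock() + OTP_TTL_SECONDS,
                               "attempts": 0}
        return code   # goes to the delivery channel (SMS/app), never into an HTTP response

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False   # nothing pending: a code already used is gone (Case 3)
        # Blank or malformed input is rejected before any comparison (Case 4);
        # "000000" is only ever accepted if it is the code that was actually issued.
        if not (isinstance(submitted, str) and len(submitted) == 6 and submitted.isdigit()):
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]   # lockout: stops Intruder-style guessing (Case 5)
            return False
        if not hmac.compare_digest(entry["code"], submitted):
            return False   # wrong guess; the counter above bounds how many are allowed
        del self._pending[user]       # single use: the same code can never be accepted twice
        self.verified.add(user)       # the only place the server ever records success
        return True

    def is_fully_authenticated(self, user):
        # Cases 1 and 2: a forged 200 OK or a replayed "success" body changes nothing here,
        # because authorisation is decided from this server-side set, not from the response.
        return user in self.verified
```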