hacktricks/pentesting-web/2fa-bypass.md

# 2FA/OTP Bypass

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

## **Enhanced Two-Factor Authentication Bypass Techniques**

### **Direct Endpoint Access**

To bypass 2FA, access the subsequent endpoint directly, knowing the path is crucial. If unsuccessful, alter the **Referrer header** to mimic navigation from the 2FA verification page.

### **Token Reuse**

Reutilizing previously used tokens for authentication within an account can be effective.

### **Utilization of Unused Tokens**

Extracting a token from one's own account to bypass 2FA in another account can be attempted.

### **Exposure of Token**

Investigate whether the token is disclosed in a response from the web application.

### **Verification Link Exploitation**

Using the **email verification link sent upon account creation** can allow profile access without 2FA, as highlighted in a detailed [post](https://srahulceh.medium.com/behind-the-scenes-of-a-security-bug-the-perils-of-2fa-cookie-generation-496d9519771b).

### **Session Manipulation**

Initiating sessions for both the user's and a victim's account, and completing 2FA for the user's account without proceeding, allows an attempt to access the next step in the victim's account flow, exploiting backend session management limitations.

### **Password Reset Mechanism**

Investigating the password reset function, which logs a user into the application post-reset, for its potential to allow multiple resets using the same link is crucial. Logging in with the newly reset credentials might bypass 2FA.

### **OAuth Platform Compromise**

Compromising a user's account on a trusted **OAuth** platform (e.g., Google, Facebook) can offer a route to bypass 2FA.

### **Brute Force Attacks**

#### **Rate Limit Absence**

The lack of a limit on the number of code attempts allows for brute force attacks, though potential silent rate limiting should be considered.

#### **Slow Brute Force**

A slow brute force attack is viable where flow rate limits exist without an overarching rate limit.

#### **Code Resend Limit Reset**

Resending the code resets the rate limit, facilitating continued brute force attempts.

#### **Client-Side Rate Limit Circumvention**

A document details techniques for bypassing client-side rate limiting.

#### **Internal Actions Lack Rate Limit**

Rate limits may protect login attempts but not internal account actions.

#### **SMS Code Resend Costs**

Excessive resending of codes via SMS incurs costs to the company, though it does not bypass 2FA.

#### **Infinite OTP Regeneration**

Endless OTP generation with simple codes allows brute force by retrying a small set of codes.

### **Race Condition Exploitation**

Exploiting race conditions for 2FA bypass can be found in a specific document.

### **CSRF/Clickjacking Vulnerabilities**

Exploring CSRF or Clickjacking vulnerabilities to disable 2FA is a viable strategy.

### **"Remember Me" Feature Exploits**

#### **Predictable Cookie Values**

Guessing the "remember me" cookie value can bypass restrictions.

#### **IP Address Impersonation**

Impersonating the victim's IP address through the **X-Forwarded-For** header can bypass restrictions.

### **Utilizing Older Versions**

#### **Subdomains**

Testing subdomains may use outdated versions lacking 2FA support or contain vulnerable 2FA implementations.

#### **API Endpoints**

Older API versions, indicated by /v\*/ directory paths, may be vulnerable to 2FA bypass methods.

### **Handling of Previous Sessions**

Terminating existing sessions upon 2FA activation secures accounts against unauthorized access from compromised sessions.

### **Access Control Flaws with Backup Codes**

Immediate generation and potential unauthorized retrieval of backup codes upon 2FA activation, especially with CORS misconfigurations/XSS vulnerabilities, poses a risk.

### **Information Disclosure on 2FA Page**

Sensitive information disclosure (e.g., phone number) on the 2FA verification page is a concern.

### **Password Reset Disabling 2FA**

A process demonstrating a potential bypass method involves account creation, 2FA activation, password reset, and subsequent login without the 2FA requirement.

### **Decoy Requests**

Utilizing decoy requests to obfuscate brute force attempts or mislead rate limiting mechanisms adds another layer to bypass strategies. Crafting such requests requires a nuanced understanding of the application's security measures and rate limiting behaviors.

## References
* [https://medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35]("https://medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35")
* [https://azwi.medium.com/2-factor-authentication-bypass-3b2bbd907718](https://azwi.medium.com/2-factor-authentication-bypass-3b2bbd907718)

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>