hacktricks/pentesting-web/2fa-bypass.md

# 2FA/OTP Bypass

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

### [WhiteIntel](https://whiteintel.io)

<figure><img src="../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>

[**WhiteIntel**](https://whiteintel.io) is a **dark-web** fueled search engine that offers **free** functionalities to check if a company or its customers have been **compromised** by **stealer malwares**.

Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.

You can check their website and try their engine for **free** at:

{% embed url="https://whiteintel.io" %}

***

## **Enhanced Two-Factor Authentication Bypass Techniques**

### **Direct Endpoint Access**

To bypass 2FA, access the subsequent endpoint directly, knowing the path is crucial. If unsuccessful, alter the **Referrer header** to mimic navigation from the 2FA verification page.

### **Token Reuse**

Reutilizing previously used tokens for authentication within an account can be effective.

### **Utilization of Unused Tokens**

Extracting a token from one's own account to bypass 2FA in another account can be attempted.

### **Exposure of Token**

Investigate whether the token is disclosed in a response from the web application.

### **Verification Link Exploitation**

Using the **email verification link sent upon account creation** can allow profile access without 2FA, as highlighted in a detailed [post](https://srahulceh.medium.com/behind-the-scenes-of-a-security-bug-the-perils-of-2fa-cookie-generation-496d9519771b).

### **Session Manipulation**

Initiating sessions for both the user's and a victim's account, and completing 2FA for the user's account without proceeding, allows an attempt to access the next step in the victim's account flow, exploiting backend session management limitations.

### **Password Reset Mechanism**

Investigating the password reset function, which logs a user into the application post-reset, for its potential to allow multiple resets using the same link is crucial. Logging in with the newly reset credentials might bypass 2FA.

### **OAuth Platform Compromise**

Compromising a user's account on a trusted **OAuth** platform (e.g., Google, Facebook) can offer a route to bypass 2FA.

### **Brute Force Attacks**

#### **Rate Limit Absence**

The lack of a limit on the number of code attempts allows for brute force attacks, though potential silent rate limiting should be considered.

#### **Slow Brute Force**

A slow brute force attack is viable where flow rate limits exist without an overarching rate limit.

#### **Code Resend Limit Reset**

Resending the code resets the rate limit, facilitating continued brute force attempts.

#### **Client-Side Rate Limit Circumvention**

A document details techniques for bypassing client-side rate limiting.

#### **Internal Actions Lack Rate Limit**

Rate limits may protect login attempts but not internal account actions.

#### **SMS Code Resend Costs**

Excessive resending of codes via SMS incurs costs to the company, though it does not bypass 2FA.

#### **Infinite OTP Regeneration**

Endless OTP generation with simple codes allows brute force by retrying a small set of codes.

### **Race Condition Exploitation**

Exploiting race conditions for 2FA bypass can be found in a specific document.

### **CSRF/Clickjacking Vulnerabilities**

Exploring CSRF or Clickjacking vulnerabilities to disable 2FA is a viable strategy.

### **"Remember Me" Feature Exploits**

#### **Predictable Cookie Values**

Guessing the "remember me" cookie value can bypass restrictions.

#### **IP Address Impersonation**

Impersonating the victim's IP address through the **X-Forwarded-For** header can bypass restrictions.

### **Utilizing Older Versions**

#### **Subdomains**

Testing subdomains may use outdated versions lacking 2FA support or contain vulnerable 2FA implementations.

#### **API Endpoints**

Older API versions, indicated by /v\*/ directory paths, may be vulnerable to 2FA bypass methods.

### **Handling of Previous Sessions**

Terminating existing sessions upon 2FA activation secures accounts against unauthorized access from compromised sessions.

### **Access Control Flaws with Backup Codes**

Immediate generation and potential unauthorized retrieval of backup codes upon 2FA activation, especially with CORS misconfigurations/XSS vulnerabilities, poses a risk.

### **Information Disclosure on 2FA Page**

Sensitive information disclosure (e.g., phone number) on the 2FA verification page is a concern.

### **Password Reset Disabling 2FA**

A process demonstrating a potential bypass method involves account creation, 2FA activation, password reset, and subsequent login without the 2FA requirement.

### **Decoy Requests**

Utilizing decoy requests to obfuscate brute force attempts or mislead rate limiting mechanisms adds another layer to bypass strategies. Crafting such requests requires a nuanced understanding of the application's security measures and rate limiting behaviors.

## References

* [https://medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35](https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/%22https:/medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35%22/README.md)
* [https://azwi.medium.com/2-factor-authentication-bypass-3b2bbd907718](https://azwi.medium.com/2-factor-authentication-bypass-3b2bbd907718)

### [WhiteIntel](https://whiteintel.io)

<figure><img src="../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>

[**WhiteIntel**](https://whiteintel.io) is a **dark-web** fueled search engine that offers **free** functionalities to check if a company or its customers have been **compromised** by **stealer malwares**.

Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.

You can check their website and try their engine for **free** at:

{% embed url="https://whiteintel.io" %}

P

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}