Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-15 01:17:36 +00:00
Code Issues Projects Releases Packages Wiki Activity

Update 2fa-bypass.md

Browse source
This commit is contained in:
Taleb Qasem 2022-10-07 06:20:43 +06:00 committed by GitHub
parent cbd40bbf74
commit 1fc2a1233e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
pentesting-web/2fa-bypass.md
View file

@ -21,15 +21,15 @@
## **Direct bypass**
Fuck the 2FA, just **try to access the next endpoint directly** (you need to know the path of the next endpoint). If this doesn't work, try to change the **Referrer header** as if you came from the 2FA page.
To bypass 2FA, just **try to access the next endpoint directly** (you need to know the path of the next endpoint). If this doesn't work, try to change the **Referrer header** as if you came from the 2FA page.
## **Reusing token**
Maybe you can reuse an already used token inside the account to authenticate.
Maybe you can reuse a previously used token inside the account to authenticate.
## Sharing unused tokens
Check if you can get for your account a token and try to use it to bypass the 2FA in a different account.
Check if you can get the token from your account and try to use it to bypass the 2FA in a different account.
## Leaked Token
@ -37,7 +37,7 @@ Is the token leaked on a response from the web application?
## Session permission
Using the same session start the flow using your account and the victims account. When reaching the 2FA point with both account, complete the 2FA with your account but do not access the next part. Instead of that, try to access to the next step with the victims account floe. If the back-end only set a boolean inside your sessions saying that you have successfully passed the 2FA you will be able to bypass the 2FA of the victim.
Using the same session start the flow using your account and the victim's account. When reaching the 2FA point on both accounts, complete the 2FA with your account but do not access the next part. Instead of that, try to access the next step with the victim's account flow. If the back-end only set a boolean inside your sessions saying that you have successfully passed the 2FA you will be able to bypass the 2FA of the victim.
## **Password reset function**
@ -52,13 +52,13 @@ If you can compromise the account of the user in a trusted **OAuth** platform (G
### Lack of Rate limit
There is any limit in the amount of codes that you can try, so you can just brute force it. Be careful with a possible "silent" rate-limit, always try several codes and then the real one to confirm the vulnerability.
Is there any limit on the number of codes that you can try, so you can just brute force it? Be careful with a possible "silent" rate limit, always try several codes and then the real one to confirm the vulnerability.
### Flow rate limit but no rate limit
In this case there is a flow rate limit (you have to brute force it very slowly: 1 thread and some sleep before 2 tries) but no rate limit. So with enough time you can be able to find the valid code.
In this case, there is a flow rate limit (you have to brute force it very slowly: 1 thread and some sleep before 2 tries) but no rate limit. So with enough time, you can be able to find the valid code.
### Re-send code reset the limit
### Re-send code and reset the limit
There is a rate limit but when you "resend the code" the same code is sent and the rate limit is reset. Then, you can brute force the code while you resend it so the rate limit is never reached.
@ -68,13 +68,13 @@ There is a rate limit but when you "resend the code" the same code is sent and t
[rate-limit-bypass.md](rate-limit-bypass.md)
{% endcontent-ref %}
### Lack of rate limit in user's account
### Lack of rate limit in the user's account
Sometimes you can configure the 2FA for some actions inside your account (change mail, password...). However, even in cases where there was a rate limit when you tried to log in, there isn't any rate limit protecting this actions.
Sometimes you can configure the 2FA for some actions inside your account (change mail, password...). However, even in cases where there is a rate limit when you tried to log in, there isn't any rate limit to protect actions inside the account.
### Lack of rate limit re-sending the code via SMS
You want be able to bypass the 2FA but you will be able to waste money of the company.
You won't be able to bypass the 2FA but you will be able to waste the company's money.
### Infinite OTP regeneration
@ -82,13 +82,13 @@ If you can **generate a new OTP infinite times**, the** OTP is simple enough** (
## CSRF/Clickjacking
Check if there is a CSRF or a Clickjacking vulnerability to disable the 2FA.
Check if there is a Cross Site Request Forgery (CSRF) or a Clickjacking vulnerability to disable the 2FA.
## Remember me functionality
### Guessable cookie
If the remember me functionality uses a new cookie with a guessable code, try to guess it.
If the "remember me" functionality uses a new cookie with a guessable code, try to guess it.
### IP address
@ -100,23 +100,23 @@ If the "remember me" functionality is attached to your IP address, you can try t
If you can find some "testing" subdomains with the login functionality, they could be using old versions that don't support 2FA (so it is directly bypassed) or those endpoints could support a vulnerable version of the 2FA.
### Apis
### APIs
If you find that the 2FA is using an API located under a /v\*/ directory (like "/v3/"), this probably means that there are older API endpoints that could be vulnerable to some kind of 2FA bypass.
## Previous sessions
When the 2FA is enabled, previous sessions created should be ended.This is because when a client has his account compromised he could want to protect it activating the 2FA, but if the previous sessions aren't ended, this won't protect him.
When the 2FA is enabled, previous sessions created should be ended. This is because when a client has his account compromised he could want to protect it by activating the 2FA, but if the previous sessions aren't ended, this won't protect him.
## Improper access control to backup codes
Backup codes are being generated immediately after 2FA is enabled and are available on a single request. After each subsequent call to the request, the codes can be regenerated or remain unchanged (static codes). If there are CORS misconfigurations/XSS vulnerabilities and other bugs that allow you to “pull” backup codes from the response request of the backup code endpoint, then the attacker could steal the codes and bypass 2FA if the username and password are known.
Backup codes are generated immediately after 2FA is enabled and are available on a single request. After each subsequent call to the request, the codes can be regenerated or remain unchanged (static codes). If there are CORS misconfigurations/XSS vulnerabilities and other bugs that allow you to “pull” backup codes from the response request of the backup code endpoint, then the attacker could steal the codes and bypass 2FA if the username and password are known.
## Information Disclosure
If in the 2FA page appears some confidential information that you didn't know previously (like the phone number) this can be considered an information disclosure vulnerability.
If you notice some confidential information appear on the 2FA page that you didn't know previously (like the phone number), then this can be considered an information disclosure vulnerability.
## **Password-Reset == disable 2fa**
## **Password-Reset == disable 2FA**
1. Create an Account and Turn On 2FA.
2. Logout from that account.