diff --git a/SUMMARY.md b/SUMMARY.md index 471421aae..16ed5de94 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -287,12 +287,11 @@ * [ADB Commands](mobile-pentesting/android-app-pentesting/adb-commands.md) * [APK decompilers](mobile-pentesting/android-app-pentesting/apk-decompilers.md) * [AVD - Android Virtual Device](mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md) - * [Burp Suite Configuration for Android](mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md) * [Bypass Biometric Authentication (Android)](mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md) * [content:// protocol](mobile-pentesting/android-app-pentesting/content-protocol.md) * [Drozer Tutorial](mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md) * [Exploiting Content Providers](mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md) - * [Exploiting a debuggeable applciation](mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md) + * [Exploiting a debuggeable application](mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md) * [Frida Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/README.md) * [Frida Tutorial 1](mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md) * [Frida Tutorial 2](mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md) 
@@ -300,6 +299,7 @@ * [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md) * [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md) * [Inspeckage Tutorial](mobile-pentesting/android-app-pentesting/inspeckage-tutorial.md) + * [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md) * [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md) * [Make APK Accept CA Certificate](mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md) * [Manual DeObfuscation](mobile-pentesting/android-app-pentesting/manual-deobfuscation.md) diff --git a/mobile-pentesting/android-app-pentesting/README.md b/mobile-pentesting/android-app-pentesting/README.md index c92e45dd0..8dcf81c42 100644 --- a/mobile-pentesting/android-app-pentesting/README.md +++ b/mobile-pentesting/android-app-pentesting/README.md 
@@ -454,7 +454,7 @@ It's recommended to **apply SSL Pinning** for the sites where sensitive informat ### Inspecting HTTP traffic First of all, you should (must) **install the certificate** of the **proxy** tool that you are going to use, probably Burp. If you don't install the CA certificate of the proxy tool, you probably aren't going to see the encrypted traffic in the proxy.\ -**Please,** [**read this guide to learn how to do install a custom CA certificate**](android-burp-suite-settings.md)**.** +**Please,** [**read this guide to learn how to do install a custom CA certificate**](avd-android-virtual-device.md#install-burp-certificate-on-a-virtual-machine)**.** For applications targeting **API Level 24+ it isn't enough to install the Burp CA** certificate in the device. To bypass this new protection you need to modify the Network Security Config file. So, you could modify this file to authorise your CA certificate or you can [**read this page for a tutorial on how to force the application to accept again all the installed certificate sin the device**](make-apk-accept-ca-certificate.md). diff --git a/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md b/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md deleted file mode 100644 index 9369937f1..000000000 --- a/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md +++ /dev/null @@ -1,109 +0,0 @@ -# Burp Suite Configuration for Android - -
- -โ˜๏ธ HackTricks Cloud โ˜๏ธ -๐Ÿฆ Twitter ๐Ÿฆ - ๐ŸŽ™๏ธ Twitch ๐ŸŽ™๏ธ - ๐ŸŽฅ Youtube ๐ŸŽฅ - -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**๐Ÿ’ฌ**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**๐Ÿฆ**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). - -
- -
- -\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - -**This tutorial was taken from:** [**https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533**](https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533) - -## Add a proxy in Burp Suite to listen. - -Address: **192.168.56.1** & Port: **1337** - -Choose _**All Interfaces**_ option. - -![](https://miro.medium.com/max/700/1\*0Bn7HvqI775Nr5fXGcqoJA.png) - -## **Adding listener in Android device.** - -Setting โ†’ Wifi โ†’WiredSSID (Long press) - -Choose Modify network โ†’ Check Advance options. - -Select Proxy to the manual - -![](https://miro.medium.com/max/700/1\*gkDuYqWMldFuYguQuID7sw.png) - -Testing connection over http and https using devices browser. - -1. http:// (working) tested โ€” [http://ehsahil.com](http://ehsahil.com) - -![](https://miro.medium.com/max/700/1\*LJ2uhK2JqKYY\_wYkH3jwbw.png) - -2\. https:// certificate error โ€” https://google.com - -![](https://miro.medium.com/max/700/1\*M-AoG6Yqo21D9qgQHLCSzQ.png) - -## **Installing burp certificate in android device.** - -Download burp certificate. โ€” Use your desktop machine to download the certificate. - -[https://burp](http://burp) - -![](https://miro.medium.com/max/700/1\*f4LjnkNs7oA1f4XokEeiTw.png) - -Click on **CA certificate download the certificate.** - -The downloaded certificate is in cacert.der extension and Android 5.\* does not recognise it as certificate file. 
- -You can download the cacert file using your desktop machine and rename it from cacert.der to cacert.crt and drop it on Android device and certificate will be automatically added into **file:///sd\_card/downloads.** - -**Installing the downloaded certificate.** - -Settings โ†’Security โ†’Install certificate from SD cards - -Now, goto: sdcard โ†’Downloads โ†’ Select cacert.crt - -Now, Name it as anything โ€œportswiggerโ€ - -![](https://miro.medium.com/max/700/1\*lDtlQ1FfcHEytrSZNvs2Mw.png) - -You also need to setup the PIN before adding certificate. Verifying the installed certificate using trusted certificates. - -Trusted certificates โ†’Users - -![](https://miro.medium.com/max/700/1\*dvEffIIS0-dPE6q3ycFx3Q.png) - -After installing Certificate SSL endpoints also working fine tested using โ†’ [https://google.com](https://google.com) - -![](https://miro.medium.com/max/700/1\*lt0ZvZH60HI0ud1eE9jAnA.png) - -{% hint style="info" %} -After installing the certificate this way Firefox for Android won't use it (based on my tests), so use a different browser. -{% endhint %} - -
- -\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - -
- -โ˜๏ธ HackTricks Cloud โ˜๏ธ -๐Ÿฆ Twitter ๐Ÿฆ - ๐ŸŽ™๏ธ Twitch ๐ŸŽ™๏ธ - ๐ŸŽฅ Youtube ๐ŸŽฅ - -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**๐Ÿ’ฌ**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**๐Ÿฆ**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). - -
diff --git a/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md b/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md index 54d611e77..a8755fc33 100644 --- a/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md +++ b/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md 
@@ -230,59 +230,13 @@ adbd cannot run as root in production builds Using [rootAVD](https://github.com/newbit1/rootAVD) with [Magisk](https://github.com/topjohnwu/Magisk) I was able to root it (follow for example [**this video**](https://www.youtube.com/watch?v=Wk0ixxmkzAI) **or** [**this one**](https://www.youtube.com/watch?v=qQicUW0svB8)). -## Install Burp certificate on a Virtual Machine +## Install Burp Certificate -First of all you need to download the Der certificate from Burp. You can do this in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_ +Check the following page to learn how to install a custom CA cert: -![](<../../.gitbook/assets/image (367).png>) - -**Export the certificate in Der format** and lets **transform** it to a form that **Android** is going to be able to **understand.** Note that **in order to configure the burp certificate on the Android machine in AVD** you need to **run** this machine **with** the **`-writable-system`** option.\ -For example you can run it like: - -{% code overflow="wrap" %} -```bash -C:\Users\\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system -``` -{% endcode %} - -Then, to **configure burps certificate do**: - -{% code overflow="wrap" %} -```bash -openssl x509 -inform DER -in burp_cacert.der -out burp_cacert.pem -CERTHASHNAME="`openssl x509 -inform PEM -subject_hash_old -in burp_cacert.pem | head -1`.0" -mv burp_cacert.pem $CERTHASHNAME #Correct name -adb root && sleep 2 && adb remount #Allow to write on /syste -adb push $CERTHASHNAME /sdcard/ #Upload certificate -adb shell mv /sdcard/$CERTHASHNAME /system/etc/security/cacerts/ #Move to correct location -adb shell chmod 644 /system/etc/security/cacerts/$CERTHASHNAME #Assign privileges -adb reboot #Now, reboot the machine -``` -{% endcode %} - -Once the **machine finish rebooting** the burp certificate will be in use by it! 
- -## Install Burp Certificate with Magisc - -If you **rooted your device with Magisc** (maybe an emulator), and you **can't follow** the previous **steps** to install the Burp cert because the **filesystem is read-only** and you cannot remount it writable, there is another way. - -Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you need to: - -1. **Install a CA certificate**: Just **drag\&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate` - -
- -* Check that the certificate was correctly stored going to `Trusted credentials` -> `USER` - -
- -2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag\&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone: - -
- -* After rebooting, go to `Trusted credentials` -> `SYSTEM` and check the Postswigger cert is there - -
+{% content-ref url="install-burp-certificate.md" %} +[install-burp-certificate.md](install-burp-certificate.md) +{% endcontent-ref %} ## Nice AVD Options diff --git a/mobile-pentesting/android-app-pentesting/install-burp-certificate.md b/mobile-pentesting/android-app-pentesting/install-burp-certificate.md new file mode 100644 index 000000000..1254d388f --- /dev/null +++ b/mobile-pentesting/android-app-pentesting/install-burp-certificate.md @@ -0,0 +1,182 @@ +# Install Burp Certificate + +
+ +โ˜๏ธ HackTricks Cloud โ˜๏ธ -๐Ÿฆ Twitter ๐Ÿฆ - ๐ŸŽ™๏ธ Twitch ๐ŸŽ™๏ธ - ๐ŸŽฅ Youtube ๐ŸŽฅ + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**๐Ÿ’ฌ**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**๐Ÿฆ**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). + +
+ +## On a Virtual Machine + +First of all you need to download the Der certificate from Burp. You can do this in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_ + +![](<../../.gitbook/assets/image (367).png>) + +**Export the certificate in Der format** and lets **transform** it to a form that **Android** is going to be able to **understand.** Note that **in order to configure the burp certificate on the Android machine in AVD** you need to **run** this machine **with** the **`-writable-system`** option.\ +For example you can run it like: + +{% code overflow="wrap" %} +```bash +C:\Users\\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system +``` +{% endcode %} + +Then, to **configure burps certificate do**: + +{% code overflow="wrap" %} +```bash +openssl x509 -inform DER -in burp_cacert.der -out burp_cacert.pem +CERTHASHNAME="`openssl x509 -inform PEM -subject_hash_old -in burp_cacert.pem | head -1`.0" +mv burp_cacert.pem $CERTHASHNAME #Correct name +adb root && sleep 2 && adb remount #Allow to write on /syste +adb push $CERTHASHNAME /sdcard/ #Upload certificate +adb shell mv /sdcard/$CERTHASHNAME /system/etc/security/cacerts/ #Move to correct location +adb shell chmod 644 /system/etc/security/cacerts/$CERTHASHNAME #Assign privileges +adb reboot #Now, reboot the machine +``` +{% endcode %} + +Once the **machine finish rebooting** the burp certificate will be in use by it! + +## Using Magisc + +If you **rooted your device with Magisc** (maybe an emulator), and you **can't follow** the previous **steps** to install the Burp cert because the **filesystem is read-only** and you cannot remount it writable, there is another way. + +Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you need to: + +1. 
**Install a CA certificate**: Just **drag\&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate` + +
+ +* Check that the certificate was correctly stored going to `Trusted credentials` -> `USER` + +
+ +2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag\&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone: + +
+ +* After rebooting, go to `Trusted credentials` -> `SYSTEM` and check the Postswigger cert is there + +
+ +## Post Android 14 + +Changes: + +* Until now, system-trusted CA certificates lived in **`/system/etc/security/cacerts/`**. On a standard AOSP emulator, those could be **modified directly with root access** with minimal setup, immediately taking **effect everywhere**. +* In Android 14, system-trusted CA certificates will generally live in **`/apex/com.android.conscrypt/cacerts`**, and all of **`/apex` is immutable**. +* That **APEX cacerts path cannot be remounted as rewritable** - remounts simply fail. In fact, even if you unmount the entire path from a root shell, apps can still read your certificates just fine. +* The alternative technique of **mounting a tmpfs directory over the top also doesn't work** - even though this means that `ls /apex/com.android.conscrypt/cacerts` might return nothing (or anything else you like), apps will still see the same original data. + * Because the `/apex` mount is [explicitly mounted](https://cs.android.com/android/platform/superproject/main/+/main:system/core/init/mount\_namespace.cpp;l=97;drc=566c65239f1cf3fcb0d8745715e5ef1083d4bd3a) **with PRIVATE propagation**, so that all changes to mounts inside the `/apex` path are never shared between processes. + +That's done by the `init` process which starts the OS, which then launches the [Zygote process](https://en.wikipedia.org/wiki/Booting\_process\_of\_Android\_devices#Zygote) (with a new mount namespace copied from the parent, so including its **own private `/apex` mount**), which then in turn **starts each app process** whenever an app is launched on the device (who each in turn then **copy that same private `/apex` mount**). 
+ +### Recursively remounting mountpoints + +* You can remount `/apex` manually, removing the PRIVATE propagation and making it writable (ironically, it seems that entirely removing private propagation _does_ propagate everywhere) +* You copy out the entire contents of `/apex/com.android.conscrypt` elsewhere +* Then you unmount `/apex/com.android.conscrypt` entirely - removing the read-only mount that immutably provides this module +* Then you copy the contents back, so it lives into the `/apex` mount directly, where it can be modified (you need to do this quickly, as [apparently](https://infosec.exchange/@g1a55er/111069489513139531) you can see crashes otherwise) +* This should take effect immediately, but they recommend killing `system_server` (restarting all apps) to get everything back into a consistent state + +```bash +# Create a separate temp directory, to hold the current certificates +# Otherwise, when we add the mount we can't read the current certs anymore. +mkdir -p -m 700 /data/local/tmp/tmp-ca-copy + +# Copy out the existing certificates +cp /apex/com.android.conscrypt/cacerts/* /data/local/tmp/tmp-ca-copy/ + +# Create the in-memory mount on top of the system certs folder +mount -t tmpfs tmpfs /system/etc/security/cacerts + +# Copy the existing certs back into the tmpfs, so we keep trusting them +mv /data/local/tmp/tmp-ca-copy/* /system/etc/security/cacerts/ + +# Copy our new cert in, so we trust that too +mv $CERTIFICATE_PATH /system/etc/security/cacerts/ + +# Update the perms & selinux context labels +chown root:root /system/etc/security/cacerts/* +chmod 644 /system/etc/security/cacerts/* +chcon u:object_r:system_file:s0 /system/etc/security/cacerts/* + +# Deal with the APEX overrides, which need injecting into each namespace: + +# First we get the Zygote process(es), which launch each app +ZYGOTE_PID=$(pidof zygote || true) +ZYGOTE64_PID=$(pidof zygote64 || true) +# N.b. some devices appear to have both! 
+ +# Apps inherit the Zygote's mounts at startup, so we inject here to ensure +# all newly started apps will see these certs straight away: +for Z_PID in "$ZYGOTE_PID" "$ZYGOTE64_PID"; do + if [ -n "$Z_PID" ]; then + nsenter --mount=/proc/$Z_PID/ns/mnt -- \ + /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts + fi +done + +# Then we inject the mount into all already running apps, so they +# too see these CA certs immediately: + +# Get the PID of every process whose parent is one of the Zygotes: +APP_PIDS=$( + echo "$ZYGOTE_PID $ZYGOTE64_PID" | \ + xargs -n1 ps -o 'PID' -P | \ + grep -v PID +) + +# Inject into the mount namespace of each of those apps: +for PID in $APP_PIDS; do + nsenter --mount=/proc/$PID/ns/mnt -- \ + /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts & +done +wait # Launched in parallel - wait for completion here + +echo "System certificate injected" +``` + +### Bind-mounting through NSEnter + +* First, we need set up a writable directory somewhere. For easy compatibility with the existing approach, I'm doing this with a `tmpfs` mount over the (still present) non-APEX system cert directory: + + ```bash + mount -t tmpfs tmpfs /system/etc/security/cacerts + ``` +* Then you place the CA certificates you're interested in into this directory (e.g. you might want copy all the defaults out of the existing `/apex/com.android.conscrypt/cacerts/` CA certificates directory) and set permissions & SELinux labels appropriately. +* Then, use `nsenter` to enter the Zygote's mount namespace, and bind mount this directory over the APEX directory: + + ```bash + nsenter --mount=/proc/$ZYGOTE_PID/ns/mnt -- \ + /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts + ``` + + The Zygote process spawns each app, copying its mount namespace to do so, so this ensures all newly launched apps (everything started from now on) will use this. 
+* Then, use `nsenter` to enter each already running app's namespace, and do the same: + + ```bash + nsenter --mount=/proc/$APP_PID/ns/mnt -- \ + /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts + ``` + + Alternatively, if you don't mind the awkward UX, you should be able to do the bind mount on `init` itself (PID 1) and then run `stop && start` to soft-reboot the OS, recreating all the namespaces and propagating your changes everywhere (but personally I do mind the awkward reboot, so I'm ignoring that route entirely). + +
+ +โ˜๏ธ HackTricks Cloud โ˜๏ธ -๐Ÿฆ Twitter ๐Ÿฆ - ๐ŸŽ™๏ธ Twitch ๐ŸŽ™๏ธ - ๐ŸŽฅ Youtube ๐ŸŽฅ + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**๐Ÿ’ฌ**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**๐Ÿฆ**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). + +
diff --git a/pentesting-web/2fa-bypass.md b/pentesting-web/2fa-bypass.md index b3c28835e..0a21605b7 100644 --- a/pentesting-web/2fa-bypass.md +++ b/pentesting-web/2fa-bypass.md @@ -43,6 +43,8 @@ Using the same session start the flow using your account and the victim's accoun In almost all web applications the **password reset function automatically logs the user into the application** after the reset procedure is completed.\ Check if a **mail** is sent with a **link** to **reset the password** and if you can **reuse** that **link** to reset the password as **many times as you want** (even if the victim changes his email address). +Another option to bypass 2FA with the password reset functionality is to **reset the password with access to the mail** and use the **new password lo login**, it might be possible that after a password change 2FA isn't used. + ### OAuth If you can compromise the account of the user in a trusted **OAuth** platform (Google, Facebook...)
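Review bot: in the first SUMMARY.md hunk the retitled entry still carries a misspelling; `* [Exploiting a debuggeable application](...)` should read "Exploiting a debuggable application" (the file path can stay as it is so existing links keep working). The same hunk removes the "Burp Suite Configuration for Android" entry without a replacement at that position; that is fine only because the second SUMMARY.md hunk adds "Install Burp Certificate" under the I entries, so confirm both hunks land together.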
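Review bot: the README.md hunk links to `avd-android-virtual-device.md#install-burp-certificate-on-a-virtual-machine`, but the AVD hunk in this same PR renames that heading from `## Install Burp certificate on a Virtual Machine` to `## Install Burp Certificate`, so the anchor will not resolve after merge. Link straight to the new page instead, i.e. `[**read this guide to learn how to install a custom CA certificate**](install-burp-certificate.md)`. While touching this line, fix the link text "how to do install" (drop "do"), and the unchanged context line below it has "all the installed certificate sin the device", which should be "all the installed certificates in the device".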
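Review bot: deleting android-burp-suite-settings.md drops material that the new install-burp-certificate.md does not carry over: the Burp listener setup (address/port, "All Interfaces"), the manual proxy configuration on the device (Setting → Wifi → long press → Modify network → Advance options → Proxy: manual), the user-certificate install path (rename cacert.der to cacert.crt, Settings → Security → Install certificate from SD card, verify under Trusted certificates → Users) and the hint that Firefox for Android does not use a certificate installed that way. Those are the only steps on this page for a non-rooted physical device, so move them into the new page (for example as a section on installing the CA as a user certificate) before removing the file, and grep the repo for other links to android-burp-suite-settings.md beyond the two fixed here.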
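Review bot: in the avd-android-virtual-device.md hunk, replacing the two sections with a `{% content-ref url="install-burp-certificate.md" %}` block is fine since the removed text appears verbatim in the new file, but the heading rename to `## Install Burp Certificate` breaks the `#install-burp-certificate-on-a-virtual-machine` anchor that the README.md hunk introduces; either keep the old heading text or point the README at the new page directly.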
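Review bot: in the new install-burp-certificate.md, the bash block under `### Recursively remounting mountpoints` does not implement the bullets above it (remount `/apex` without PRIVATE propagation, copy `/apex/com.android.conscrypt` out, unmount it, copy the contents back); it is the tmpfs-plus-`nsenter` bind-mount script, which the following `### Bind-mounting through NSEnter` section then explains again in fragments, so the same technique is presented twice under different headings. Either move the full script under the NSEnter section and drop the fragments, or replace it with commands that match the remount description. Further points in the same hunk: `$CERTIFICATE_PATH` is used (`mv $CERTIFICATE_PATH /system/etc/security/cacerts/`) but never set, and the file name should follow the same `<subject_hash_old>.0` convention the first section computes with `openssl x509 -subject_hash_old`; the script must run in a root shell on the device, which the text does not say; the Post Android 14 prose is first-person text ("I'm doing this with a `tmpfs` mount", "personally I do mind the awkward reboot") with no source link, which it matches Tim Perry's HTTP Toolkit write-up on Android 14 system certificates, so cite it as the Magisk section cites its video. Typos: "Magisc", "Magics app" → "Magisk"; "Postswigger" → "PortSwigger"; "Der certificate" → "DER certificate"; the comment `#Allow to write on /syste` → `/system`; and the emulator path `C:\Users\\AppData\Local\Android\Sdk\tools\emulator.exe` is missing the user-name component (use `C:\Users\<user>\...`).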
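Review bot: the added line in the 2fa-bypass.md hunk has a typo, "use the **new password lo login**" should be "use the **new password to log in**", and the sentence runs on; suggest "Another option to bypass 2FA via the password reset functionality is to **reset the password with access to the mail** and **log in with the new password**: some applications do not ask for 2FA again right after a password change."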