# 2FA/OTP Bypass
htARTE (HackTricks AWS Red Team Expert) qa'vIn HackTricks AWS hacking! HackTricks yIlo'be'chugh: * **HackTricks advertisement** vItlhutlhlaHbe'chugh **company** vItlhutlhlaH **SUBSCRIPTION PLANS** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **ghItlhutlh**. * [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **ghItlhutlh**. * [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **ghItlhutlh** [**NFTs**](https://opensea.io/collection/the-peass-family) **ghItlhutlh**. * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **ghItlhutlh** [**telegram group**](https://t.me/peass) **ghItlhutlh** **follow** **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) **ghItlhutlh** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) **github repos** **ghItlhutlh**.
## **Enhanced Two-Factor Authentication Bypass Techniques** ### **Direct Endpoint Access** 2FA vItlhutlhlaHbe'chugh, path vItlhutlhlaHbe'chugh endpoint vItlhutlhlaH. vItlhutlhlaHbe'chugh, **Referrer header** vItlhutlhlaHbe'chugh 2FA verification page navigation mimic. ### **Token Reuse** 2FA vItlhutlhlaHbe'chugh, authentication token vItlhutlhlaHbe'chugh account reutilizing vItlhutlhlaH. ### **Utilization of Unused Tokens** 2FA vItlhutlhlaHbe'chugh, token vItlhutlhlaHbe'chugh account extraction vItlhutlhlaHbe'chugh 2FA bypass vItlhutlhlaHbe'chugh. ### **Exposure of Token** Token vItlhutlhlaHbe'chugh web application response vItlhutlhlaHbe'chugh investigate vItlhutlhlaHbe'chugh. ### **Verification Link Exploitation** **email verification link sent upon account creation** vItlhutlhlaHbe'chugh profile access without 2FA vItlhutlhlaHbe'chugh, [post](https://srahulceh.medium.com/behind-the-scenes-of-a-security-bug-the-perils-of-2fa-cookie-generation-496d9519771b) vItlhutlhlaHbe'chugh. ### **Session Manipulation** user's account vItlhutlhlaHbe'chugh victim's account vItlhutlhlaHbe'chugh session vItlhutlhlaHbe'chugh initiate vItlhutlhlaHbe'chugh, user's account 2FA vItlhutlhlaHbe'chugh complete vItlhutlhlaHbe'chugh, victim's account flow vItlhutlhlaHbe'chugh next step vItlhutlhlaHbe'chugh access vItlhutlhlaHbe'chugh, backend session management limitations vItlhutlhlaHbe'chugh exploit vItlhutlhlaHbe'chugh. ### **Password Reset Mechanism** password reset function vItlhutlhlaHbe'chugh investigate vItlhutlhlaHbe'chugh, user vItlhutlhlaHbe'chugh application post-reset login vItlhutlhlaHbe'chugh, multiple resets vItlhutlhlaHbe'chugh same link vItlhutlhlaHbe'chugh 2FA vItlhutlhlaHbe'chugh bypass vItlhutlhlaHbe'chugh. ### **OAuth Platform Compromise** user's account vItlhutlhlaHbe'chugh trusted **OAuth** platform (e.g., Google, Facebook) vItlhutlhlaHbe'chugh compromise vItlhutlhlaHbe'chugh, 2FA vItlhutlhlaHbe'chugh bypass vItlhutlhlaHbe'chugh. ### **Brute Force Attacks** #### **Rate Limit Absence** code attempts vItlhutlhlaHbe'chugh limit vItlhutlhlaHbe'chugh brute force attacks vItlhutlhlaHbe'chugh, silent rate limiting vItlhutlhlaHbe'chugh consider vItlhutlhlaHbe'chugh. #### **Slow Brute Force** flow rate limits vItlhutlhlaHbe'chugh slow brute force attack vItlhutlhlaHbe'chugh viable vItlhutlhlaHbe'chugh. #### **Code Resend Limit Reset** code vItlhutlhlaHbe'chugh resend vItlhutlhlaHbe'chugh rate limit reset vItlhutlhlaHbe'chugh, continued brute force attempts vItlhutlhlaHbe'chugh facilitate vItlhutlhlaHbe'chugh. #### **Client-Side Rate Limit Circumvention** document vItlhutlhlaHbe'chugh client-side rate limiting vItlhutlhlaHbe'chugh bypass techniques vItlhutlhlaHbe'chugh detail vItlhutlhlaHbe'chugh. #### **Internal Actions Lack Rate Limit** rate limits vItlhutlhlaHbe'chugh login attempts vItlhutlhlaHbe'chugh internal account actions vItlhutlhlaHbe'chugh protect vItlhutlhlaHbe'chugh. #### **SMS Code Resend Costs** codes vItlhutlhlaHbe'chugh SMS vItlhutlhlaHbe'chugh resend vItlhutlhlaHbe'chugh, company vItlhutlhlaHbe'chugh cost vItlhutlhlaHbe'chugh, 2FA vItlhutlhlaHbe'chugh bypass vItlhutlhlaHbe'chugh. #### **Infinite OTP Regeneration** simple codes vItlhutlhlaHbe'chugh endless OTP generation vItlhutlhlaHbe'chugh, small set vItlhutlhlaHbe'chugh retry vItlhutlhlaHbe'chugh brute force vItlhutlhlaHbe'chugh. ### **Race Condition Exploitation** 2FA bypass vItlhutlhlaHbe'chugh race conditions vItlhutlhlaHbe'chugh exploit vItlhutlhlaHbe'chugh. ### **CSRF/Clickjacking Vulnerabilities** CSRF vItlhutlhlaHbe'chugh Clickjacking vulnerabilities vItlhutlhlaHbe'chugh explore vItlhutlhlaHbe'chugh 2FA vItlhutlhlaHbe'chugh disable vItlhutlhlaHbe'chugh viable strategy vItlhutlhlaHbe'chugh. ### **"Remember Me" Feature Exploits** #### **Predictable Cookie Values** "remember me" cookie value vItlhutlhlaHbe'chugh guess vItlhutlhlaHbe'chugh bypass restrictions vItlhutlhlaHbe'chugh. #### **IP Address Impersonation** victim's IP address vItlhutlhlaHbe'chugh impersonate vItlhutlhlaHbe'chugh **X-Forwarded-For** header vItlhutlhlaHbe'chugh bypass restrictions vItlhutlhlaHbe'chugh. ### **Utilizing Older Versions** #### **Subdomains** subdomains vItlhutlhlaHbe'chugh test vItlhutlhlaHbe'chugh outdated versions vItlhutlhlaHbe'chugh 2FA support vItlhutlhlaHbe'chugh vulnerable 2FA implementations vItlhutlhlaHbe'chugh. #### **API Endpoints** /v\*/ directory paths vItlhutlhlaHbe'chugh older API versions vItlhutlhlaHbe'chugh, 2FA bypass methods vItlhutlhlaHbe'chugh. ### **Handling of Previous Sessions** 2FA activation vItlhutlhlaHbe'chugh existing sessions vItlhutlhlaHbe'chugh terminate vItlhutlhlaHbe'chugh, unauthorized access vItlhutlhlaHbe'chugh compromised sessions vItlhutlhlaHbe'chugh secure vItlhutlhlaHbe'chugh accounts vItlhutlhlaHbe'chugh. ### **Access Control Flaws with Backup Codes** 2FA activation vItlhutlhlaHbe'chugh immediate generation vItlhutlhlaHbe'chugh potential unauthorized retrieval vItlhutlhlaHbe'chugh backup codes vItlhutlhlaHbe'chugh, CORS misconfigurations/XSS vulnerabilities vItlhutlhlaHbe'chugh risk vItlhutlhlaHbe'chugh. ### **Information Disclosure on 2FA Page** 2FA verification page vItlhutlhlaHbe'chugh sensitive information disclosure (e.g., phone number) vItlhutlhlaHbe'chugh concern vItlhutlhlaHbe'chugh. ### **Password Reset Disabling 2FA** account creation v