hacktricks/pentesting-web/2fa-bypass.md
2024-05-05 17:56:05 +00:00


# 2FA/OTP Bypass
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
### [WhiteIntel](https://whiteintel.io)
<figure><img src="../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>
[**WhiteIntel**](https://whiteintel.io) is a **dark-web** fueled search engine that offers **free** functionalities to check if a company or its customers have been **compromised** by **stealer malware**.
WhiteIntel's primary goal is to combat account takeovers and ransomware attacks resulting from information-stealing malware.
You can check their website and try their engine for **free** at:
{% embed url="https://whiteintel.io" %}
***
## **Enhanced Two-Factor Authentication Bypass Techniques**
### **Direct Endpoint Access**
To bypass 2FA, try requesting the endpoint that follows the 2FA step directly; knowing its path is essential. If that fails, set the **Referer header** so the request appears to come from the 2FA verification page.
### **Token Reuse**
Resubmitting a token that was already used to authenticate within an account can succeed where the application does not invalidate tokens after use.
### **Utilization of Unused Tokens**
A token issued to your own account (and not yet used) can be submitted in the 2FA step of another account to test whether tokens are bound to the account they were issued for.
### **Exposure of Token**
Check whether the token is disclosed in any response from the web application.
### **Verification Link Exploitation**
The **email verification link sent on account creation** may grant access to the profile without 2FA, as described in this [post](https://srahulceh.medium.com/behind-the-scenes-of-a-security-bug-the-perils-of-2fa-cookie-generation-496d9519771b).
### **Session Manipulation**
Open sessions for both your own account and the victim's account, complete 2FA on your own account but stop there, then try to request the next step of the victim's account flow. This exploits backends that record "2FA completed" without binding it to the account the session belongs to.
### **Password Reset Mechanism**
Check the password reset function, which typically logs the user in after the reset: whether the same reset link can be used more than once, and whether logging in with the newly set password skips 2FA.
### **OAuth Platform Compromise**
Compromising a user's account on a trusted **OAuth** platform (e.g., Google, Facebook) can offer a route to bypass 2FA.
### **Brute Force Attacks**
#### **Rate Limit Absence**
If the number of code attempts is not limited, the code can be brute forced. Bear in mind that rate limiting may be silent, with no visible error in the response.
#### **Slow Brute Force**
Where a per-flow rate limit exists but there is no overall limit on attempts against the account, a slow brute force spread over time remains viable.
#### **Code Resend Limit Reset**
If requesting a new code resets the attempt counter, brute forcing can continue by interleaving resends with guesses.
#### **Client-Side Rate Limit Circumvention**
Techniques for bypassing rate limits that are enforced only on the client side are covered in a separate document.
#### **Internal Actions Lack Rate Limit**
Rate limits may be applied to login attempts but not to internal account actions that verify the same code.
#### **SMS Code Resend Costs**
Excessive resending of codes via SMS costs the company money for each message, but it does not by itself bypass 2FA.
#### **Infinite OTP Regeneration**
If OTPs can be regenerated without limit and the codes are weak, an attacker can keep requesting new codes and retry the same small set of guesses until one matches.
### **Race Condition Exploitation**
Using race conditions to bypass 2FA is covered in a separate document.
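The token-reuse, unused-token, brute-force and race-condition findings above all come down to missing server-side controls on the OTP itself. The following is an added example, not code from HackTricks, showing an OTP issue/verify service that has those controls: codes are single use and bound to the account they were issued for, each code allows a fixed number of guesses, the per-account failure counter is not cleared by a resend, the number of codes issued per window is capped, and check-and-consume runs under a lock so concurrent submissions cannot race. The policy values and the injectable clock are assumptions made for the example.

```python
import hmac
import secrets
import threading
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Policy values are constructed for this example (assumptions, not taken from the page).
OTP_TTL_SECONDS = 300            # a code is valid for 5 minutes
MAX_ATTEMPTS_PER_CODE = 5        # guesses allowed against one issued code
MAX_FAILURES_PER_ACCOUNT = 10    # wrong guesses allowed per account per window, across all codes
MAX_ISSUES_PER_ACCOUNT = 3       # codes that may be issued (sent or resent) per window
WINDOW_SECONDS = 3600


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class AccountState:
    pending: Optional[PendingOtp] = None
    failures: List[float] = field(default_factory=list)  # timestamps of wrong guesses
    issues: List[float] = field(default_factory=list)    # timestamps of codes issued


class OtpService:
    """Server-side OTP issue/verify with the controls whose absence the bypasses above rely on."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock so expiry can be tested offline
        self._accounts: Dict[str, AccountState] = {}
        self._lock = threading.Lock()         # check-and-consume is atomic: no race window

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def _prune(self, stamps: List[float], now: float) -> None:
        cutoff = now - WINDOW_SECONDS
        stamps[:] = [t for t in stamps if t > cutoff]

    def issue(self, user: str) -> Optional[str]:
        """Issue a fresh 6-digit code for `user`; returns None when the issue budget is spent.
        Issuing a new code does NOT clear the account-wide failure history."""
        with self._lock:
            now = self._now()
            st = self._state(user)
            self._prune(st.issues, now)
            if len(st.issues) >= MAX_ISSUES_PER_ACCOUNT:
                return None
            st.issues.append(now)
            code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, not a counter or timestamp
            st.pending = PendingOtp(code=code, issued_at=now)
            return code

    def verify(self, user: str, submitted: str) -> str:
        """Verify a guess for `user`. Returns a short status string."""
        with self._lock:
            now = self._now()
            st = self._state(user)
            self._prune(st.failures, now)
            if len(st.failures) >= MAX_FAILURES_PER_ACCOUNT:
                return "locked"              # caps slow brute force and resend-reset tricks
            pending = st.pending
            if pending is None:
                return "no_code"             # nothing outstanding: used, never issued, or another account's
            if now - pending.issued_at > OTP_TTL_SECONDS:
                st.pending = None
                return "expired"
            if pending.attempts >= MAX_ATTEMPTS_PER_CODE:
                st.pending = None
                return "too_many_attempts"
            pending.attempts += 1
            if hmac.compare_digest(pending.code.encode(), str(submitted).encode()):
                st.pending = None            # single use: a correct code is consumed immediately
                return "ok"
            st.failures.append(now)
            return "wrong"


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("demo-user")
    print(svc.verify("demo-user", code), svc.verify("demo-user", code))  # ok no_code
```

The two counters are deliberately separate: the per-code limit bounds guesses against one code, while the per-account failure list survives resends and expiry, which is what turns the "resend resets the limit" and "slow brute force" findings into a lockout instead. Returning distinct status strings is for clarity here; in production the client should see one generic failure message.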
### **CSRF/Clickjacking Vulnerabilities**
Check whether a CSRF or clickjacking vulnerability can be used to make the victim disable 2FA.
### **"Remember Me" Feature Exploits**
#### **Predictable Cookie Values**
If the "remember me" cookie value is predictable, it can be guessed to skip the 2FA prompt.
#### **IP Address Impersonation**
Spoofing the victim's IP address through the **X-Forwarded-For** header can defeat "remember me" checks that rely on the client IP.
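Both "remember me" findings are about what the server trusts: a cookie value it could have predicted, and an IP address the client supplied in a header. The following is an added example (not code from HackTricks) of the defensive side: the cookie is a random 256-bit token stored only as a hash, expires, is single use, and is bound to the client IP, and the client IP is taken from `X-Forwarded-For` only when the TCP peer is a proxy the application owns. The `TRUSTED_PROXIES` address, the TTL and the strict IP binding are assumptions for the example; strict binding has a usability cost for roaming users and is shown here to make the header check concrete.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

REMEMBER_TTL_SECONDS = 30 * 24 * 3600          # constructed policy value
TRUSTED_PROXIES = {"10.0.0.5"}                 # constructed: the only hop allowed to set X-Forwarded-For


def effective_client_ip(peer_ip: str, x_forwarded_for: Optional[str]) -> str:
    """Use X-Forwarded-For only when the TCP peer is our own proxy; otherwise the header is client-controlled."""
    if peer_ip in TRUSTED_PROXIES and x_forwarded_for:
        # our proxy appends the address it saw as the last element; earlier elements are untrusted
        return x_forwarded_for.split(",")[-1].strip()
    return peer_ip


class RememberMe:
    """'Remember this device' tokens: random, stored hashed, expiring, single use, bound to the client IP."""

    def __init__(self, now=time.time):
        self._now = now                        # injectable clock so expiry can be tested offline
        self._tokens: Dict[str, Tuple[str, float, str]] = {}   # sha256(token) -> (user, expires_at, ip)

    def issue(self, user: str, client_ip: str) -> str:
        raw = secrets.token_urlsafe(32)        # 256 random bits; nothing derived from user, time or a counter
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self._tokens[digest] = (user, self._now() + REMEMBER_TTL_SECONDS, client_ip)
        return raw                             # only the client ever holds the raw value

    def redeem(self, cookie: str, client_ip: str) -> Optional[str]:
        """Return the user whose 2FA prompt may be skipped, or None if the cookie must not be honoured."""
        digest = hashlib.sha256(cookie.encode()).hexdigest()
        record = self._tokens.get(digest)
        if record is None:
            return None                        # unknown, guessed, or already consumed
        user, expires_at, bound_ip = record
        if self._now() > expires_at:
            del self._tokens[digest]
            return None
        if bound_ip != client_ip:
            return None                        # fall back to the normal 2FA prompt
        del self._tokens[digest]               # rotate on use: a replayed cookie is worthless
        return user


if __name__ == "__main__":
    rm = RememberMe()
    ip = effective_client_ip("198.51.100.9", "203.0.113.7")   # header from an untrusted peer is ignored
    cookie = rm.issue("demo-user", ip)
    print(rm.redeem(cookie, ip), rm.redeem(cookie, ip))       # demo-user None
```

Storing only the hash means a database leak does not hand out usable cookies, and hashing a token with this much entropy does not need a salt or HMAC. The lookup by digest also takes the same time for a valid and an invalid cookie, so guessing yields no timing signal.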
### **Utilizing Older Versions**
#### **Subdomains**
Subdomains may serve outdated versions of the application that lack 2FA support or contain vulnerable 2FA implementations.
#### **API Endpoints**
Older API versions, indicated by `/v*/` path segments, may be vulnerable to 2FA bypass methods.
### **Handling of Previous Sessions**
If existing sessions are not terminated when 2FA is activated, a session compromised before activation keeps working; terminating them is the expected defence.
### **Access Control Flaws with Backup Codes**
Backup codes are often generated immediately on 2FA activation; if they can be retrieved without proper access control, for instance through a CORS misconfiguration or an XSS vulnerability, they provide a bypass.
### **Information Disclosure on 2FA Page**
Disclosure of sensitive information (e.g., the phone number) on the 2FA verification page is a finding in itself.
### **Password Reset Disabling 2FA**
A bypass to test for: create an account, enable 2FA, reset the password, and log in again; some applications drop the 2FA requirement after a password reset.
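Direct Endpoint Access, Session Manipulation, the two Password Reset findings and Handling of Previous Sessions are all failures of one server-side state machine. The following is an added example, not code from HackTricks or any project, of a session store that gets that state machine right: a session records which account it was opened for and whether 2FA was completed for that session, every post-2FA endpoint calls `authorize`, the `Referer` header is never consulted, enabling 2FA revokes the user's other sessions, and a password reset revokes sessions without logging the user in or clearing the 2FA requirement. The method names and the in-memory store are assumptions for the example; OTP verification itself is shown in the OTP service example earlier on this page and is out of scope here.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Session:
    sid: str
    user: str                 # the account this session was opened for
    mfa_verified: bool = False


class SessionStore:
    """Session state machine: password -> (2FA) -> authorized, with 2FA bound to the session's user."""

    def __init__(self):
        self._sessions: Dict[str, Session] = {}
        self._mfa_enabled: Set[str] = set()

    def login_password(self, user: str) -> str:
        """First factor accepted: open a session that is not yet trusted for 2FA-protected actions."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid=sid, user=user)
        return sid

    def complete_mfa(self, sid: str) -> None:
        """Called only after the OTP for this session's user was verified (verification is out of scope here)."""
        self._sessions[sid].mfa_verified = True

    def authorize(self, sid: str, target_user: str, referer: Optional[str] = None) -> bool:
        """Gate for every endpoint after the 2FA step. `referer` is accepted only to show it is never consulted."""
        s = self._sessions.get(sid)
        if s is None:
            return False                             # revoked or never existed
        if s.user != target_user:
            return False                             # a verified session for A cannot act as B
        if target_user in self._mfa_enabled and not s.mfa_verified:
            return False                             # direct endpoint access: 2FA step not completed
        return True

    def enable_mfa(self, sid: str) -> None:
        """Turn on 2FA for the session's user and terminate every other session of that user."""
        s = self._sessions[sid]
        self._mfa_enabled.add(s.user)
        s.mfa_verified = True                        # the enrolling session just proved the factor
        self._revoke_user_sessions(s.user, keep=sid)

    def password_reset(self, user: str) -> None:
        """A reset neither logs the user in nor clears the 2FA requirement; it revokes existing sessions."""
        self._revoke_user_sessions(user)

    def _revoke_user_sessions(self, user: str, keep: Optional[str] = None) -> None:
        for sid in [s.sid for s in self._sessions.values() if s.user == user and s.sid != keep]:
            del self._sessions[sid]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login_password("demo-user")
    store.enable_mfa(sid)
    later = store.login_password("demo-user")
    print(store.authorize(later, "demo-user", referer="https://app.example/2fa"))  # False
    store.complete_mfa(later)
    print(store.authorize(later, "demo-user"))                                    # True
```

The key design point is that `mfa_verified` lives on the session together with `user`, so a session that completed 2FA for one account carries nothing that helps it reach another. The check in `authorize` is the only gate; no route is considered reachable merely because the client knows its path or claims to have come from the 2FA page.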
### **Decoy Requests**
Utilizing decoy requests to obfuscate brute force attempts or mislead rate limiting mechanisms adds another layer to bypass strategies. Crafting such requests requires a nuanced understanding of the application's security measures and rate limiting behaviors.
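From the defender's side, the brute-force variants above (fast, slow, IP-rotated, and padded with decoy requests) share one property: every guess is a failed OTP verification against the same target account. The following is an added example, not code from HackTricks, of detection logic that keys on exactly that, counting failed `otp_verify` events per account over a short burst window and a long slow window, regardless of source IP or of noise on other endpoints. The JSON-lines log format, the event names and the thresholds are assumptions, and the sample log is constructed for the example.

```python
import json
from collections import defaultdict
from typing import Dict, List

BURST_THRESHOLD, BURST_WINDOW = 5, 600       # >=5 failed OTP checks within 10 minutes
SLOW_THRESHOLD, SLOW_WINDOW = 10, 24 * 3600  # >=10 failed OTP checks within a day


def _ev(ts: int, user: str, ip: str, result: str, event: str = "otp_verify") -> str:
    return json.dumps({"ts": ts, "event": event, "user": user, "ip": ip, "result": result})


BASE = 1_700_000_000
# Constructed sample log (JSON lines), not taken from the page:
#  - alice: 7 wrong codes in 3 minutes from 3 rotating IPs, padded with decoy requests to another endpoint
#  - bob:   2 wrong codes an hour apart (a legitimate typo pattern)
#  - carol: 10 wrong codes, one per hour (slow brute force)
SAMPLE_LOG = "\n".join(
    [_ev(BASE + 30 * i, "alice", f"203.0.113.{10 + i % 3}", "fail") for i in range(7)]
    + [_ev(BASE + 30 * i + 5, "alice", "203.0.113.10", "ok", event="profile_view") for i in range(7)]
    + [_ev(BASE + 200, "alice", "203.0.113.10", "ok")]
    + [_ev(BASE, "bob", "198.51.100.4", "fail"), _ev(BASE + 3600, "bob", "198.51.100.4", "fail")]
    + [_ev(BASE + 3600 * i, "carol", "192.0.2.9", "fail") for i in range(10)]
)


def max_in_window(stamps: List[int], window: int) -> int:
    """Largest number of events whose timestamps fall within any `window`-second span (two-pointer sweep)."""
    stamps = sorted(stamps)
    best = start = 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_otp_bruteforce(log_text: str) -> Dict[str, dict]:
    """Key failures on the target account, not on endpoint or source IP, so decoys and IP rotation do not hide them."""
    fails: Dict[str, List[int]] = defaultdict(list)
    ips: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event"] == "otp_verify" and ev["result"] == "fail":
            fails[ev["user"]].append(ev["ts"])
            ips[ev["user"]].add(ev["ip"])
    alerts = {}
    for user, stamps in fails.items():
        burst = max_in_window(stamps, BURST_WINDOW)
        slow = max_in_window(stamps, SLOW_WINDOW)
        reasons = []
        if burst >= BURST_THRESHOLD:
            reasons.append("burst")
        if slow >= SLOW_THRESHOLD:
            reasons.append("slow")
        if reasons:
            alerts[user] = {"burst_failures": burst, "slow_failures": slow,
                            "distinct_ips": len(ips[user]), "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for user, info in detect_otp_bruteforce(SAMPLE_LOG).items():
        print(user, info)
```

Run against the constructed log this flags `alice` (burst, three source IPs) and `carol` (slow) and leaves `bob` alone. The two windows mirror the two rate-limit failures described above: a per-flow limit alone misses the slow pattern, and a per-IP limit alone misses the rotated one, so the detection counts per account over both horizons. The `distinct_ips` figure is reported because a high value on a single account is itself a strong signal of automation.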
## References
* [https://medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35](https://medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35)
* [https://azwi.medium.com/2-factor-authentication-bypass-3b2bbd907718](https://azwi.medium.com/2-factor-authentication-bypass-3b2bbd907718)