2FA Bypass Techniques
Response Manipulation
If the response contains "success":false, change it to "success":true.
Status Code Manipulation
If the status code is 4xx, try changing it to 200 OK and see whether it bypasses restrictions.
2FA Code Leakage in Response
Check the response of the 2FA code triggering request to see if the code is leaked.
JS File Analysis
Rare, but some JS files may contain information about the 2FA code; worth giving it a shot.
2FA Code Reusability
The same code can be reused.
Lack of Brute-Force Protection
It is possible to brute-force a 2FA code of any length.
Missing 2FA Code Integrity Validation
A code for any user account can be used to bypass the 2FA.
CSRF on 2FA Disabling
No CSRF protection on disabling 2FA, and no authentication confirmation either.
Password Reset Disable 2FA
2FA gets disabled on password change/email change.
Backup Code Abuse
Bypassing 2FA by abusing the backup code feature.
Use the above-mentioned techniques to bypass backup code to remove/reset 2FA restrictions.
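The server-side checks that close the code reusability, brute-force and integrity validation gaps listed above, as an added example that is not part of the original post. The class name, the policy values and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5   # assumed policy: wrong guesses allowed per issued code
CODE_TTL = 300     # assumed policy: code lifetime in seconds


class OtpVerifier:
    """Hypothetical in-memory 2FA challenge store, keyed by account."""

    def __init__(self, clock=time.time):
        self._pending = {}      # user_id -> challenge record
        self.verified = set()   # server-side state; the client cannot edit it
        self._clock = clock

    @staticmethod
    def _digest(user_id, code):
        # The stored hash covers the account id, tying the code to one user.
        return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()

    def issue(self, user_id):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = {
            "digest": self._digest(user_id, code),
            "expires": self._clock() + CODE_TTL,
            "attempts": 0,
        }
        return code  # sent out of band only, never echoed in the HTTP response

    def verify(self, user_id, code):
        entry = self._pending.get(user_id)
        if entry is None:
            return "no_challenge"
        if self._clock() > entry["expires"]:
            del self._pending[user_id]
            return "expired"
        if hmac.compare_digest(entry["digest"], self._digest(user_id, code)):
            del self._pending[user_id]   # single use: a replay finds nothing
            self.verified.add(user_id)
            return "ok"
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]   # guess budget spent: code is void
            return "locked"
        return "invalid"
```

Access decisions should read the server-side verified state rather than anything the client sends back, so an edited response body or status code changes nothing.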