Vulnerabilities in multi-factor authentication

Last updated 4 years ago

Some websites require users to prove their identity through more than one authentication factor.

Two-factor authentication (2FA) is based on something you know and something you have. 2FA usually requires a user to enter both their password and a temporary verification code.

Two factor authentication tokens

Verification codes are read by the user from a physical device of some kind that they possess. High-security websites provide users with a dedicated device for this purpose, such as an RSA token, the keypad devices used to access online banking, or a work laptop. These devices have the advantage of generating the verification code directly, which increases the security of the authentication factor.

On the other hand, some websites send verification codes to the user's mobile phone as a text message, which is open to exploitation:

  • The code is transmitted via SMS instead of being generated by the device itself, creating the potential for the code to be intercepted.

  • There is also the risk of SIM swapping, where an attacker obtains a SIM card with the victim's phone number and so receives all SMS messages sent to the victim, including the one containing the verification code.

Bypassing two-factor authentication

If the user is first prompted to enter a password, and then prompted to enter a verification code on a separate page, the user is effectively in a "logged in" state before entering the verification code. In this case, we can test whether we can skip straight to "logged-in only" pages after completing only the first authentication step. Occasionally, we will find that a website doesn't actually check whether we completed the second step before loading the page.
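
As an added example, not taken from this page or from PortSwigger's lab code, the following Python models the two-step login with a per-session state and contrasts a protected page that only checks the password step with one that also requires the verification step; the user, password and code are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional
import hmac

# Constructed sample data; a real system stores password hashes and issues
# single-use, time-limited codes per login attempt.
USERS = {"alice": {"password": "correct horse", "code": "482913"}}


@dataclass
class Session:
    user: Optional[str] = None   # set once the password step succeeds
    password_ok: bool = False    # first factor verified
    mfa_ok: bool = False         # second factor verified


def login_step1(session: Session, user: str, password: str) -> bool:
    """Step 1: check the password. The session now names a user but is not done."""
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record["password"], password):
        return False
    session.user, session.password_ok, session.mfa_ok = user, True, False
    return True


def login_step2(session: Session, code: str) -> bool:
    """Step 2: check the verification code for the user chosen in step 1."""
    if not session.password_ok or session.user is None:
        return False
    session.mfa_ok = hmac.compare_digest(USERS[session.user]["code"], code)
    return session.mfa_ok


def my_account_vulnerable(session: Session) -> str:
    """Only looks at the first step, so the page loads right after step 1."""
    if session.user is None:
        return "302 /login"
    return f"200 Welcome {session.user}"


def my_account_fixed(session: Session) -> str:
    """Requires both factors; a half-finished login is sent back to step 2."""
    if session.user is None or not session.password_ok:
        return "302 /login"
    if not session.mfa_ok:
        return "302 /login2"
    return f"200 Welcome {session.user}"
```

The defensive check is the second function: every page behind the login must verify that the session has passed both steps, not merely that a username is attached to it.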

Labs

2FA simple bypass