sure that people trying to gain access to an online account are who they say they are. First, the user enters a username and password. Then, instead of being granted access immediately, they are required to provide a second piece of information (the second factor).

Two-Factor Authentication Workflow
- Application authentication
- Standard login
- OTP generation
- OTP delivery
OTP code
3- Intercept the response with Burp Suite (right-click the request in Proxy, Do intercept, Response to this request)
4- Copy the earlier valid response, generated for the attacker's own account, and paste it in place of the failed response. If the client trusts the response body to decide whether the OTP step passed, the 2FA is bypassed
use the same OTP again. If the OTP is accepted a second time, the code is not invalidated after use (OTP reuse)
Reference: https://hackerone.com/reports/67660

Case 4 – Use null or 000000
1- Request an OTP
2- Enter the code 000000 or leave the field blank. If either is accepted, the server is not checking that a code was actually issued and matched
Reference: https://hackerone.com/reports/897385
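The OTP-reuse and null/000000 cases above both come down to how the server verifies a submitted code. The following is an added example, not code from the original page: a deliberately weak verifier that shows both bugs beside a hardened one that consumes each code, expires it and limits guesses. The in-memory store, the 6-digit format and all names are assumptions made for illustration.

```python
# Added example (not code from the original page): a deliberately weak OTP
# verifier next to a hardened one. The in-memory store, the 6-digit format and
# the names are assumptions made for illustration.
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # a code older than this is dead even if unused
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is discarded


class VulnerableOtpStore:
    """Shows the two bugs the OTP-reuse and blank/000000 tests look for."""

    def __init__(self):
        self.pending = {}  # user -> code

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return code

    def verify(self, user, submitted):
        stored = self.pending.get(user)
        # BUG 1: a blank or missing code is treated as "no OTP supplied" and
        # falls through to success, so an empty field bypasses the factor.
        if submitted and submitted != stored:
            return False
        # BUG 2: the code is never consumed, so a once-valid code replays.
        return True


class HardenedOtpStore:
    """Each code is single-use, time-limited and attempt-limited; an absent
    or malformed code is always rejected."""

    def __init__(self, now=time.time, randbelow=secrets.randbelow):
        self.now = now              # injectable clock (for tests)
        self.randbelow = randbelow  # injectable RNG (for tests)
        self.pending = {}           # user -> {"code", "issued_at", "attempts"}

    def issue(self, user):
        code = f"{self.randbelow(10**6):06d}"
        # Re-issuing replaces any older code, so only one is live per user.
        self.pending[user] = {"code": code, "issued_at": self.now(), "attempts": 0}
        return code

    def verify(self, user, submitted):
        entry = self.pending.get(user)
        if entry is None:
            return False  # nothing pending: never fall through to success
        if self.now() - entry["issued_at"] > OTP_TTL_SECONDS:
            del self.pending[user]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[user]  # brute-force guard: drop the code entirely
            return False
        well_formed = (isinstance(submitted, str) and len(submitted) == 6
                       and submitted.isdigit())
        # Constant-time compare; "000000" is just another wrong guess unless
        # it happens to be the issued code.
        ok = well_formed and hmac.compare_digest(submitted, entry["code"])
        if ok:
            del self.pending[user]  # one-time: a replay now hits "nothing pending"
        return ok
```

When testing a target, the hardened behaviour is what you expect to see: a blank or all-zero code rejected, a correct code accepted exactly once, and the code dying after a few wrong guesses or a few minutes.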
the login request and observe the OpenID Connect flow
2- Tamper with the acr_values parameter of the authorization request to bypass 2FA. In this case, change otp+password to sms+password and check whether the application still grants access without the OTP step
Reference: https://youst.in/posts/bypassing-2fa-using-openid-misconfiguration/
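The acr_values parameter is only a request from the relying party; what actually happened is the acr claim the identity provider puts in the ID token. The following is an added example, not code from the page or the referenced post, showing a misconfigured relying party that never looks at the acr claim beside a fixed one that requires it to match. The token layout, the acr strings, the absence of signature verification and all names are assumptions for illustration.

```python
# Added example (not code from the page or the referenced post): what the
# relying party must check after an OpenID Connect login when it asked for a
# particular acr_values. Token layout, claim values and names are assumptions.
import base64
import json

# Assumed IdP policy: this acr string means "password + OTP" was performed.
STRONG_ACR = {"otp+password"}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def id_token_claims(id_token):
    """Parse the payload of a JWT-shaped ID token. Signature verification
    against the IdP's keys is assumed to happen before the claims are
    trusted; it is out of scope here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    return json.loads(_b64url_decode(parts[1]))


def weak_rp_accepts(claims):
    """Misconfigured RP: it sent acr_values=otp+password in the authorization
    request and assumes that is what happened. A browser-side edit of
    acr_values to sms+password (or anything else) is never noticed."""
    return "sub" in claims


def strict_rp_accepts(claims, required=STRONG_ACR):
    """Fixed RP: only the acr the IdP asserts in the (verified) token counts,
    and it must be one of the required values."""
    acr = claims.get("acr")
    return isinstance(acr, str) and acr in required


def make_unsigned_token(claims):
    """Constructs an unsigned, JWT-shaped token for offline demonstration."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Constructed token standing in for what the IdP returns after the
    # acr_values parameter was downgraded to sms+password.
    downgraded = id_token_claims(make_unsigned_token({"sub": "victim", "acr": "sms+password"}))
    print("weak RP accepts:", weak_rp_accepts(downgraded))      # True
    print("strict RP accepts:", strict_rp_accepts(downgraded))  # False
```

The same check applies when the IdP returns no acr at all: a strict relying party treats a missing or non-string acr as a failed requirement rather than a default pass.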
the 2FA
3- On Browser B, reload the page
4- If the session is still active, enabling 2FA did not invalidate the existing sessions

Case 8 – CSRF on 2FA Disabling
1- Sign up for two accounts: the first is the attacker's account and the second is the victim's
2- Log in to the attacker's account, capture the Disable 2FA request in Burp Suite and generate a CSRF PoC
3- Save the CSRF PoC as a file with the .html extension
4- Log in to the victim's account in a private browser window and open the CSRF file. If 2FA is now disabled on the victim's account, the Disable 2FA request has no CSRF protection, which leads to a 2FA bypass
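Both the stale-session case (Browser B still logged in after 2FA is enabled) and the CSRF-on-disable case are fixed on the server side. The following is an added example, not code from the page: a small account service that bumps a per-account generation number whenever 2FA is enabled or disabled, so every other session dies, and that only disables 2FA for a same-origin request carrying the session's CSRF token after a fresh password check. The in-memory stores, the origin string, the re-auth window and all names are assumptions for illustration.

```python
# Added example (not code from the page): session and CSRF handling around
# enabling/disabling 2FA. The in-memory stores, the generation counter, the
# origin string and all names are assumptions for illustration.
import hashlib
import hmac
import secrets
import time

SITE_ORIGIN = "https://app.example"  # assumed origin of the application
REAUTH_WINDOW_SECONDS = 300          # disable-2FA needs a password check this recent


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    def __init__(self, now=time.time):
        self.now = now       # injectable clock (for tests)
        self.accounts = {}   # user -> {"salt", "pw_hash", "twofa", "generation"}
        self.sessions = {}   # session id -> {"user", "generation", "csrf", "reauth_at"}

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "pw_hash": _hash_password(password, salt),
                               "twofa": False, "generation": 0}

    def _check_password(self, user, password):
        acct = self.accounts[user]
        return hmac.compare_digest(_hash_password(password, acct["salt"]), acct["pw_hash"])

    def login(self, user, password):
        if not self._check_password(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user,
                              "generation": self.accounts[user]["generation"],
                              "csrf": secrets.token_urlsafe(32),  # per-session, unreadable cross-site
                              "reauth_at": self.now()}
        return sid

    def session_valid(self, sid):
        s = self.sessions.get(sid)
        # A session created before the last 2FA change carries an old
        # generation number and is rejected, whichever browser holds it.
        return s is not None and s["generation"] == self.accounts[s["user"]]["generation"]

    def csrf_token(self, sid):
        return self.sessions[sid]["csrf"]

    def reauthenticate(self, sid, password):
        s = self.sessions[sid]
        if not self._check_password(s["user"], password):
            return False
        s["reauth_at"] = self.now()
        return True

    def _bump_generation(self, sid):
        acct = self.accounts[self.sessions[sid]["user"]]
        acct["generation"] += 1                                 # kills every other session...
        self.sessions[sid]["generation"] = acct["generation"]   # ...but keeps this one
        return acct

    def enable_2fa(self, sid):
        if not self.session_valid(sid):
            return False
        self._bump_generation(sid)["twofa"] = True
        return True

    def disable_2fa(self, sid, csrf_token, origin):
        """State-changing request: same-origin, bound to the session's CSRF
        token and freshly re-authenticated, so an auto-submitting form on an
        attacker's page (which has the cookie but none of the rest) fails."""
        if not self.session_valid(sid):
            return False
        s = self.sessions[sid]
        if origin != SITE_ORIGIN:
            return False
        if not hmac.compare_digest(csrf_token or "", s["csrf"]):
            return False
        if self.now() - s["reauth_at"] > REAUTH_WINDOW_SECONDS:
            return False
        self._bump_generation(sid)["twofa"] = False
        return True
```

The generation counter is what makes the Browser B check fail as it should: after Browser A enables 2FA, a reload in Browser B presents a session whose generation is one behind the account's and is treated as logged out. The three checks in disable_2fa are layered on purpose; a CSRF PoC served from another origin sends the victim's cookie but the wrong Origin header, no CSRF token and no fresh password, so any one of them stops it.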