Slide 1

2FA MISCONFIGURATION: Bypassing the Protections for Fun and Profit
By: Tushar Verma

Slide 3

2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user enters their username and password. Then, instead of immediately gaining access, they are required to provide another piece of information.

Two-Factor Authentication Workflow:
- Application authentication
- Standard login
- OTP generation
- OTP delivery

Slide 6

1. Register and log in to your own account.
2. Enter any random, incorrect OTP code.
3. Intercept the response with Burp Suite (choose "Response to this request").
4. Replace it with an earlier valid response that was generated for the attacker's own account.

Slide 7

1. Register and log in to your own account.
2. Enter any random, incorrect OTP code.
3. Intercept the response with Burp Suite (choose "Response to this request").
4. If the status code is 4xx, try changing it to 200 OK.

Slide 8

1. Request an OTP and use it.
2. Now try to use the same OTP again; if it is accepted, there is an issue.
Reference: https://hackerone.com/reports/67660

Case 4 – Use null or 000000
1. Request an OTP.
2. Enter the code 000000 or leave it blank.
Reference: https://hackerone.com/reports/897385

Slide 9

1. Intercept the request.
2. Brute-force the 2FA code with the help of Intruder.
3. Analyze the responses.
Reference: https://hackerone.com/reports/128777
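What the server side has to get right to close the reuse, null/000000 and brute-force cases on slides 8 and 9, as an added example in Python that is not part of the original deck; the OtpVerifier class, its limits (five-minute lifetime, five attempts) and the user ids are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example (not from the original deck): server-side OTP verification
# that closes the reuse, blank/000000 and brute-force cases. Limits are assumptions.
OTP_TTL_SECONDS = 300   # a code is only valid for five minutes after issue
MAX_ATTEMPTS = 5        # wrong guesses allowed before the challenge is locked


@dataclass
class OtpChallenge:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class OtpVerifier:
    """Keeps OTP state on the server so the client can neither replay a code
    nor turn a rejection into an acceptance by editing the response."""

    def __init__(self) -> None:
        self._challenges: dict = {}

    def issue(self, user_id: str, now=None) -> str:
        """Create a fresh six-digit code; never issue an all-zero code."""
        code = "000000"
        while set(code) == {"0"}:
            code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[user_id] = OtpChallenge(code, time.time() if now is None else now)
        return code  # handed to the delivery channel (SMS, e-mail, app)

    def verify(self, user_id: str, submitted: str, now=None) -> bool:
        now = time.time() if now is None else now
        ch = self._challenges.get(user_id)
        if ch is None or ch.consumed:
            return False  # no live challenge: a reused code fails here
        if now - ch.issued_at > OTP_TTL_SECONDS:
            del self._challenges[user_id]
            return False  # expired
        if ch.attempts >= MAX_ATTEMPTS:
            return False  # locked: further guessing no longer pays off
        ch.attempts += 1  # every guess counts, including malformed ones
        # Blank, non-numeric, wrong-length or all-zero input is never a wildcard.
        if len(submitted) != 6 or not submitted.isdigit() or set(submitted) == {"0"}:
            return False
        if not hmac.compare_digest(ch.code, submitted):
            return False
        ch.consumed = True  # single use: the same code is never accepted twice
        return True
```

The outcome is decided only by this state, so an intercepted 4xx rewritten to 200 OK on the client side does not change what the server recorded.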

Slide 10

Attack scenario: the company's OpenID system is used for authentication.
1. Intercept the login request and observe the OpenID flows.
2. Try to play with acr_values to bypass 2FA. In this case, change otp+password to sms+password.
Reference: https://youst.in/posts/bypassing-2fa-using-openid-misconfiguration/

Slide 11

1. Log in to the same account in two browsers.
2. In Browser A, activate 2FA.
3. In Browser B, try to reload the web page.
4. The session will still be active.

Case 8 – CSRF on 2FA Disabling
1. Sign up for two accounts: the first is the attacker's account and the second is the victim's.
2. Log in to the attacker's account, capture the "Disable 2FA" request in Burp Suite and generate a CSRF PoC.
3. Save the CSRF PoC file with the extension .html.
4. Now log in to the victim's account in a private browser window and open that CSRF file. You can see that it disables 2FA, which leads to a 2FA bypass.
