
2 Factor Authentication Bypass

Tuhin Bose
August 18, 2021

Full Session Link: https://youtu.be/X2WfhBYQ2fY


Transcript

  1. Bypassing 2 Factor Authentication By Tuhin Bose

  2. root@kali:~# whoami: Bug Bounty Hunter; Infosec Trainer at DSPH; B. Tech in Cyber Security and Digital Forensics
  3. AGENDA: What is 2FA? Common 2FA Implementations in Web Applications. Flow of 2FA. 15 Different Techniques for Bypassing 2FA. Live Hunting. Conclusion & QNA.
  4. What is 2 Factor Authentication?

  5. 2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are.
  6. Common 2FA Implementations in Web Applications

  7. Common 2FA Implementations in Web Applications

  8. Flow of 2FA

  9. Flow of 2FA: The user enters their credentials. The server validates whether the given credentials match. The user is asked to enter the 2FA code. The server verifies whether the provided 2FA code is correct or not. The user is authenticated.
  10. 15 Different Techniques for Bypassing 2FA

  11. 15 Different Techniques for Bypassing 2FA: Response/status code manipulation. Brute-forcing the token. Token does not expire after use. Request two tokens, one from account A and one from account B, then use A's token in B's account. Try to go directly to the dashboard URL without solving the 2FA; if that does not succeed, try adding a Referer header pointing at the 2FA page URL while going to the dashboard.
  12. 15 Different Techniques for Bypassing 2FA: Search for the 2FA code in the response. Search for the 2FA code in JS files. CSRF/Clickjacking to disable 2FA. Request manipulation. Enabling 2FA does not expire previous sessions.
  13. 15 Different Techniques for Bypassing 2FA: No 2FA required for disabling 2FA. Password can be reset via "forgot password" without 2FA. Enter 0's in the code. Log in using OAuth to bypass 2FA. Backup code abuse using the above methods.
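As an added example (not code from the talk or its author), the block below models the server side of the flow on slide 9 in Python, written so that the code-handling weaknesses listed on slides 11 to 13 are rejected by design: the dashboard is gated on server-side state rather than on anything the client sends, a code is bound to one account and one session, it is single-use, it expires, it is voided after a bounded number of wrong guesses, it is compared in constant time (so padding with zeros is just another wrong guess), enabling 2FA drops the account's other sessions, and disabling 2FA requires a session that has already passed 2FA. The class, method names, constants and in-memory storage are all assumptions; a real deployment would back them with a database and deliver the code out of band.

```python
import hmac
import secrets
import time

# Added example, not code from the talk. All names and constants are assumptions.
CODE_TTL_SECONDS = 300   # assumed code lifetime
MAX_ATTEMPTS = 5         # assumed number of wrong guesses before the code is voided
CODE_LENGTH = 6


class TwoFactorService:
    """In-memory stand-in for the server side of login, 2FA and dashboard access."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be exercised
        self.mfa_enabled = set()       # accounts that have 2FA switched on
        self.sessions = {}             # session_id -> {"account", "mfa_passed"}
        self.pending = {}              # account -> {"code", "expires", "attempts", "session"}

    def _owned(self, account, session_id):
        s = self.sessions.get(session_id)
        return s if s is not None and s["account"] == account else None

    # Steps 1-2: password already validated; the session exists but is not yet
    # trusted for the dashboard if the account has 2FA enabled.
    def login(self, account, session_id):
        self.sessions[session_id] = {"account": account, "mfa_passed": False}

    # Step 3: issue a fresh code bound to one account AND to the session that asked.
    def issue_code(self, account, session_id):
        if self._owned(account, session_id) is None:
            return None
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self.pending[account] = {"code": code, "expires": self.now() + CODE_TTL_SECONDS,
                                 "attempts": 0, "session": session_id}
        return code  # delivered out of band; never echoed in a response body or JS

    # Step 4: the only place the second factor is decided, entirely server side.
    def verify_code(self, account, session_id, submitted):
        session = self._owned(account, session_id)
        entry = self.pending.get(account)
        if session is None or entry is None or entry["session"] != session_id:
            return False              # no code outstanding, or code issued to another session
        if self.now() > entry["expires"]:
            del self.pending[account]
            return False              # stale code
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[account]
            return False              # too many guesses: void the code, force a re-issue
        if not hmac.compare_digest(entry["code"], submitted):
            return False              # wrong value; "000000" is just another wrong value
        del self.pending[account]     # single use: a correct code cannot be replayed
        session["mfa_passed"] = True
        return True

    # Step 5: authorisation comes from server state, never from a client status code.
    def can_access_dashboard(self, session_id):
        s = self.sessions.get(session_id)
        if s is None:
            return False
        return s["account"] not in self.mfa_enabled or s["mfa_passed"]

    def enable_2fa(self, account, session_id):
        """Turn 2FA on and revoke every other session the account had."""
        self.mfa_enabled.add(account)
        self.sessions = {sid: s for sid, s in self.sessions.items()
                         if s["account"] != account or sid == session_id}

    def disable_2fa(self, account, session_id):
        """Disabling 2FA is itself sensitive: only a 2FA-verified session may do it."""
        s = self._owned(account, session_id)
        if s is None or not s["mfa_passed"]:
            return False
        self.mfa_enabled.discard(account)
        return True
```

The clock is injected so the expiry path can be exercised without sleeping; the attempt counter lives with the pending code, so a new code always starts with a clean budget and an attacker cannot keep guessing against one value indefinitely.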
  14. @tuhin1729 tuhinbose70@gmail.com