Introduction to the 2-Factor Authentication broken logic
We have server-side vulnerabilities in our possession, which are essentially a part of authentication vulnerabilities. Due to the 2-Factor Authentication broken logic vulnerability, an attacker or hacker can successfully bypass or circumvent the 2-Factor Authentication security measure of any website or web application and log into the user’s account. In this technique, an attacker either intercepts the request to gain access or creates a link and uses social engineering to make the victim click on it.
Lab Solutions | Practical Work Time
Lab Description: In the lab, we have already been provided with our own credentials, which are username=wiener & password=peter. In addition, we have also been provided with the victim’s username, whose account’s security we need to bypass to gain access.
Stepwise Solution of the Lab
Firstly, we log in to the lab as a normal user with our credentials. Then, we analyze GET or POST-based requests in Burp Suite to understand the type of request being generated and the type of response we are receiving from the server.
You can see in the screenshot above that our wiener user is being verified inside the cookie clearly. There is no encoding or cryptography used in the cookie. Due to the lack of security, we can easily manipulate it.
Now you can see that after logging in, we are being asked for a security code. There is a button named after the email client in the lab. If you click on it, you will receive a code. Once you enter that code, you will successfully log in to the wiener account. Now we have an idea of how the application works. REMEMBER, log out of the wiener account now.
Now, we will move on to our main work, which is to break into Carlos’ account and log in by some means.
In the Burp Suite HTTP history, a GET-based request is generated with the name /login2. You can see the screenshot of this request above. Remember, this is the request that generates the security code. We will remove Wiener from its cookie and replace it with Carlos because we need to generate a security code from Carlos’ account. In the above screenshot, the “verify” parameter had “wiener” value, so I simply modified it to “carlos”. After submitting the request, the server must have generated the code.
When I further analyzed the requests, I found another POST-based request named /login2, which mentioned the security code as “mfa-code=1888”. Our user was also being verified in the cookie.
Bruteforce attack to crack 2-Factor Authentication security code
After sending the POST /login2 request to Intruder, add the security code. Then, go to the Simple Payloads tab and select the “Brute Forcer” option. Set the payload to “1to9” and add “4-4” in the next steps. Click on “Start Attack”. Remember to change the username from Wiener to Carlos before starting the attack.
When the attack was finished, we found the 302 request, which led us to Carlos’s account. We opened it in the browser and successfully logged in. We have now solved the lab.
Thank you for reading. Follow us on Twitter @masaudsec.