Today, we will study 2-Factor Authentication. We will learn how 2-Factor Authentication can be bypassed. Before bypassing 2-Factor Authentication, you should know what 2-Factor Authentication is.
We are continuing our series on Authentication Vulnerabilities and this is part 2. In part 1, we studied Authentication, Authentication Vulnerabilities, and Username enumeration via different responses, and we also did practical work on it.
What is 2-Factor Authentication?
2-Factor Authentication is an extra layer of security used to further protect a user’s account. In 2-Factor Authentication, the user receives a code or token by email or on their phone number and verifies their account with that code. Only after this verification can the user log in. This step comes after the first step, where we submit our credentials. If the credentials are correct, we still have to pass through the 2-Factor Authentication gate before we can access the resources, or, put simply, before we are actually logged in to our account.
Bypassing 2FA: Exploiting Authentication Vulnerabilities
Let’s take an example of Facebook for 2-Factor Authentication. When we activate 2-Factor Authentication on Facebook, a code is sent to our phone number when we try to log in to our account. After submitting the code, we can log in to our account.
Advantage of 2-Factor Authentication
The biggest advantage of 2-Factor Authentication is that even if our credentials are leaked in a data breach, or we fall victim to a phishing attack, the attacker cannot log in to our account without the 2-Factor Authentication code.
Now, let’s talk about bypassing 2-Factor Authentication. In a 2-Factor Authentication bypass, an attacker exploits an Authentication vulnerability in a website or application that lets them skip the second step and log in to the account directly, without ever supplying the Authentication code. 2-Factor Authentication bypass vulnerabilities arise when developers do not implement the login flow securely, and attackers take advantage of this to compromise the security of accounts.
2FA simple bypass
Now, we’ll solve a lab for 2FA simple bypass, which will clarify the basics of 2FA bypass. All the labs we’ll solve are from PortSwigger Web Security, and the labs build on one another.
If you haven’t read the first part of this article, where we brute-forced the username and password to gain access to an account, please read that first.
In this lab, we already have the victim’s username and password, but the victim has activated 2FA security this time, and we need to bypass it to log in.

Please take a closer look at the screenshot above, which shows our own account logged in as “wiener.” After logging in, we are prompted to enter a 4-digit code. As you can see in the screenshot, there is an option labeled “Email Client” that we can click to obtain our 4-digit security code via email.

You can now clearly see in this screenshot that when we clicked on the email client option, we received the security code. We can use this code to log in to our account.

Now, in the screenshot above, you can clearly see that we have successfully logged into our account by entering the 4-digit security code.
Now, if you focus on the URL, we have a URL like etc.exploit-server.net/my-account. We will now try to log in to our victim’s account. However, when we are prompted for the security code, we will not provide it. Instead, we will manipulate the URL. Let’s see how to do that.

I have logged out of my own account and submitted the credentials of Carlos, our victim. However, Carlos has enabled 2FA security, and we do not have access to his email or phone number. If you look closely at the URL, it shows:
etc.web-security-academy.net/login2
At the end of the URL, it says /login2. When we successfully logged into our own account, it showed /my-account at the end. What will happen if we try to manipulate the victim’s URL by replacing /login2 with /my-account? Let’s see.

As you can see, we have successfully bypassed Carlos’ account’s 2FA security. We simply replaced /login2 with /my-account and were able to log in.
This method let us bypass the 2FA security simply by manipulating the URL: the server had already treated us as logged in once the password was accepted, so the page behind /my-account never checked whether the code had been entered. Please note that this was a simple lab and bypassing it was easy. In future labs, we will use different techniques to solve the challenges.
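To make the root cause concrete, here is an added example, not the lab's or PortSwigger's code, modelling the two server designs in plain Python: a vulnerable flow that marks the session as logged in as soon as the password is accepted, and a hardened flow that records only a pending 2FA state until the code is verified. The usernames, passwords, in-memory session dict and route strings are constructed for the example.

```python
import hmac
import secrets

# Constructed sample credentials (not the lab's real ones); in a real app the
# 2FA code would be emailed or texted, never returned to the client.
USERS = {"wiener": "peter", "carlos": "montoya"}
ISSUED_CODES = {}  # username -> current one-time code, server side only

def issue_code(username):
    code = f"{secrets.randbelow(10000):04d}"  # 4-digit code like the lab's
    ISSUED_CODES[username] = code
    return code

def login(session, username, password, *, hardened):
    """First factor. The vulnerable design writes a full 'user' claim into
    the session here, before the code is ever checked."""
    if username not in USERS or not hmac.compare_digest(USERS[username], password):
        return "login failed"
    issue_code(username)
    if hardened:
        session["pending_2fa"] = username  # password ok, but NOT logged in yet
    else:
        session["user"] = username         # vulnerable: session already valid
    return "redirect /login2"

def verify_2fa(session, code, *, hardened):
    """Second factor: the hardened design upgrades the session only here."""
    username = session.get("pending_2fa") if hardened else session.get("user")
    if username is None:
        return "no login in progress"
    if not hmac.compare_digest(ISSUED_CODES.get(username, ""), code):
        return "bad code"
    ISSUED_CODES.pop(username)  # one-time use
    if hardened:
        session["user"] = session.pop("pending_2fa")
    return "redirect /my-account"

def handle_request(session, path):
    """Protected page. It only asks 'is there a user in the session?', so a
    vulnerable session that skipped /login2 walks straight into /my-account."""
    if path == "/my-account":
        if "user" in session:
            return f"200 my-account for {session['user']}"
        return "302 /login"
    return "404"
```

With hardened=False, a session that has passed only the password step is served /my-account, which is exactly the URL change shown above; with hardened=True the same request is redirected back to the login page until the code is verified.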