Hackzzz - The Notebook

2FA simple bypass

https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-simple-bypass

Level: Apprentice

This is just a simple 2FA Bypass, that it.
First, start authenticating to see what we can do with it.

Okay once we put the password and username, it tells us that an email has been sent to the respective user email.

Just to see what I can modify I put the 4-digit pin into it.
Nothing interesting for now.

Knowing that is a simple 2FA Bypass, I've seen that once you log in with the user credentials there is a /login2
So, try to change it to /my-account or /login1 to see what can happen.

Just getting out the /login2 you get into the user account, that's how simple it is.

PreviousUsername enumeration via different responses NextPassword reset broken logic

Last updated 1 year ago