MFA
Common flaws
# Lack of rate limit
- Exploitation:
1. Request 2FA code and capture this request.
2. Repeat this request 100–200 times; if no limit is enforced, that is a rate-limit issue.
3. On the 2FA code verification page, try to brute-force a valid 2FA code and see whether any attempt succeeds.
4. You can also run both at once: keep requesting OTPs on one side while brute-forcing on the other. At some point an OTP will match in the middle and may give you a quick result.
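As an added example (not code from the original page or from the linked write-ups), the following Python shows the server-side controls that close this flaw and several of the related ones listed under the headings that follow: a per-user guess budget that a new code request does not reset, throttling of code requests, a short code lifetime, single-use codes, and verification bound to the user id. The policy values, class names and the in-memory store are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Policy values are assumptions for this example, not taken from the page.
OTP_TTL_SECONDS = 300          # a code is only valid for five minutes
MAX_VERIFY_ATTEMPTS = 5        # wrong guesses per user before a lockout
LOCKOUT_SECONDS = 900          # how long a locked user must wait
MAX_SENDS_PER_WINDOW = 3       # how many codes a user may request per window
SEND_WINDOW_SECONDS = 600


@dataclass
class OtpState:
    code: Optional[str] = None
    issued_at: float = 0.0
    failed_attempts: int = 0
    locked_until: float = 0.0
    send_times: List[float] = field(default_factory=list)


class OtpService:
    """In-memory OTP issuer and verifier, keyed by user id (illustrative only)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock            # injectable so tests can move time forward
        self.users: Dict[str, OtpState] = {}

    def _state(self, user_id: str) -> OtpState:
        return self.users.setdefault(user_id, OtpState())

    def request_code(self, user_id: str) -> Optional[str]:
        """Issue a fresh code for delivery out of band; None when throttled or locked."""
        now = self.clock()
        st = self._state(user_id)
        if now < st.locked_until:
            return None
        # Sliding window on code deliveries (limits OTP flooding and SMS cost abuse).
        st.send_times = [t for t in st.send_times if now - t < SEND_WINDOW_SECONDS]
        if len(st.send_times) >= MAX_SENDS_PER_WINDOW:
            return None
        st.send_times.append(now)
        # A new random code every time; failed_attempts is deliberately NOT reset,
        # so requesting a new code never refills the guess budget.
        st.code = f"{secrets.randbelow(10 ** 6):06d}"
        st.issued_at = now
        return st.code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Check a code for this specific user. Succeeds at most once per issued code."""
        now = self.clock()
        st = self._state(user_id)
        if now < st.locked_until:
            return False
        if st.code is None or now - st.issued_at > OTP_TTL_SECONDS:
            return False
        # The stored code is looked up by user_id, so a code issued to one account
        # can never validate for another; compare_digest avoids timing leaks.
        if hmac.compare_digest(st.code, str(submitted)):
            st.code = None            # single use: a replayed code is rejected
            st.failed_attempts = 0
            return True
        st.failed_attempts += 1
        if st.failed_attempts >= MAX_VERIFY_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failed_attempts = 0
            st.code = None            # the current code is burned by the lockout
        return False
```

The counters live per user rather than per IP or per session, so changing the source address or re-sending the request from a fresh session does not reset them; a production deployment would keep `OtpState` in a shared store so the limit holds across application instances.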
# Rate limit bypass
# Limiting the flow rate
# Generated OTP code doesn’t change
# Rate-limit resetting when updating the code
# Bypassing the rate limit by changing the IP address
# Support for X-Forwarded-For turned on
# Bypass replacing part of the request from the session
# Bypass using the "Remember Me" functionality
# If 2FA is attached using a cookie, the cookie value must be unguessable
# If 2FA is attached to an IP address, you can try to replace your IP address
# Improper access control bug on the 2FA dialog page
# Insufficient censorship of personal data on the 2FA page
# Ignoring 2FA under certain circumstances
# 2FA ignoring when recovering a password
# Ignoring 2FA when entering through a social network
# Ignoring 2FA in an older version of the application
# Ignoring 2FA in case of cross-platforming
# When disabling 2FA, the current code or password is not requested
# Previously created sessions remain valid after activation of 2FA
# Lack of rate limit in the user's account (the OTP is validated, but the user's id is not)
# Manipulation of API’s versions
# Improper Access Control in the backup codes request
# Response body manipulation
# HTTP Response Status Code Manipulation
# Code Leakage in Response
# Direct Request/Forceful Browsing
- Exploitation:
1. Normal flow: Login -> MFA -> Profile
2. Attack: Login -> MFA; instead of entering the MFA code, navigate directly to Profile
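A defender-side illustration of the fix, added here as an example and not code from the original page: the session records which step of Login -> MFA -> Profile has been completed, and one central dispatcher refuses every route outside a small pre-MFA allowlist until the second step is done. The credential store, route names and fixed OTP are constructed for the demo; a real system would store password hashes and generate codes dynamically.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo credential store (assumption for this example only).
USERS = {"alice": {"password": "correct horse battery", "otp": "123456"}}

# Routes that are reachable before the second factor has been presented.
PRE_MFA_ROUTES = {"/login", "/mfa", "/logout"}


@dataclass
class Session:
    user_id: Optional[str] = None
    mfa_verified: bool = False


def login(session: Session, username: str, password: str) -> bool:
    """Step 1 of the flow: password check. Starting a login always resets the MFA step."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return False
    session.user_id = username
    session.mfa_verified = False
    return True


def verify_mfa(session: Session, code: str) -> bool:
    """Step 2 of the flow: only a session that passed step 1 may present a code."""
    if session.user_id is None:
        return False
    if hmac.compare_digest(USERS[session.user_id]["otp"], code):
        session.mfa_verified = True
        return True
    return False


def dispatch_vulnerable(session: Session, path: str) -> Tuple[int, Optional[str]]:
    """Flawed routing: 'a user id is in the session' is treated as 'fully
    authenticated', so Login -> (skip MFA) -> /profile is allowed."""
    if path in PRE_MFA_ROUTES:
        return 200, None
    if session.user_id is None:
        return 302, "/login"
    return 200, None


def dispatch_hardened(session: Session, path: str) -> Tuple[int, Optional[str]]:
    """Fixed routing: every route outside the pre-MFA allowlist requires both
    steps, enforced in one central place rather than per page."""
    if path in PRE_MFA_ROUTES:
        return 200, None
    if session.user_id is None:
        return 302, "/login"
    if not session.mfa_verified:
        return 302, "/mfa"            # send the user back to the step they skipped
    return 200, None
```

Checking the MFA state centrally (deny by default) matters more than the exact flag name: a per-page check is easy to forget on a newly added route, which is exactly the gap forceful browsing exploits.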
# Cached OTP in Dynamic JS Files
# OTP Code Reusability
Mindmaps
![](https://cyb3r.gitbook.io/~gitbook/image?url=https%3A%2F%2F3869391553-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FDMM6SCLTDlo5fkDXCdeU%252Fuploads%252Fgit-blob-9426e48058c319583391b545f493923b621c6b00%252Fimage%2520%289%29.png%3Falt%3Dmedia&width=768&dpr=4&quality=100&sign=450350c6&sv=2)
![](https://cyb3r.gitbook.io/~gitbook/image?url=https%3A%2F%2F3869391553-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FDMM6SCLTDlo5fkDXCdeU%252Fuploads%252Fgit-blob-2bff579873c0281e1d9995134104da5aff7e2a19%252Fimage%2520%288%29.png%3Falt%3Dmedia&width=768&dpr=4&quality=100&sign=563e77e1&sv=2)
![](https://cyb3r.gitbook.io/~gitbook/image?url=https%3A%2F%2F3869391553-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FDMM6SCLTDlo5fkDXCdeU%252Fuploads%252Fgit-blob-ab3efdc7f4127b546eae62bb8844dd3aa77c6989%252Fmfa.png%3Falt%3Dmedia&width=768&dpr=4&quality=100&sign=86274ac3&sv=2)
https://medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35
https://blog.cobalt.io/bypassing-the-protections-mfa-bypass-techniques-for-the-win-8ef6215de6ab