2FA Broken Logic

Exploiting the broken logic for 2FA

In this post, we will see how insecure logic for two-factor authentication (2FA) can lead to gaining unauthorized access to other users' accounts.

For the demonstration we will use the PortSwigger academy lab.

Demonstration

Note - Turn on Burp Suite and intercept the traffic in the background for later analysis.

Log in with the credentials provided:

wiener - peter

Enter any invalid code, then check the Burp Suite HTTP history.

We can see a POST request to /login2. It carries a 'verify' parameter holding the username and an mfa-code parameter holding the 2FA code; the server uses these two values to decide whose code is being checked. Log out of the user wiener and send that POST request to Repeater.

In Repeater, change the 'verify' parameter to our target user 'carlos', then send the request.

In the response, observe that the application asks for the 4-digit 2FA code. This means the application now treats us as user carlos, even though we never entered his password.

Right-click the request and select 'Show response in browser'. Copy the generated link and paste it into the browser.

Enter an invalid OTP and submit it. Check the request in Burp.

Send this request to Intruder.

Clear the automatically highlighted payload positions.

Change the username to carlos. Select the value of mfa-code and click 'Add'. This wraps the value in § payload markers.

Set the payload type to Numbers, sequential, with a range from 1000 to 9999 (the code is 4 digits) and a step of 1. Start the attack.

Now sort the results by the Status column; the request that received a 302 response is the one with the correct code. Right-click it, select 'Show response in browser', and paste the link into the browser.
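The walkthrough above exploits two separate weaknesses: /login2 lets the client-supplied 'verify' value decide whose code is checked (the Repeater step), and nothing limits how many codes can be tried (the Intruder step). The following Python model is an added example, not the lab's code and not PortSwigger's; it puts a minimal version of the vulnerable step-2 handler beside a hardened one that takes the identity only from server-side session state and locks the pending login after a fixed number of attempts. The user table, `Store`, `Session`, `MAX_MFA_ATTEMPTS` and all function names are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data for the example. The password for carlos is a
# placeholder the attacker does not know; the lab's real values are not used.
USERS = {"wiener": "peter", "carlos": "PLACEHOLDER-unknown-to-attacker"}
MAX_MFA_ATTEMPTS = 5  # assumed policy value for the hardened handler


@dataclass
class Session:
    pending_user: Optional[str] = None        # set by a correct password, before 2FA
    authenticated_user: Optional[str] = None  # set only after a correct 2FA code
    mfa_attempts: int = 0


@dataclass
class Store:
    sessions: dict = field(default_factory=dict)  # session id -> Session
    codes: dict = field(default_factory=dict)     # username -> 4-digit code


def issue_code(store: Store, username: str) -> str:
    """Generate and remember a fresh 4-digit code for a user (stands in for the email)."""
    code = f"{secrets.randbelow(10000):04d}"
    store.codes[username] = code
    return code


def login(store: Store, session_id: str, username: str, password: str) -> bool:
    """Step 1 (/login): check the password and park the user on the session."""
    session = store.sessions.setdefault(session_id, Session())
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return False
    session.pending_user = username
    session.mfa_attempts = 0
    issue_code(store, username)
    return True


def login2_vulnerable(store: Store, session_id: str, verify: str, mfa_code: str) -> bool:
    """Step 2 as the lab behaves: the client-supplied 'verify' value decides which
    account the code is issued and checked for, and nothing counts attempts."""
    session = store.sessions.setdefault(session_id, Session())
    if verify not in store.codes:
        issue_code(store, verify)  # a code is generated for whoever 'verify' names
    if store.codes[verify] == mfa_code:
        session.authenticated_user = verify
        return True
    return False


def login2_hardened(store: Store, session_id: str, mfa_code: str) -> str:
    """Step 2 done safely: the identity comes only from session state set by a
    correct password, attempts are counted, and the code is single-use."""
    session = store.sessions.get(session_id)
    if session is None or session.pending_user is None:
        return "no-pending-login"
    user = session.pending_user
    session.mfa_attempts += 1
    if session.mfa_attempts > MAX_MFA_ATTEMPTS:
        store.codes.pop(user, None)   # invalidate the code and abandon the login
        session.pending_user = None
        return "locked"
    expected = store.codes.get(user, "")
    if expected and hmac.compare_digest(expected, mfa_code):
        store.codes.pop(user)         # single use: a replayed code is rejected
        session.pending_user = None
        session.authenticated_user = user
        return "ok"
    return "wrong-code"


def guess_codes_vulnerable(store: Store, session_id: str, verify: str) -> Optional[int]:
    """Replays the Intruder step against the vulnerable handler: walks 0000..9999
    for the named account. Returns the number of requests needed, or None."""
    for n in range(10000):
        if login2_vulnerable(store, session_id, verify, f"{n:04d}"):
            return n + 1
    return None


def guess_codes_hardened(store: Store, session_id: str):
    """Same loop against the hardened handler. There is no identity to swap, and
    the counter ends the attempt early; returns (requests made, last result)."""
    for n in range(10000):
        result = login2_hardened(store, session_id, f"{n:04d}")
        if result in ("ok", "locked"):
            return n + 1, result
    return 10000, "wrong-code"
```

In the vulnerable model an attacker who only knows wiener's password can be logged in as carlos after at most 10000 requests; in the hardened model the pending user is whoever passed the password check, so there is nothing equivalent to the 'verify' swap, and the sixth wrong guess discards the code and the pending login. Rate limiting per account and per source address, and a longer code, would be layered on top in a real deployment.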

Lab Solved
