Pentest Book
MFA

Common flaws

# Lack of rate limit
- Exploitation:
1. Request a 2FA code and capture that request in your proxy.
2. Replay the request 100–200 times. If the server keeps issuing codes with no throttling, lockout or CAPTCHA, the endpoint has a rate limit issue.
3. On the 2FA code verification page, brute-force the code (a 4–6 digit OTP is only 10^4–10^6 candidates) and check whether any submission is accepted.
4. You can also run both sides at once: keep requesting new OTPs on one side while submitting guesses on the other. If previously issued codes are not invalidated, several codes are valid at the same time and a guess matches much sooner than a plain brute force would.
# Rate limit bypass
# Limiting the flow rate
# Generated OTP code doesn't change
# Rate limit resetting when a new code is requested
# Bypassing the rate limit by changing the IP address
# Support for X-Forwarded-For turned on
# Bypass by replacing part of the request with values from another session
# Bypass using the "Remember Me" functionality
# If 2FA is attached to a cookie, the cookie value must be unguessable
# If 2FA is attached to an IP address, you can try to spoof your IP address
# Improper access control bug on the 2FA dialog page
# Insufficient masking of personal data on the 2FA page
# Ignoring 2FA under certain circumstances
# Ignoring 2FA when recovering a password
# Ignoring 2FA when logging in through a social network
# Ignoring 2FA in an older version of the application
# Ignoring 2FA on another platform (for example the mobile app instead of the web application)
# When disabling 2FA, the current code or password is not requested
# Previously created sessions remain valid after activation of 2FA
# Lack of rate limit per user account (the OTP is validated, but the user ID it was issued for is not)
# Manipulation of API versions
# Improper access control in the backup codes request
# Response body manipulation
# HTTP response status code manipulation
# Code leakage in the response
# Direct Request/Forceful Browsing
- Exploitation:
1. Normal flow: Login -> MFA -> Profile
2. Attack: Login -> MFA page, then, instead of entering the code, request the Profile URL directly and check whether the server serves it without a completed MFA step.
# Cached OTP in dynamic JS files
# OTP code reusability
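The following is an added example, not code from the Pentest Book or from either linked article. It is an in-process Python model (no real HTTP, no real SMS) of an OTP verification endpoint: VulnerableMfa reproduces four of the flaws listed above (no rate limit on verification, the generated code never changes, the code stays valid after use, and the profile page is reachable by direct request without completing MFA), HardenedMfa shows the corresponding fixes, and brute_force() is the attacker side of step 3. The class names, the 4-digit code length and the MAX_ATTEMPTS threshold are assumptions chosen so the brute force finishes instantly; real OTPs are longer and the same loop would be driven by HTTP requests from a proxy's repeater.

```python
"""Constructed model of an OTP verification flow (not the page's code).
VulnerableMfa reproduces flaws from the list above; HardenedMfa fixes them;
brute_force() is the attacker loop from step 3 of "Lack of rate limit"."""
import hmac
import secrets

OTP_DIGITS = 4      # assumption: 4-digit code so the brute force is instant
MAX_ATTEMPTS = 5    # assumption: lockout threshold for the hardened verifier


def _new_code() -> str:
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


class VulnerableMfa:
    """Flaws modelled: no rate limit on verify(); request_otp() keeps returning
    the same code; a code stays valid after a successful check (reusability);
    profile() only checks that a login happened, not that MFA completed
    (direct request / forceful browsing)."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user", "otp", "mfa_done"}

    def login(self, user: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "otp": None, "mfa_done": False}
        return sid

    def request_otp(self, sid: str) -> str:
        s = self.sessions[sid]
        if s["otp"] is None:          # generated once, never rotated
            s["otp"] = _new_code()
        return s["otp"]               # would go out by SMS/e-mail; returned for the demo

    def verify(self, sid: str, code: str) -> int:
        s = self.sessions[sid]
        if s["otp"] is not None and code == s["otp"]:
            s["mfa_done"] = True      # code is not cleared, so it can be replayed
            return 200
        return 401

    def profile(self, sid: str) -> int:
        return 200 if sid in self.sessions else 403   # never looks at mfa_done


class HardenedMfa(VulnerableMfa):
    """Per-session attempt counter that is NOT reset by requesting a new code,
    fresh code per request, single-use code, constant-time compare, and
    profile() gated on the MFA step having completed."""

    def __init__(self):
        super().__init__()
        self.attempts = {}            # session id -> failed/used verify() calls

    def request_otp(self, sid: str) -> str:
        s = self.sessions[sid]
        s["otp"] = _new_code()        # old code invalidated; attempt count kept
        return s["otp"]

    def verify(self, sid: str, code: str) -> int:
        s = self.sessions[sid]
        used = self.attempts.get(sid, 0)
        if used >= MAX_ATTEMPTS:
            return 429                # locked; requesting a new code does not unlock
        self.attempts[sid] = used + 1
        if s["otp"] is not None and hmac.compare_digest(code, s["otp"]):
            s["otp"] = None           # single use
            s["mfa_done"] = True
            self.attempts[sid] = 0
            return 200
        return 401

    def profile(self, sid: str) -> int:
        s = self.sessions.get(sid)
        return 200 if s and s["mfa_done"] else 403


def brute_force(server, sid: str):
    """Submit every candidate code until the verifier answers 200.
    Returns (code, submissions) on success, (None, submissions) when locked
    out (429) or when the whole code space was exhausted."""
    for n in range(10 ** OTP_DIGITS):
        code = f"{n:0{OTP_DIGITS}d}"
        status = server.verify(sid, code)
        if status == 200:
            return code, n + 1
        if status == 429:
            return None, n + 1
    return None, 10 ** OTP_DIGITS


if __name__ == "__main__":
    v = VulnerableMfa()
    sid = v.login("alice")
    print("vulnerable: issued", v.request_otp(sid), "brute force ->", brute_force(v, sid))
    print("vulnerable: /profile without MFA ->", v.profile(v.login("bob")))
    h = HardenedMfa()
    sid = h.login("alice")
    h.request_otp(sid)
    print("hardened: brute force ->", brute_force(h, sid))
    print("hardened: /profile without MFA ->", h.profile(sid))
```

Against VulnerableMfa the loop always lands on the code, the same code is accepted again afterwards, and a session that never touched the MFA page still gets the profile. Against HardenedMfa the loop stops with 429 after MAX_ATTEMPTS submissions, requesting a fresh code leaves the lock in place (the "rate limit resetting when a new code is requested" item), a correct code works exactly once, and the profile is only served once mfa_done is set.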

Mindmaps

https://medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35
https://blog.cobalt.io/bypassing-the-protections-mfa-bypass-techniques-for-the-win-8ef6215de6ab
Last modified 9mo ago