Multi-factor authentication is when multiple means of authentication must be used in order to log in. The three categories are something you know (like a password), something you have (2FA code) or something you are (biometrics). Usually, this is a password followed by something else.
A common form of MFA is a code that is 4-6 digits long, which comes from either a text message or a different app on the phone. If you could bypass one of these, then you are bypassing authentication entirely.
Because the API that verifies the 4-6 digit code is so sensitive, it should have brute-force protections on it. Otherwise, the code can be guessed with enough tries. So, what if you could bypass the brute-force protections?
In this write-up, the author used the X-Forwarded-For header to change the IP address that the brute-force protections were keyed on. So, if one IP gets blocked, you can just switch to the next with the X-Forwarded-For header. This is an interesting bypass, since trusting this header is probably built into frameworks without people even realizing it.
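The weakness and two ways to close it, as an added example that is not code from the write-up: a failure limiter keyed on a client-supplied X-Forwarded-For value, next to one that only honours the header from known proxies and one keyed on the account. The proxy network, threshold, function names and sample requests are all assumptions constructed for illustration.

```python
import ipaddress

# Assumption: networks of the reverse proxies we operate (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
MAX_ATTEMPTS = 5  # hypothetical lockout threshold

def naive_client_ip(peer_ip, headers):
    """Weak: believes whatever the client put in X-Forwarded-For."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip

def _is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed hop: never treat as one of our proxies
    return any(addr in net for net in TRUSTED_PROXIES)

def hardened_client_ip(peer_ip, headers):
    """Honour the header only when the TCP peer is our proxy, then walk the
    chain right to left and stop at the first hop we do not operate."""
    if not _is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if not _is_trusted(hop):
            return hop
    return peer_ip

def accepted_guesses(key_fn, requests):
    """Count the guesses a per-key failure limiter lets through."""
    failures, accepted = {}, 0
    for account, peer_ip, headers in requests:
        key = key_fn(account, peer_ip, headers)
        if failures.get(key, 0) < MAX_ATTEMPTS:
            accepted += 1
            failures[key] = failures.get(key, 0) + 1  # every guess here is wrong
    return accepted

# Constructed sample: 20 wrong codes for one account over one connection,
# each request carrying a different X-Forwarded-For value.
SAMPLE = [("alice", "203.0.113.7", {"X-Forwarded-For": f"198.51.100.{i}"})
          for i in range(20)]

if __name__ == "__main__":
    print("naive IP key:   ", accepted_guesses(lambda a, p, h: naive_client_ip(p, h), SAMPLE))
    print("hardened IP key:", accepted_guesses(lambda a, p, h: hardened_client_ip(p, h), SAMPLE))
    print("account key:    ", accepted_guesses(lambda a, p, h: a, SAMPLE))
```

Keying the counter on the account or the pending MFA session is the stronger control, because it holds even when the source address changes for real.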