Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Better 2FA Bug hunting Approach- 501

admiralarjun, posted 4 years ago
  • Instead of relying on a password alone, many sites offer an additional way to validate the user's identity. This is called multi-factor authentication (MFA). Bypassing MFA is often a step toward full account compromise. This short article is a list of MFA test cases.
  • The first (obvious) issue is a lack of rate limiting. A few interesting attacks here:
    • Brute forcing the OTP with an unlimited amount of requests.
    • Creating an unlimited amount of OTP codes where the previous ones do not expire.
    • Bypassing whatever rate limiting does exist, depending on what the restriction is keyed on (per IP, per session, per account, and so on).
  • Besides the obvious attacks, there can be issues with the logic.
    • OTPs can be reused: a code issued for one action is accepted for a different one, or a code issued to one user is accepted for another.
    • Old OTPs are still accepted after a new one has been issued.
    • Validation happens only on the client side.
    • The OTP is leaked in response headers or error messages.
  • There are some other interesting session management handling issues as well.
    • Disabling 2FA does not itself require a 2FA code. Interesting attack!
    • No 2FA on sensitive actions such as password resets, password changes, or other account-level changes.
    • Different APIs for web and mobile clients, which may not enforce the same 2FA checks.
  • Overall, there are some interesting test cases in here to consider. Coming up with these ideas from scratch is hard!
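To make the rate-limiting and logic test cases above concrete, here is an added example (my own illustration, not code from the article or its author) of two OTP stores side by side: a weak one that exhibits the flaws listed (no attempt cap, codes never expire, codes not bound to a user, reuse allowed) and a hardened one that closes each of them. The `brute_force` helper plays the attacker walking the 6-digit space. All class names, limits (`OTP_TTL`, `MAX_ATTEMPTS`) and sample users are assumptions chosen for the demo.

```python
"""Constructed OTP verifiers: one with the flaws the article lists, one hardened.

All names, limits and sample users are assumptions for illustration; none
come from the article.
"""
import hmac
import secrets

DIGITS = 6
OTP_TTL = 300       # seconds an OTP stays valid (assumed policy)
MAX_ATTEMPTS = 5    # wrong guesses allowed before the OTP is burned (assumed policy)


def random_otp():
    """Uniform random 6-digit code, zero-padded."""
    return f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"


class WeakOtpStore:
    """Issues codes the way a vulnerable app might: every code ever issued
    stays valid, is not bound to a user, can be reused, and can be guessed
    as many times as the attacker likes."""

    def __init__(self, gen=random_otp):
        self._gen = gen          # injectable generator so tests are deterministic
        self._issued = set()

    def issue(self, user, now):
        otp = self._gen()
        self._issued.add(otp)    # old codes are never removed: no expiry
        return otp

    def verify(self, user, candidate, now):
        # user is ignored (cross-user reuse), no expiry, no attempt cap,
        # and a successful code is not consumed (replay)
        return candidate in self._issued


class HardenedOtpStore:
    """One live code per user, bound to that user, time-limited, single use,
    and burned after MAX_ATTEMPTS wrong guesses."""

    def __init__(self, gen=random_otp):
        self._gen = gen
        self._live = {}          # user -> {"otp": str, "issued": float, "attempts": int}

    def issue(self, user, now):
        otp = self._gen()
        # Replacing the record invalidates any previously issued code for this user.
        self._live[user] = {"otp": otp, "issued": now, "attempts": 0}
        return otp

    def verify(self, user, candidate, now):
        rec = self._live.get(user)
        if rec is None:
            return False
        if now - rec["issued"] > OTP_TTL:
            del self._live[user]  # expired: drop it so it can never be replayed
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._live[user]  # too many guesses: burn the code, force re-issue
            return False
        if hmac.compare_digest(rec["otp"], candidate):
            del self._live[user]  # single use: consume on success
            return True
        return False


def brute_force(store, user, now):
    """Attacker loop: try every code in order against one user's login.
    Returns (code, attempts) on success or (None, attempts) if nothing worked."""
    attempts = 0
    for n in range(10 ** DIGITS):
        candidate = f"{n:0{DIGITS}d}"
        attempts += 1
        if store.verify(user, candidate, now):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    weak = WeakOtpStore()
    weak.issue("alice", now=0)
    print("weak store brute force:", brute_force(weak, "alice", now=0))
    hard = HardenedOtpStore()
    hard.issue("alice", now=0)
    print("hardened store brute force:", brute_force(hard, "alice", now=0))
```

Against the weak store the loop always lands on a valid code, and because codes are not bound to a user, a code issued to Bob will log in Alice. Against the hardened store the same loop gets five guesses, after which the code is burned and every further guess is rejected; the only remaining move for the attacker is to trigger a re-issue, which is exactly where a test for "unlimited OTP generation" comes in.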