
2FA/OTP Bypass

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

WhiteIntel

WhiteIntel is a dark-web fueled search engine that offers free functionality to check whether a company or its customers have been compromised by stealer malware.

The primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.

You can check their website and try their engine for free.

Enhanced Two-Factor Authentication Bypass Techniques

Direct Endpoint Access

To bypass 2FA, try requesting the endpoint that follows the 2FA step directly; knowing its path is crucial. If that fails, alter the Referer header to mimic navigation from the 2FA verification page.

Token Reuse

Reusing a token that has already been used once for authentication within an account can be effective.

Utilization of Unused Tokens

Extracting a token issued to one's own account and using it to bypass 2FA on another account can be attempted.

Exposure of Token

Investigate whether the token is disclosed in a response from the web application.

Using the email verification link sent upon account creation can allow profile access without 2FA, as highlighted in a detailed post.

Session Manipulation

Start sessions for both the user's own account and a victim's account, complete 2FA for the user's account but do not proceed past it, then attempt to access the next step of the victim's account flow. This exploits backends that track 2FA completion loosely rather than per session.
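The defence against both "Direct Endpoint Access" and "Session Manipulation" is the same: the post-2FA endpoint must derive its decision from the state of the requesting session, stored server-side, and the 2FA challenge must be bound to the one session that received it. The following Python model is an added example written for this page, not code from HackTricks or from any real application; the endpoint name handle_dashboard, the AuthState names and the out-of-band delivery of the code are assumptions.

```python
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class AuthState(Enum):
    ANONYMOUS = "anonymous"
    PASSWORD_OK = "password_ok"   # first factor done, second factor still pending
    MFA_OK = "mfa_ok"             # fully authenticated


@dataclass
class Session:
    user: Optional[str] = None
    state: AuthState = AuthState.ANONYMOUS
    pending_code: Optional[str] = None   # challenge issued to THIS session only


class SessionStore:
    """Server-side session table; the browser only ever holds the opaque id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Session:
        return self._sessions[sid]


def password_login(store: SessionStore, sid: str, user: str) -> str:
    """First factor accepted: advance this session and bind a fresh challenge to it."""
    s = store.get(sid)
    s.user = user
    s.state = AuthState.PASSWORD_OK
    s.pending_code = "%06d" % secrets.randbelow(10**6)
    return s.pending_code   # assumption: delivered to the user out of band (SMS, app)


def complete_mfa(store: SessionStore, sid: str, code: str) -> bool:
    """Second factor: only valid for the session that received the challenge, and only once."""
    s = store.get(sid)
    if s.state is not AuthState.PASSWORD_OK or s.pending_code is None:
        return False
    if not secrets.compare_digest(s.pending_code, code):
        return False
    s.pending_code = None          # consumed: the same code cannot be replayed
    s.state = AuthState.MFA_OK
    return True


def handle_dashboard(store: SessionStore, sid: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Post-2FA endpoint. The decision comes from the session state alone; the Referer
    header (or any other client-supplied header) is never consulted."""
    s = store.get(sid)
    if s.state is not AuthState.MFA_OK:
        return 403, "second factor required"
    return 200, "welcome %s" % s.user
```

Because the flag lives in the session row rather than in a per-user table, finishing 2FA in the attacker's own session leaves the victim's session at PASSWORD_OK, and a request that carries a plausible Referer but no completed second factor is still refused.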

Password Reset Mechanism

Investigate the password reset function, which logs a user into the application after the reset, for whether the same reset link can be used more than once. Logging in with the newly reset credentials might bypass 2FA.
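The token findings above (reuse, cross-account use, exposure in responses, reusable reset links) share one root cause: a token that is not bound to a single account and purpose, not single-use, and not expiring. The Python service below is an added example for this page, not HackTricks code or any vendor's implementation; the TTL values, the "otp" and "reset" purpose names and the Accounts class are assumptions, and the password hashing shown is a placeholder for a real password KDF.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

OTP_TTL = 300      # seconds a one-time code stays valid (assumed value)
RESET_TTL = 900    # seconds a password-reset link stays valid (assumed value)


@dataclass
class Token:
    digest: str        # sha256 of the secret; the plaintext is never stored
    expires_at: float
    used: bool = False


class TokenService:
    """At most one live token per (account, purpose); issuing a new one retires the old one."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._tokens: Dict[Tuple[str, str], Token] = {}

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, user: str, purpose: str) -> str:
        if purpose == "otp":
            secret, ttl = "%06d" % secrets.randbelow(10**6), OTP_TTL
        elif purpose == "reset":
            secret, ttl = secrets.token_urlsafe(32), RESET_TTL
        else:
            raise ValueError("unknown token purpose")
        self._tokens[(user, purpose)] = Token(self._digest(secret), self._now() + ttl)
        return secret   # goes only to the delivery channel, never into an HTTP response body

    def redeem(self, user: str, purpose: str, secret: str) -> bool:
        """True exactly once, and only for the account and purpose the token was issued for."""
        t = self._tokens.get((user, purpose))
        if t is None or t.used or self._now() > t.expires_at:
            return False
        if not hmac.compare_digest(t.digest, self._digest(secret)):
            return False
        t.used = True
        return True


class Accounts:
    """Password reset changes the password only; 2FA enrolment and login state are untouched."""

    def __init__(self, tokens: TokenService) -> None:
        self._tokens = tokens
        self.mfa_enrolled: Dict[str, bool] = {}
        self.password_digest: Dict[str, str] = {}

    def reset_password(self, user: str, link_secret: str, new_password: str) -> str:
        if not self._tokens.redeem(user, "reset", link_secret):
            return "invalid_or_used_link"
        # placeholder hash for the example; a production system uses a password KDF
        self.password_digest[user] = hashlib.sha256(new_password.encode()).hexdigest()
        # no session is created here: the user logs in again and, if enrolled, still completes 2FA
        return "mfa_required" if self.mfa_enrolled.get(user) else "login_required"
```

Keying the store by (account, purpose) is what stops a code extracted from one's own account from being redeemed against another account, and it makes re-issuing a reset link retire the previous one rather than leaving two live links in circulation.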

OAuth Platform Compromise

Compromising a user's account on a trusted OAuth platform (e.g., Google, Facebook) can offer a route to bypass 2FA.

Brute Force Attacks

Rate Limit Absence

The lack of a limit on the number of code attempts allows for brute force attacks, though potential silent rate limiting should be considered.

Slow Brute Force

A slow brute force attack is viable where flow rate limits exist without an overarching rate limit.

Code Resend Limit Reset

Resending the code resets the rate limit, facilitating continued brute force attempts.

Client-Side Rate Limit Circumvention

A document details techniques for bypassing client-side rate limiting.

Internal Actions Lack Rate Limit

Rate limits may protect login attempts but not internal account actions.

SMS Code Resend Costs

Excessive resending of codes via SMS incurs costs to the company, though it does not bypass 2FA.

Infinite OTP Regeneration

Endless OTP generation with simple codes allows brute force by retrying a small set of codes.

Race Condition Exploitation

Exploiting race conditions for 2FA bypass can be found in a specific document.
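The brute-force findings above (no attempt limit, silent or flow-only limits, a resend that resets the counter, unlimited OTP regeneration) and the race condition all come down to how the verification counter is kept. The Python guard below is an added example for this page, not HackTricks code or a real product's logic; the limits, the lockout length and the 6-digit code format are assumptions. It counts attempts per account rather than per code, so resending buys no extra guesses, caps resends, and does count-then-compare inside one lock so that parallel requests cannot all observe the same pre-limit count.

```python
import secrets
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_ATTEMPTS = 5    # wrong guesses allowed per account before lockout (assumed)
MAX_RESENDS = 3     # new codes a client may request before lockout (assumed)
LOCKOUT = 900       # seconds (assumed)


@dataclass
class Challenge:
    code: str
    attempts: int = 0          # counted per account, so a resend does not reset it
    resends: int = 0
    locked_until: float = 0.0


def _new_code() -> str:
    return "%06d" % secrets.randbelow(10**6)


class OtpGuard:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._lock = threading.Lock()   # one critical section for count-and-compare
        self._by_account: Dict[str, Challenge] = {}

    def _current(self, account: str) -> Optional[Challenge]:
        """Live challenge for the account; an expired lockout discards the whole challenge,
        so the user must request a fresh code rather than resume guessing the old one."""
        c = self._by_account.get(account)
        if c is not None and c.locked_until and self._now() >= c.locked_until:
            del self._by_account[account]
            return None
        return c

    def issue_or_resend(self, account: str) -> Optional[str]:
        """Return a fresh code, or None if the account is locked. The previous code dies;
        the attempt counter survives, so resending never resets the limit."""
        with self._lock:
            c = self._current(account)
            if c is None:
                c = Challenge(code=_new_code())
                self._by_account[account] = c
                return c.code
            if self._now() < c.locked_until:
                return None
            if c.resends >= MAX_RESENDS:
                c.locked_until = self._now() + LOCKOUT
                return None
            c.resends += 1
            c.code = _new_code()
            return c.code

    def verify(self, account: str, submitted: str) -> bool:
        with self._lock:   # two parallel requests cannot both see attempts == MAX_ATTEMPTS - 1
            c = self._current(account)
            if c is None or self._now() < c.locked_until:
                return False
            c.attempts += 1                      # count BEFORE comparing
            if c.attempts > MAX_ATTEMPTS:
                c.locked_until = self._now() + LOCKOUT
                return False
            if secrets.compare_digest(c.code, submitted):
                del self._by_account[account]    # success consumes the challenge
                return True
            return False
```

In a multi-process deployment the threading lock becomes an atomic increment in the shared store (the same count-before-compare order applies); the in-memory version is enough to show why the order matters.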

CSRF/Clickjacking Vulnerabilities

Exploring CSRF or Clickjacking vulnerabilities to disable 2FA is a viable strategy.

"Remember Me" Feature Exploits

Guessing the "remember me" cookie value can bypass restrictions.
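A "remember me" value is guessable when it is derived from something predictable (a user id, a timestamp, a counter) or is simply too short. The Python store below is an added example for this page, not HackTricks code or any framework's implementation; the 30-day lifetime and the cookie attributes named in the comments are assumptions. Each cookie is 256 random bits, only its hash is kept server-side, it is tied to the account it was issued for, it expires, and it is revoked wholesale on credential changes.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

REMEMBER_TTL = 30 * 24 * 3600   # seconds a trusted-device cookie may skip the second factor (assumed)


class RememberMeStore:
    """Trusted-device cookies: 256 random bits per cookie, only a hash kept server-side."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._rows: Dict[str, Tuple[str, float]] = {}   # sha256(cookie) -> (user, expires_at)

    @staticmethod
    def _key(cookie_value: str) -> str:
        return hashlib.sha256(cookie_value.encode()).hexdigest()

    def issue(self, user: str) -> str:
        value = secrets.token_urlsafe(32)   # unguessable: not derived from user id, time or a counter
        self._rows[self._key(value)] = (user, self._now() + REMEMBER_TTL)
        return value   # set as an HttpOnly, Secure, SameSite cookie (assumption: served over HTTPS)

    def user_for(self, cookie_value: str) -> Optional[str]:
        """Which account may skip the second factor with this cookie, if any."""
        row = self._rows.get(self._key(cookie_value))
        if row is None:
            return None
        user, expires_at = row
        if self._now() > expires_at:
            del self._rows[self._key(cookie_value)]
            return None
        return user

    def revoke_all(self, user: str) -> int:
        """Call on password change, 2FA re-enrolment or an explicit 'forget my devices'."""
        stale = [k for k, (u, _) in self._rows.items() if u == user]
        for k in stale:
            del self._rows[k]
        return len(stale)


def may_skip_second_factor(store: RememberMeStore, session_user: str, cookie_value: Optional[str]) -> bool:
    """The cookie only helps the account it was issued for, and only after the password check."""
    if not cookie_value:
        return False
    return store.user_for(cookie_value) == session_user
```

Note that the cookie is consulted only after the first factor has succeeded and only for the same account: a stolen or guessed value for one user is worthless in another user's login flow.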

IP Address Impersonation

Impersonating the victim's IP address through the X-Forwarded-For header can bypass restrictions.
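X-Forwarded-For is a client-writable header, so a rate limiter that keys on it directly can be steered to any address. The Python helper below is an added example for this page, not HackTricks code or any proxy's built-in logic; the trusted proxy range is an assumption standing in for your own load-balancer tier. It honours the header only when the TCP peer is a trusted proxy and then walks the hop list from the right, skipping trusted hops, so the first address the proxies themselves recorded is used and anything the client prepended is ignored. A small sliding-window limiter shows the result being combined with the target account as the key.

```python
import ipaddress
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional

# assumption: the address range of your own reverse-proxy / load-balancer tier
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Address a rate limiter should key on.
    remote_addr is the TCP peer, which the client cannot forge. X-Forwarded-For is trusted
    only when that peer is one of our proxies, and only for the hops those proxies appended:
    walking from the right, the first non-proxy address is the real client."""
    peer = ipaddress.ip_address(remote_addr)
    if not xff_header or not _trusted(peer):
        return remote_addr            # direct connection: the header is attacker-controlled
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr        # malformed header: fall back to the peer
        if not _trusted(addr):
            return str(addr)
    return remote_addr                # every hop was one of ours


class WindowLimiter:
    """Sliding-window counter; key on client_ip() AND on the account being attacked."""

    def __init__(self, limit: int, window: float, now: Callable[[], float] = time.time) -> None:
        self.limit, self.window, self._now = limit, window, now
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        q, t = self._hits[key], self._now()
        while q and t - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True
```

A per-account key alongside the per-address key matters because the "Internal Actions Lack Rate Limit" and "Slow Brute Force" cases both slip past a limiter that only ever counts by source address.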

Utilizing Older Versions

Subdomains

Subdomains may run outdated versions of the application that lack 2FA support or contain vulnerable 2FA implementations, so they are worth testing.

API Endpoints

Older API versions, indicated by /v*/ directory paths, may be vulnerable to 2FA bypass methods.

Handling of Previous Sessions

Terminating existing sessions upon 2FA activation secures accounts against unauthorized access from compromised sessions.

Access Control Flaws with Backup Codes

Backup codes that are generated immediately upon 2FA activation and can later be retrieved without further authorization pose a risk, especially when combined with CORS misconfigurations or XSS vulnerabilities.
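The three findings about 2FA settings (CSRF/clickjacking used to disable 2FA, sessions that survive 2FA activation, backup codes that can be read back) are addressed together in the Python service below. It is an added example for this page, not HackTricks code or any product's implementation; the re-authentication window, the number and size of backup codes and the method names are assumptions. Changing 2FA state requires the session's CSRF token and a recent credential check, enabling 2FA ends every other session of the account, and backup codes are returned exactly once with only their hashes retained.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

REAUTH_WINDOW = 300   # seconds: 2FA settings may change only shortly after a fresh credential check (assumed)
BACKUP_CODES = 8      # assumed


@dataclass
class Session:
    user: str
    csrf_token: str     # per-session secret echoed in every state-changing form
    last_reauth: float  # when the password (and, if enrolled, the second factor) was last confirmed


@dataclass
class Account:
    mfa_enabled: bool = False
    backup_digests: Set[str] = field(default_factory=set)   # codes are never stored in clear


def settings_page_headers() -> Dict[str, str]:
    """Anti-framing headers for the page hosting the enable/disable controls (clickjacking)."""
    return {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'"}


class AccountService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self.sessions: Dict[str, Session] = {}
        self.accounts: Dict[str, Account] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, secrets.token_urlsafe(32), self._now())
        self.accounts.setdefault(user, Account())
        return sid

    def _authorize_change(self, sid: str, form_csrf: str) -> Optional[Session]:
        s = self.sessions.get(sid)
        if s is None:
            return None
        if not hmac.compare_digest(s.csrf_token, form_csrf):
            return None    # a cross-site form cannot know the token: CSRF refused
        if self._now() - s.last_reauth > REAUTH_WINDOW:
            return None    # stale session: step-up authentication first
        return s

    def enable_2fa(self, sid: str, form_csrf: str) -> Optional[List[str]]:
        s = self._authorize_change(sid, form_csrf)
        if s is None:
            return None
        acct = self.accounts[s.user]
        acct.mfa_enabled = True
        for other_sid, other in list(self.sessions.items()):   # every other session of this user ends here
            if other.user == s.user and other_sid != sid:
                del self.sessions[other_sid]
        codes = [secrets.token_hex(5) for _ in range(BACKUP_CODES)]   # 40 random bits each
        acct.backup_digests = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes   # rendered once on this response; no endpoint can return them again

    def disable_2fa(self, sid: str, form_csrf: str) -> bool:
        s = self._authorize_change(sid, form_csrf)
        if s is None:
            return False
        acct = self.accounts[s.user]
        acct.mfa_enabled = False
        acct.backup_digests.clear()
        return True

    def redeem_backup_code(self, user: str, code: str) -> bool:
        acct = self.accounts[user]
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in acct.backup_digests:
            acct.backup_digests.discard(digest)   # single use
            return True
        return False
```

Because only digests are kept, a CORS misconfiguration or XSS that can read any later response still finds nothing to exfiltrate; the codes exist in clear only in the single response that enabled 2FA.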

Information Disclosure on 2FA Page

Sensitive information disclosure (e.g., phone number) on the 2FA verification page is a concern.

Password Reset Disabling 2FA

A process demonstrating a potential bypass method involves account creation, 2FA activation, password reset, and subsequent login without the 2FA requirement.

Decoy Requests

Utilizing decoy requests to obfuscate brute force attempts or mislead rate limiting mechanisms adds another layer to bypass strategies. Crafting such requests requires a nuanced understanding of the application's security measures and rate limiting behaviors.
