Meghas
May 18, 2021


Two factor authentication bypass

Two-factor authentication is an added layer of security on top of the primary authentication mechanism. Many applications implement it by sending a one-time password (OTP) via SMS or email. If the check is not implemented properly, attackers can bypass it. Below are a few scenarios:

Scenario 1: OTP bypass using forceful browsing

1. Log in to the application using username and password.

2. The application navigates to the OTP page. Suppose that after a valid OTP the application presents the homepage URL https://abc.com/dashboard/.

3. Without providing the OTP in step 2, open the dashboard URL directly.

4. If the application allows the user to reach the dashboard page, the OTP is bypassed.

Scenario 2: OTP bypass using response manipulation-I

  1. Log in to the application; the application will send an OTP to the user via SMS or email.
  2. Provide a wrong OTP and capture the response. Suppose that for a wrong OTP the application returns {status:false} in the response.
  3. Change the response from false to true and observe the application's behavior.
  4. If server-side validation is missing, the application will allow the user to log in.

Scenario 3: OTP bypass using response manipulation-II

1. Log in to the application and capture the response in a proxy such as Burp Suite.

2. Consider a response containing the parameters {Status:true, Present2factor:true, …(other parameters)}.

3. Remove the Present2factor parameter from the response.

4. The application will not present the OTP screen and will log the user directly into the application.

Scenario 4: Reuse OTP

1. Log in to the application and provide the OTP to complete the login.

2. Log out, log in again, and reuse the previously used OTP.

3. If the application allows the login, the old OTP can be reused.

Scenario 5: Via parameter manipulation

1. Log in to the application and provide the OTP on the next page.

2. Capture the above request.

3. Observe the parameters sent along with the OTP and which of them relate to the OTP.

4. Consider a parameter that records when the OTP was provided/created. Make a note of this parameter's value and forward the request.

5. Repeat step 1, set the time parameter to the value noted above, and change the OTP to the previously used value from step 1.

6. Observe whether the application processes the request and logs the user in.

The above scenario shows that an OTP can be reused by supplying the previously generated/used time.

Scenario 6: OTP in response

1. Log in to the application by providing username and password.

2. Observe the response to the above request.

3. The OTP may be leaked somewhere in the response, especially in the case of APIs.

These are a few scenarios one can test while performing pentests. There can be other scenarios too, depending on application behavior.
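As a defender's counterpart to the six scenarios above, here is an added example (not code from the original post) of a server-side OTP check in Python that closes each of them: the verified flag lives only in server state, the code is single use, expiry is judged by the server clock rather than a client-supplied time parameter, and the code never appears in the HTTP response. The in-memory session store and the `delivered` list standing in for the SMS/email channel are assumptions made for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

OTP_TTL_SECONDS = 300  # validity window kept on the server; the client never supplies it
MAX_ATTEMPTS = 5       # stop guessing after this many wrong codes

@dataclass
class Session:
    otp_hash: Optional[bytes]    # HMAC of the code, never the code itself
    otp_issued_at: float         # server clock at issue time
    attempts: int = 0
    mfa_verified: bool = False   # set only by verify(), never read from a request

class OtpServer:
    def __init__(self, key: bytes):
        self._key = key
        self.sessions = {}
        self.delivered = []  # stand-in for the SMS/email channel (constructed for the demo)

    def _digest(self, otp: str) -> bytes:
        return hmac.new(self._key, otp.encode(), "sha256").digest()

    def login(self, user: str, now: float):
        """Password stage passed: send the OTP out of band; the response never carries it (scenario 6)."""
        sid = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.sessions[sid] = Session(self._digest(otp), now)
        self.delivered.append((user, otp))
        return sid, {"status": "otp_required"}

    def verify(self, sid: str, otp: str, now: float) -> bool:
        """Decide from server-side state only; the request carries just sid and otp."""
        s = self.sessions.get(sid)
        if s is None or s.otp_hash is None:  # no pending code: already used (scenario 4)
            return False
        s.attempts += 1
        if now - s.otp_issued_at > OTP_TTL_SECONDS or s.attempts > MAX_ATTEMPTS:
            s.otp_hash = None                # expiry judged by the server clock (scenario 5)
            return False
        if not hmac.compare_digest(self._digest(otp), s.otp_hash):
            return False
        s.otp_hash = None        # single use: the same code can never verify twice
        s.mfa_verified = True    # the only path to a verified session (scenarios 2 and 3)
        return True

    def dashboard(self, sid: str) -> int:
        """HTTP status for the protected page: no verified flag, no access (scenario 1)."""
        return 200 if (s := self.sessions.get(sid)) and s.mfa_verified else 403
```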

Note: This article is for learning purposes only, for security enthusiasts or those involved in pentests. Any unethical use of the information provided in this article is not advisable and may constitute a punishable offence.
