2FA Bypasses


Introduction

Two-Factor Authentication (2FA) is a security mechanism designed to add an extra layer of protection by requiring users to provide an additional verification code after entering their credentials. However, improper implementations of 2FA can introduce various security flaws that allow attackers to bypass authentication.

This document outlines common 2FA bypass techniques, including response manipulation, brute-force attacks, backup code abuse, and session hijacking. Each method is detailed with examples and exploitation steps.

For a visual reference, a 2FA Bypass Mindmap provides an overview of the different attack vectors.


Common 2FA Bypass Techniques

Index of Techniques

  1. Response Manipulation
  2. Status Code Manipulation
  3. 2FA Code Leakage in Response
  4. JavaScript File Analysis
  5. 2FA Code Reusability
  6. Lack of Brute-Force Protection
  7. Missing 2FA Code Integrity Validation
  8. CSRF on 2FA Disabling
  9. Password Reset Disables 2FA
  10. Backup Code Abuse
  11. Clickjacking on 2FA Disabling Page
  12. Enabling 2FA Without Expiring Active Sessions
  13. Bypass 2FA with null or 000000


1. Response Manipulation

Some 2FA implementations return a JSON response indicating whether authentication was successful. If the client acts on that response instead of the server tracking the result itself, altering the response in transit bypasses the check.

Exploitation

  • Intercept the response using Burp Suite or a browser's developer tools.

  • Look for a response like:

    { "success": false }
  • Change it to:

    { "success": true }
  • If the outcome is enforced on the client rather than checked against server-side state, access is granted.


2. Status Code Manipulation

Some applications rely on HTTP status codes to determine authentication success.

Exploitation

  • If a 4xx error (e.g., 401 Unauthorized) is received after entering a wrong 2FA code, modify the response to:

    HTTP/1.1 200 OK
  • Some applications may grant access even if authentication failed.


3. 2FA Code Leakage in API Responses

Some applications accidentally leak the 2FA code in their API response.

Exploitation

  • Intercept the request triggering the 2FA code.

  • Examine the API response.

  • If the response contains:

    { "otp": "123456" }
  • The attacker can directly use the leaked OTP.


4. JavaScript File Analysis

Some applications store 2FA-related logic in JavaScript files.

Exploitation

  • Check for exposed .js files in the application.

  • Look for sensitive hardcoded values like:

    var otp = "123456";
  • Attackers can extract OTP verification logic or static OTPs.


5. 2FA Code Reusability

Some applications do not expire OTPs after use, allowing attackers to reuse them.

Exploitation

  • Obtain a valid OTP from a previous session.

  • Attempt to reuse the same OTP for authentication.

  • If the system does not enforce one-time use, the old OTP grants access.


6. Lack of Brute-Force Protection

Applications that do not limit OTP attempts allow brute-forcing.

Exploitation

  • Identify the number of OTP digits (commonly 4-6).

  • Use a tool like Burp Intruder to brute-force:

    000000 - 999999
  • Weak OTP validation allows attackers to guess the correct OTP.


7. Missing 2FA Code Integrity Validation

Some systems accept any OTP that is currently valid for any account, rather than only the one issued to the account being authenticated.

Exploitation

  • Obtain a valid OTP for Account A.

  • Use the same OTP to authenticate Account B.

  • If the system does not verify OTP ownership, access is granted.


8. CSRF on 2FA Disabling

Some applications lack CSRF protection when disabling 2FA.

Exploitation

  • Construct a malicious request to disable 2FA:

    <form action="https://victim-site.com/disable-2fa" method="POST">
        <input type="hidden" name="disable" value="true">
        <input type="submit" value="Click to win a prize!">
    </form>
  • Trick the victim into clicking the form, disabling their 2FA.


9. Password Reset Disables 2FA

Some systems disable 2FA when a user resets their password.

Exploitation

  • If an account has 2FA enabled, attempt a password reset.

  • Check if 2FA is still active after resetting the password.

  • If 2FA is disabled, log in without 2FA authentication.


10. Backup Code Abuse

Backup codes provide alternative login options when OTP is unavailable.

Exploitation

  • If backup codes are stored insecurely, they can be leaked or stolen.

  • Some applications do not expire backup codes after use, allowing repeated exploitation.


11. Clickjacking on 2FA Disabling Page

Some applications allow 2FA to be disabled without additional verification.

Exploitation

  • Load the 2FA disabling page in an <iframe>.

  • Trick the victim into clicking the iframe (e.g., by overlaying it over an attractive button).

  • 2FA is disabled without the victim realizing it.


12. Enabling 2FA Does Not Expire Active Sessions

In some applications, enabling 2FA does not log out active sessions.

Exploitation

  • If an attacker hijacks a session before 2FA is enabled, they retain access even after 2FA is enforced.

  • Attackers can maintain persistence despite 2FA protection.
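Techniques 8, 11 and 12 share one server-side fix. The following Python is an added example (not code from the HowToHunt page) of a disable-2FA handler that requires a same-origin request, a per-session CSRF token and a recent re-authentication and sends anti-framing headers, plus an enable-2FA step that revokes the user's other sessions; the request and session dictionaries, the 300-second re-authentication window and the origin taken from the form above are assumptions.

```python
import hmac
import secrets

SITE_ORIGIN = "https://victim-site.com"  # origin used in the page's example form (assumed)
REAUTH_MAX_AGE = 300                      # seconds a fresh re-authentication stays valid (assumed)

def new_session(user, reauth_at=None, twofa_enabled=True):
    """Server-side session record; the CSRF token is minted per session."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32),
            "twofa_enabled": twofa_enabled, "reauth_at": reauth_at}

def anti_framing_headers():
    """Sent with every sensitive page so it cannot be rendered inside an <iframe>."""
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}

def same_origin(request):
    """True only if Origin (or Referer) names our site exactly, not a look-alike."""
    src = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    return src == SITE_ORIGIN or src.startswith(SITE_ORIGIN + "/")

def handle_disable_2fa(session, request, now):
    """Return (status, headers); request = {'method', 'headers', 'form'} as parsed."""
    headers = anti_framing_headers()
    if request.get("method") != "POST" or not same_origin(request):
        return 403, headers
    # Synchronizer token: unguessable, bound to this session, compared in constant time.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(session["csrf_token"].encode(), submitted.encode()):
        return 403, headers
    # Disabling a second factor is a step-up action: demand a recent re-authentication.
    if session["reauth_at"] is None or now - session["reauth_at"] > REAUTH_MAX_AGE:
        return 403, headers
    session["twofa_enabled"] = False
    return 200, headers

def enable_2fa(sessions, current_sid):
    """Turn on 2FA, revoke the user's other sessions and rotate the current id,
    so no session established before enrolment outlives it."""
    current = sessions.pop(current_sid)
    for sid in [s for s, rec in sessions.items() if rec["user"] == current["user"]]:
        del sessions[sid]
    current["twofa_enabled"] = True
    new_sid = secrets.token_urlsafe(32)
    sessions[new_sid] = current
    return new_sid
```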


13. Bypassing 2FA with null or 000000

Some poorly implemented 2FA mechanisms accept default or empty codes.

Exploitation

  • Enter null, 000000, or similar default values in the OTP field.

  • If the system accepts these values, authentication is bypassed.
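Techniques 1, 2, 5, 6, 7 and 13 above all come from the server not owning the verification decision. The following Python is an added example (not code from the HowToHunt page) of a server-side verifier that issues a code bound to one account, expires it, enforces single use, caps guesses and rejects empty or non-numeric input; the in-memory store, the 300-second TTL and the five-attempt limit are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # a code is valid for five minutes after issue (assumed)
MAX_ATTEMPTS = 5        # guesses allowed per challenge before it locks (assumed)
CODE_LENGTH = 6

@dataclass
class Challenge:
    code: str          # sent out of band; never placed in the API response
    issued_at: float
    attempts: int = 0

def issue_otp(store: dict, account_id: str, now: float) -> str:
    """Create a fresh challenge bound to account_id, replacing any earlier one."""
    code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
    store[account_id] = Challenge(code=code, issued_at=now)
    return code  # hand this to the SMS/app sender only, not to the browser

def verify_otp(store: dict, account_id: str, submitted, now: float) -> str:
    """Return 'ok', 'rejected' or 'locked'.

    The caller upgrades the session only on 'ok'. Because the decision is made
    here, editing the JSON body or status code in the browser changes nothing.
    """
    # Malformed input (None, '', 'null', wrong length) never reaches the compare.
    if not (isinstance(submitted, str) and submitted.isdigit()
            and len(submitted) == CODE_LENGTH):
        return "rejected"
    challenge = store.get(account_id)   # keyed by account: A's code cannot unlock B
    if challenge is None:
        return "rejected"
    if now - challenge.issued_at > OTP_TTL_SECONDS:
        del store[account_id]
        return "rejected"
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"                   # stop online brute force of the 10^6 space
    challenge.attempts += 1
    if hmac.compare_digest(challenge.code, submitted):
        del store[account_id]             # single use: a replayed code is rejected
        return "ok"
    return "rejected"
```

A submitted 000000 is rejected here because it is not the code that was issued, not because of a denylist; the function's return value, not whatever the client displays, decides whether the session is upgraded.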


Further Reading

  • Testing Two-Factor Authentication by NCC Group

Authors

  • Harsh Bothra
  • Vishal Saini

Enhanced and reformatted for HowToHunt repository by remonsec