Notes:

• the thing to learn is sometimes, 2FA can have no proper verification step. after the first step of putting password we might be in a state of logged in, and if we try to navigate to some page that requires login we can directly skip to that page.

• Flawed two-factor verification logic

  • This lab showcases a flaw in two-factor authentication logic. After the user completes the initial login step, the website assigns a cookie related to their account. When submitting the verification code, the site uses this cookie to identify which account the user is accessing. An attacker could exploit this flaw by changing the cookie value to an arbitrary username, which allows them to bypass the password step and directly brute-force the 2FA code for that user.
    • Once logged into your own account by POST /login, you can manipulate the "verify" parameter in the /login2 GET request to impersonate another user, in this case, Carlos. This tricks the system into sending a 2FA code for Carlos's account. After triggering this, even while using your own login credentials, you can brute-force the MFA code. Once the correct 2FA code is identified by a 302 response in Burp Intruder, you access it in a browser, effectively logging into Carlos's account without ever needing his password.
    • how can we know the password of the user? the vulnerability is in the 2FA mechanism, not the password authentication. The exploit bypasses the need for Carlos's password altogether, allowing an attacker to gain access with only the 2FA code.
  • Flawed logic in two-factor authentication can allow attackers to bypass the initial authentication step and brute-force the verification code, granting them access to other users' accounts based solely on their usernames. like how in this case, the authentication mechanism, the 2fa code which account request it, that logic was flawed. through that, we were able to bruteforce it. Changing a user-specific cookie or parameter post-login can exploit 2FA logic, allowing access without the target’s password.

• Brute-forcing 2FA verification codes

  • Lab demonstrates that, 2FA codes can still be bruteforced if it has protection in place, like this lab. the 2fa login page got logged out on 2 wrong attempts and requires the user logs in again. this can be automated using burp’s session handling and intruder
    • log in as Carlos to see the 2FA process. on 2 wrong tries, it logs out. Settings>Sessions>Session Handling Rules>Add>Scope>Include All URLs. same tab, now Details section, Rule Actions>Add>Run a Macro>Add GET /login, POST /login with Carlos's creds, and GET /login2
    • Test the macro, send the wrong 2FA attempt (POST /login2) to Burp Intruder and position as the 2fa code and payload as numbers from 0-9999, min/max integer as 4 and min/max fractions as 0. run the attack.
  • This shows how brute-forcing a 4-digit 2FA code can be streamlined with Burp’s session handling. Burp Suite's macros and session handling rules to automate multi-step processes

• 2FA simple bypass

  • This lab demonstrates a straightforward method to skip the 2FA check using direct navigation.
    • Login with your creds (wiener:peter), get your 2FA code via email. Note down the URL of your account page. Logout, then log in as Carlos (carlos:montoya). At the 2FA prompt, tweak the URL to jump straight to /my-account.
    • Lab solved when Carlos's account page loads without needing his 2FA code.
  • Directly navigating to sensitive pages without completing all auth steps exposes a critical security flaw, bypassing 2FA.