2FA broken logic
To access the lab, visit the following link:
This lab’s two-factor authentication is vulnerable due to its flawed logic. To solve the lab, access Carlos’s account page.
- Your credentials: wiener:peter
- Victim's username: carlos
You also have access to the email server to receive your 2FA verification code.
On the lab's homepage we can see the “My account” option. Let's click it to attempt a login.
Let's log in using wiener's correct credentials and capture the login request with Burp.
As soon as we log in, we are asked to enter a 4-digit security code.
There is an “Email client” button at the top of the page. Click it to access the email.
On the email client page we can see that the security code provided is 1490.
Let’s enter that security code and login.
We are successfully logged in as wiener.
Let's look at the login requests in Burp's HTTP history. Burp Suite captured three login requests. Right-click each one and send it to Repeater.
In the Repeater tab we can see the first login (POST) request. It contains wiener's username and password.
The second login (GET) request carries a session token and the username being verified. It contains wiener's username, and it causes the 4-digit security code for that specific username to be sent to wiener's email.
The third login (POST) request contains the security code entered for wiener and logs in to wiener's account.
Let's remove the session token from the second request and send it to check the server's response.
The server responds by displaying a window asking us to enter the 4-digit security code for the user “wiener”. This indicates that the application proceeds without validating the session token.
Next, we send the third request multiple times without the session token to check whether the application has an account lockout mechanism. We observe that no lockout mechanism is implemented.
So we can brute-force the 4-digit security code for the victim, carlos.
To brute-force the security code, we first need the server to send a 4-digit security code to the victim's email. To have the code sent for the user “carlos”, we send the second request with the victim's username, as shown in the image below:
After sending the request, we see the response asking for the 4-digit security code of “carlos”. This indicates that the server has sent the 4-digit code to the victim's email. Now we can attempt to brute-force the security code.
To brute-force the security code, we will send the third request, which contains the mfa-code parameter, to Intruder.
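The two defects found above (the code request and the code check take the account from the request rather than from the session that passed the password step, and nothing limits attempts) modelled in Python beside a hardened version. This is an added example, not the lab's own code; the in-memory stores, function names and the 3-attempt budget are assumptions.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the lab's backend (hypothetical, not the lab's code).
USERS = {"wiener": "peter", "carlos": "not-known-to-the-attacker"}
MFA_CODES = {}   # username -> 4-digit code "sent" to that user's inbox
SESSIONS = {}    # session id -> server-side login state

def issue_code(username):
    MFA_CODES[username] = f"{secrets.randbelow(10_000):04d}"   # "emailed" to the user

def password_login(username, password):
    """Step 1: check the password, open a pending session, send the code to that user."""
    if USERS.get(username) != password:
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "mfa_passed": False, "attempts": 0}
    issue_code(username)
    return sid

def request_code_vulnerable(username):
    """Step 2 as in the lab: the account is taken from the request, not the session,
    so a caller who only passed step 1 as wiener can have a code sent for carlos."""
    if username not in USERS:
        return False
    issue_code(username)
    return True

def verify_vulnerable(username, code):
    """Step 3 as in the lab: no session check and no attempt limit."""
    expected = MFA_CODES.get(username)
    if expected is not None and hmac.compare_digest(expected, code):
        return {"logged_in_as": username}   # would become that user's session cookie
    return None

def verify_fixed(sid, code, max_attempts=3):
    """Hardened step 3: session-bound account, attempt budget, pending login discarded."""
    state = SESSIONS.get(sid)
    if state is None or state["mfa_passed"]:
        return None
    state["attempts"] += 1
    expected = MFA_CODES.get(state["user"])
    if expected is not None and hmac.compare_digest(expected, code):
        state["mfa_passed"] = True
        MFA_CODES.pop(state["user"], None)
        return {"logged_in_as": state["user"]}
    if state["attempts"] >= max_attempts:
        SESSIONS.pop(sid, None)               # force a fresh password login
        MFA_CODES.pop(state["user"], None)    # and a fresh code
    return None
```

In the hardened version no username is accepted from the client at all after step 1, so there is no request in which a different account name could be substituted.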
In the Intruder Positions tab, set the attack type to Sniper. Click “Clear §” to remove all the automatic payload positions. Highlight the value of the mfa-code parameter.
Click “Add §” to mark this value as a payload position. It will be surrounded by § symbols.
Navigate to the “Payloads” tab in Intruder, as shown below.
In the “Payloads” section, make sure “Payload set 1” is selected, corresponding to the position you marked.
Under “Payload type”, select “Brute forcer”.
Under “Payload settings,” remove all characters other than digits from the character set. Set the length to 4 for both the Min length and Max length parameters.
Now that we have set all the payloads, click the “Start attack” button.
Burp Suite will start sending requests with each payload in our list and display the results in the Intruder tab.
In the results we can differentiate the requests by status code: one of the requests returns status code 302. We can see the mfa-code that was entered in that request.
When we view the response to this request, we can see the session cookie included in the response. We can use this cookie to bypass 2FA.
Navigate to Wiener’s account page. Right-click on the page and select “Inspect.”
Go to the “Application” tab and select “Cookies”. In the cookies section, paste the session cookie of “carlos” that we copied from the Intruder results, then right-click and delete any existing cookies.
Now, remove anything in the URL that comes after my-account as shown in the image below and reload the page.
Based on the session cookie we are now logged in as “carlos”, and the lab is marked as solved.
Congratulations! The walkthrough of the eighth authentication lab ends here.