Web Application Account Compromise via 2FA Bypass

Overview

During a penetration test of a web application, I identified a flawed two-factor authentication implementation that could be bypassed using brute-force techniques. This finding demonstrates that poorly implemented two-factor authentication (2FA) can provide a false sense of security while remaining vulnerable to bypasses.

Objective

The objective of the engagement was to assess the security of a web application's authentication mechanism. Testing was performed in a grey-box context, with credential pairs supplied to grant access. The focus was on the login and two-factor authentication (2FA) verification workflow.

Discovery

While testing the 2FA flow, I observed that one-time codes were delivered to users via email. I noticed that a previously issued 2FA code remained valid far longer than expected. I was able to reuse a code that had been generated approximately one day earlier, which indicated that the code expiry window was either excessive or not enforced.

This observation prompted further testing of defensive controls commonly associated with 2FA implementations. I first tested whether repeated incorrect submissions would trigger an account lockout. I submitted several invalid codes, starting with three attempts and gradually increasing to five and beyond. No lockout behaviour was observed.

I then tested for rate limiting by sending increasing numbers of consecutive 2FA verification requests. Even after sending 50, 100, and then 150 requests in a short period, there was no indication that rate limiting was in place.

With no evidence of code expiry enforcement, lockout thresholds, or rate limiting, I moved on to assessing the strength and randomness of the generated 2FA codes. By reviewing multiple previously received codes, I observed that the values were numerically close to one another. This suggested insufficient randomness and a reduced effective keyspace.

To validate this, I submitted an invalid 2FA code and intercepted the verification request using Burp Suite. This request was then configured for brute-force testing using Burp Intruder.

The attack was performed by iterating through numeric values, starting from zero, rather than limiting the attack to the observed range. This was done deliberately to demonstrate the broader risk of the implementation rather than relying on optimisation.

During the attack, one response differed from the others, indicating a successful verification. This confirmed that the correct 2FA code had been identified through brute force, allowing authentication to complete successfully.

At this point, the 2FA control had been fully bypassed, and unauthorised access to the application was achieved.

Takeaway

Two-factor authentication must be implemented with strict code expiry, strong randomness, rate limiting, and lockout controls. Poorly implemented 2FA can undermine the additional layer of security it is meant to provide after password authentication.
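The four controls listed above, as an added defensive example that is not part of the original write-up or the tested application: a hypothetical email-OTP verifier that generates codes from a CSPRNG over the full keyspace, enforces a short expiry, counts attempts towards a lockout, and makes each code single-use. The in-memory store and the injectable clock are assumptions for illustration; a production deployment would keep this state server-side and also throttle attempts per user and per source across codes.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

CODE_DIGITS = 6          # full keyspace of 1,000,000 values, zero-padded
CODE_TTL_SECONDS = 300   # five-minute expiry, not a day
MAX_ATTEMPTS = 5         # lockout threshold for a single issued code


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class OtpVerifier:
    # Hypothetical in-memory store keyed by user id (assumption for the example).
    codes: Dict[str, IssuedCode] = field(default_factory=dict)
    clock: Callable[[], float] = time.time  # injectable so expiry can be tested

    def issue(self, user_id: str) -> str:
        # Uniform CSPRNG draw: consecutive codes are not numerically close.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.codes[user_id] = IssuedCode(code, self.clock())
        return code

    def verify(self, user_id: str, submitted: str) -> str:
        entry = self.codes.get(user_id)
        if entry is None:
            return "no_code"
        if entry.used:
            return "already_used"        # single use: no replay of a consumed code
        if self.clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self.codes[user_id]
            return "expired"             # expiry enforced server-side
        if entry.attempts >= MAX_ATTEMPTS:
            return "locked"              # lockout stops guessing the keyspace
        entry.attempts += 1              # count before comparing, so a wrong guess always costs an attempt
        if hmac.compare_digest(entry.code, submitted):
            entry.used = True
            return "ok"
        return "invalid"
```

Every non-"ok" outcome should return the same generic message and status code to the client; the distinct return values here are for the server-side logic and for logging to a detection pipeline.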