How I Bypassed 2FA while Resetting Password
It was a private program on HackerOne. I had set a target in my mind that I had to bypass 2FA, so I checked every method to bypass two-factor authentication.
For better understanding, I have divided this blog into two parts:
1. Understanding the functionality of the web application.
2. Bypassing two-factor authentication.
Let’s Start
I can’t disclose the name of the website, so let’s consider it “Target.com”.
After checking all possible methods, I came to the reset password functionality. I sent a password reset link and opened it in my browser.
“https://abc.target.com/reset/<token>”

I entered the new password, clicked the Next button, and captured the request in Burp.
Request:
POST /reset2fa HTTP/1.1
Host: abc.target.com
..
_csrf=<token>&reset_key=<key>&password=Test@123
After forwarding this request, it redirected to the 2FA page 😓
Now I disabled 2FA on my account to check what the difference is between the two requests when 2FA is enabled and disabled.
Again, with the same steps, I requested a new password.
I entered the new password and captured the request in Burp.

Request:
POST /reset HTTP/1.1
Host: abc.target.com
..
_csrf=<token>&reset_key=<key>&password=Test@123
After forwarding the request, it redirected to the dashboard.
BYPASS PART
By comparing the requests, I noticed that “POST /reset” was redirecting to the dashboard while “POST /reset2fa” was redirecting to the 2FA page.
To bypass it, I enabled 2FA again and requested a password reset.
“https://abc.target.com/reset/<token>”
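A server-side mitigation for the behaviour observed above, as an added example that is not from the original post or from the target application: the account record, not the endpoint the client posted to, decides whether the 2FA step follows a reset, and the dashboard checks the session again on its own. All names (`handle_reset`, `handle_dashboard`, the sample accounts and reset keys) are hypothetical, and the sketch assumes the two endpoints differ only in which page follows the reset.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    totp_enabled: bool

@dataclass
class Session:
    user: str
    mfa_verified: bool = False  # set to True only by the 2FA verification step

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

# Constructed sample state (hypothetical accounts and reset keys).
ACCOUNTS = {"alice": Account(b"", b"", True), "bob": Account(b"", b"", False)}
RESET_KEYS = {"key-alice": "alice", "key-bob": "bob"}
SESSIONS = {}

def handle_reset(path, reset_key, new_password):
    """Serve POST /reset and POST /reset2fa through one decision path.

    `path` is accepted but deliberately ignored: it is client-controlled.
    Returns (status, redirect_location, session_id).
    """
    user = RESET_KEYS.pop(reset_key, None)   # reset keys are single-use
    if user is None:
        return 403, None, None
    account = ACCOUNTS[user]
    account.salt = secrets.token_bytes(16)
    account.password_hash = hash_password(new_password, account.salt)
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)            # starts without mfa_verified
    # The stored 2FA setting selects the next step, never the request path.
    return 302, ("/2fa" if account.totp_enabled else "/dashboard"), sid

def handle_dashboard(sid):
    """Guard on the protected page itself, independent of any redirect."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401
    if ACCOUNTS[session.user].totp_enabled and not session.mfa_verified:
        return 403
    return 200
```
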