mfa bypass in private program, the abdulsec way
Hi, I hope you are doing well. It has been a while since my last write-up; today I want to share a technique I used to bypass multi-factor authentication in a private program.
Tools used:
Burp Suite Community and Firefox
First observation
When you log in to your account, enable two-factor authentication, and then log out, the next time you log in you are redirected to set up two-factor authentication.
Second observation
When you log in to an account whose MFA setup is complete, you are redirected to a challenge page where you have to enter a valid six-digit code. Don't even think about brute forcing it, as it is not SMS-based MFA.
After comparing the responses for an account with fully set-up two-factor authentication and an account that had enabled 2FA but not completed setup, I found that the only difference was the response header:
X-Mfa-Redirect: mfaChallengePage versus X-Mfa-Redirect: mfaSetupPage
To bypass the 2FA, I modified the X-Mfa-Redirect response header to point to mfaSetupPage instead of mfaChallengePage.
Steps to Reproduce
- In Burp Suite, go to Proxy > Options > Match and Replace
- Add a response header rule: match mfaChallengePage and replace with mfaSetupPage
- Log in to your victim account that has two-factor authentication enabled
- You will be redirected to set up a new 2FA
- Finish setting up the MFA and you will be redirected into your victim account without ever having entered a valid MFA code
- Boom, you have successfully bypassed the two-factor authentication
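The header rewrite only works because the server lets any password-authenticated session reach the MFA setup endpoint, even when the account is already enrolled; the X-Mfa-Redirect header is just a UI hint, and the real defect is the missing server-side state check on the setup route. The following is an added example, not code from the write-up or the affected program: a toy model of the login / challenge / setup flow with the vulnerable setup handler beside a hardened one, plus a regression check that replays the proxy rule above. All names (Account, Session, mfa_setup_vulnerable, mfa_setup_hardened, the sample user and codes) are assumptions for illustration.

```python
# Added example (not from the original write-up): a minimal server-side model of a
# password -> MFA flow. The client can rewrite the X-Mfa-Redirect header freely;
# what decides the outcome is whether the setup endpoint checks enrollment state.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Account:
    username: str
    password: str
    mfa_secret: Optional[str] = None      # None: 2FA enabled but never set up


@dataclass
class Session:
    username: str
    password_ok: bool = False             # password step passed
    mfa_verified: bool = False            # challenge passed in this session


def login(users: Dict[str, Account], username: str, password: str) -> Tuple[Optional[Session], dict]:
    """Password step. Emits the redirect hint the write-up observed."""
    acct = users.get(username)
    if acct is None or acct.password != password:
        return None, {"status": 401}
    sess = Session(username=username, password_ok=True)
    target = "mfaChallengePage" if acct.mfa_secret else "mfaSetupPage"
    return sess, {"status": 302, "X-Mfa-Redirect": target}


def mfa_challenge(users: Dict[str, Account], sess: Session, code: str) -> int:
    """Challenge step; `code == secret` is a toy stand-in for real TOTP verification."""
    acct = users[sess.username]
    if not sess.password_ok or acct.mfa_secret is None:
        return 403
    if code != acct.mfa_secret:
        return 401
    sess.mfa_verified = True
    return 200


def mfa_setup_vulnerable(users: Dict[str, Account], sess: Session, new_secret: str) -> int:
    """Vulnerable: trusts the password step alone and re-enrolls an already-enrolled account."""
    if not sess.password_ok:
        return 403
    users[sess.username].mfa_secret = new_secret
    sess.mfa_verified = True              # completing setup counts as "verified"
    return 200


def mfa_setup_hardened(users: Dict[str, Account], sess: Session, new_secret: str) -> int:
    """Hardened: re-enrollment of an enrolled account requires a passed challenge first."""
    acct = users[sess.username]
    if not sess.password_ok:
        return 403
    if acct.mfa_secret is not None and not sess.mfa_verified:
        return 403                        # enrolled but unverified: setup is off limits
    acct.mfa_secret = new_secret
    sess.mfa_verified = True
    return 200


def account_page(users: Dict[str, Account], sess: Session) -> int:
    """Protected resource: enrolled accounts need a verified session."""
    acct = users[sess.username]
    if not sess.password_ok:
        return 403
    if acct.mfa_secret is not None and not sess.mfa_verified:
        return 403
    return 200


def rewrite_header(headers: dict) -> dict:
    """Models the proxy match-and-replace rule on the client side."""
    h = dict(headers)
    if h.get("X-Mfa-Redirect") == "mfaChallengePage":
        h["X-Mfa-Redirect"] = "mfaSetupPage"
    return h


def bypass_possible(setup_handler: Callable[[Dict[str, Account], Session, str], int]) -> bool:
    """Regression check: does rewriting the redirect hint grant access without the code?"""
    users = {"victim": Account("victim", "correct-horse", mfa_secret="123456")}  # constructed
    sess, headers = login(users, "victim", "correct-horse")
    headers = rewrite_header(headers)
    if headers["X-Mfa-Redirect"] == "mfaSetupPage":
        setup_handler(users, sess, "000000")  # attacker-chosen replacement secret
    return account_page(users, sess) == 200


if __name__ == "__main__":
    print("vulnerable handler bypassed:", bypass_possible(mfa_setup_vulnerable))  # True
    print("hardened handler bypassed:", bypass_possible(mfa_setup_hardened))      # False
```

The fix is not to stop sending the header but to make the setup endpoint refuse re-enrollment unless the session has already passed the challenge (or a separate, authenticated recovery flow); with that check in place the same proxy rule lands the user on a setup page that returns 403, and the account page stays closed.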
Thank you so much.
If you liked this write-up, follow me on Twitter; you can also buy me a coffee:
https://www.buymeacoffee.com/abdulsec
Timeline
Submitted: 16 Oct 2021 01:39:34 UTC
Rewarded ($600): 19 Oct 2021 13:53:15 UTC