Multi-Factor Authentication Vulnerabilities

Hashar Mujahid
Published in InfoSec Write-ups
4 min read · Sep 27, 2022


Hi, my name is Hashar Mujahid and in this blog, we will discuss MFA and the most common MFA vulnerabilities that might occur.

So, first things first:

WHAT IS MULTI-FACTOR AUTHENTICATION?

Many websites and organizations rely on single-factor authentication, where a user can log into his account using only a password, without any additional layer of security or validation. But as social engineering attacks have become more and more sophisticated, there is a dire need for an additional layer of security, such as multi-factor authentication. In multi-factor authentication, when a user enters his password with the intention to log in, the web application sends a temporary code to the user’s verified email address, and only when the user enters that code is he able to interact with his account.

WHAT ARE TWO-FACTOR AUTHENTICATION TOKENS?

The user often reads verification codes from a physical device of some kind. Many high-security websites now offer a specific device for this function, such as the RSA token or keypad device you could use to access your online banking or work laptop. These dedicated devices, in addition to being purpose-built for security, offer the added benefit of generating the verification code immediately. For the same reason, it is also common for websites to use a dedicated mobile app, such as Google Authenticator.

Now let’s discuss some vulnerabilities that can occur when implementing multi-factor authentication.

Skipping the Verification Process Entirely:

When a user enters his password and the website prompts him for the MFA code, it is worth checking whether you can access the account directly by skipping the MFA step.

For Example:

Let’s suppose the user enters his password on the /login page and the web application then redirects him to /mfa-verification. You can try changing the URL from /mfa-verification to /dashboard.

Lab: 2FA simple bypass:

We have to access the victim’s (Carlos) account page by bypassing the MFA.

Let's log in with the credentials provided to us.

Let’s change /login2 to /.

We can see that we are fully logged in.

Flawed two-factor verification logic:

When the two-factor authentication logic is defective, the website may fail to properly verify that the same user who completed the first step is also the one completing the second.

For Example:

The user logs in with the password; in the second step, the application assigns a cookie to track whether the action is being performed by the same user.

HTTP/1.1 200 OK
Set-Cookie: account=carlos    ==> Predictable value.

An attacker can start a valid login process with his own account, change the cookie value to the victim’s username, and log in as the victim.

After logging in, we receive a code in our email client.

Enter the code and intercept the request with Burp Suite.

Now send this request to Repeater, change the request method to GET, and change the verify cookie to carlos so that an MFA code is generated for Carlos.

Now all we need to do is brute-force that MFA code.

Go to the login page and enter your username and password. Then submit an invalid 2FA code. Send the POST /login2 request to Intruder, change the verify cookie to carlos, and brute-force the MFA code.

Start a brute-force attack.

We can copy the session cookie from the successful response and use it in place of our current one.
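As an added illustration (this is not code from the original post or from the lab), the following Python sketches the flawed second step described above next to a hardened version: the vulnerable handler takes the account name from the predictable, client-controlled account cookie, while the fixed one binds the pending login to a server-side session opened at step 1, caps code guesses so the brute-force step fails, and refuses /dashboard until step 2 is complete. The session store, user names and codes are constructed placeholders.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store standing in for a real server-side backend.
SESSIONS: Dict[str, dict] = {}


def start_login(username: str, password_ok: bool) -> Optional[str]:
    """Step 1: on a correct password, open a server-side session that is still
    pending MFA and hand the client only its opaque, unguessable identifier."""
    if not password_ok:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "mfa_verified": False, "attempts": 0}
    return sid


def vulnerable_verify(cookies: dict, code: str, issued: Dict[str, str]) -> Optional[str]:
    """Flawed step 2, as in the lab: the account whose code is checked comes from
    the predictable client-controlled 'account' cookie, not from step 1."""
    user = cookies.get("account")  # whoever rewrites this cookie picks the account
    if user is not None and issued.get(user) == code:
        return user
    return None


def verify_mfa(sid: str, code: str, issued: Dict[str, str], max_attempts: int = 5) -> Optional[str]:
    """Hardened step 2: identity comes from the session opened in step 1, the code
    comparison is constant-time, and guesses are capped so brute force is stopped."""
    sess = SESSIONS.get(sid)
    if sess is None or sess["mfa_verified"]:
        return None
    if sess["attempts"] >= max_attempts:
        del SESSIONS[sid]  # too many wrong codes: discard the pending login
        return None
    sess["attempts"] += 1
    expected = issued.get(sess["user"], "")
    if expected and hmac.compare_digest(expected, code):
        sess["mfa_verified"] = True
        return sess["user"]
    return None


def can_access_dashboard(sid: str) -> bool:
    """The /dashboard check: a session that never completed step 2 is refused,
    which closes the 'change /login2 to /' bypass shown in the first lab."""
    sess = SESSIONS.get(sid)
    return sess is not None and sess["mfa_verified"]
```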

In the next part, we will learn some advanced techniques for bypassing MFA systems.

I highly recommend solving PortSwigger’s labs to practice these techniques.

Till Then Happy Hacking ❤
