Two FA Bypass

Second Factor Authentication (2FA) Bypass

Overview of the Vulnerability

Incorrectly implemented Second Factor Authentication (2FA) mechanisms can be bypassed through manipulation of the form, modifying the given URL parameters, or by counterfeiting the session. The 2FA mechanism for this application can be bypassed by an attacker who can gain access to the application through a user’s account and impersonate users.

The attacker is only limited by the permissions of the user account they access, including Administrator users. This could include viewing or editing sensitive customer data, viewing or editing other user permissions, and taking over other user accounts or elevating privileges.

Business Impact

Bypassing 2FA mechanisms could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust.

Steps to Reproduce

1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP

2. Use a browser to navigate to: {{URL}}

3. Attempt to sign in to the application

4. Intercept the 2FA request using the HTTP interception proxy

5. Modify the body of the request (as below) and forward it to the endpoint:

{{request}}

1. Observe that the 2FA mechanism has been bypassed and a successful login has occurred

Proof of Concept (PoC)

The screenshot below demonstrates that 2FA has been bypassed:

{{screenshot}}

Guidance

For a 2FA bypass, please include a step-by-step walkthrough that can be executed to easily demonstrate and reproduce the issue.

Attempt to escalate the 2FA bypass to perform additional actions (such as an account takeover or perform user enumeration to perform the 2FA bypass on a more privileged account). If this is possible, provide a full Proof of Concept (PoC).

Recommendation(s)

Authentication bypass can be remediated by implementing a handful of best practices relating to authentication and session management to ensure secure implementation. These include:

• Keeping all systems, software and operating systems up-to-date with a repeatable patch management process

• Validate all user input server-side

• Ensure that the authentication mechanisms and logic are robust and that each request for a resource passes through an authorization process

The verification logic of the application, as well as all of the above, should be thoroughly tested during the development and QA phases of an application build.

For further information, refer to Open Web Application Security Project(OWASP) guides located at:

• https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html

• https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

• https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/