Account Takeover/mfa-bypass.md
Multi-Factor Authentication (MFA) is a security measure that requires users to provide two or more verification factors to gain access to a system, application, or network. It combines something the user knows (like a password), something they have (like a phone or security token), and/or something they are (biometric verification). This layered approach enhances security by making unauthorized access more difficult, even if a password is compromised. MFA Bypasses are techniques attackers use to circumvent MFA protections. These methods can include exploiting weaknesses in MFA implementations, intercepting authentication tokens, leveraging social engineering to manipulate users or support staff, or exploiting session-based vulnerabilities.
If response is "success":false
Change it to "success":true
If Status Code is 4xx Try changing it to 200 OK and see if it bypass restrictions
Check the response of the 2FA Code Triggering Request for leaked code.
Rare but some JS Files may contain info about the 2FA Code, worth giving a shot
Same code can be reused
Possible to brute-force any length 2FA Code
Code for any user account can be used to bypass the 2FA
No CSRF Protection on disabling 2FA, also there is no auth confirmation
2FA gets disabled on password change/email change
Bypassing 2FA by abusing the Backup code feature Use the above-mentioned techniques to bypass the Backup Code to remove/reset 2FA restrictions
Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
If the session is already hijacked and there is a session timeout vulnerability
If the application redirects to /my-account url upon login while 2FA is disabled, try replacing /2fa/verify with /my-account while 2FA is enabled to bypass verification.
Enter the code 000000 or null to bypass 2FA protection.
{
"otp":[
"1234",
"1111",
"1337", // GOOD OTP
"2222",
"3333",
"4444",
"5555"
]
}