2FA broken logic
This lab’s two-factor authentication is vulnerable due to its flawed logic.
Reproduction and proof of concept
1. With Burp running, log in with wiener:peter and investigate the 2FA verification process. Notice that in the POST /login2 request, the verify parameter is used to determine which user's account is being accessed.
2. Log out of your account.
3. Send the GET /login2 request to Burp Repeater. Change the value of the verify parameter to carlos and send the request. This ensures that a temporary 2FA code is generated for Carlos.
4. Go to the login page and enter your username and password. Then, submit an invalid 2FA code.
5. Send the POST /login2 request to Burp Intruder.
6. In Burp Intruder, set the verify parameter to carlos and add a payload position to the mfa-code parameter. Brute-force the verification code.
7. Load the 302 response in your browser.
In short: an attacker needs to make sure an mfa-code verification code is generated for user carlos by issuing a GET request to /login2 with verify=carlos, then brute-force the POST request to /login2 using the Payload type: Brute forcer. The root cause is that the server trusts the client-supplied verify parameter to decide whose code is being checked, instead of the account that actually completed the password step, and it does not limit the number of guesses.
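To show the flaw and its fix side by side, here is an added Python example (not the lab's own backend, which the page does not show): an in-memory stand-in for the /login2 handler with the broken verification next to a version that binds the check to the server-side session and caps attempts. The PENDING_CODES store, MAX_ATTEMPTS and the session dict are assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the lab's server (assumption).
PENDING_CODES = {}   # username -> {"code": str, "attempts": int}, set at GET /login2
MAX_ATTEMPTS = 3     # assumed guess limit for the hardened version


def issue_code(username):
    """GET /login2: generate a fresh 4-digit code for the named user."""
    code = f"{secrets.randbelow(10000):04d}"
    PENDING_CODES[username] = {"code": code, "attempts": 0}
    return code


def verify_vulnerable(session, verify_param, mfa_code):
    """Broken logic (the lab's bug): the account being verified comes from the
    client-supplied 'verify' parameter, not from who passed the password step,
    and nothing limits how many codes may be tried."""
    entry = PENDING_CODES.get(verify_param)
    if entry and entry["code"] == mfa_code:
        return verify_param          # logs in as whoever 'verify' names
    return None


def verify_fixed(session, verify_param, mfa_code):
    """Hardened: ignore 'verify'; the account is the one bound to the server-side
    session at password login. Cap attempts, compare in constant time, and make
    each code single-use."""
    username = session.get("pending_user")
    if username is None:
        return None                  # no password step completed in this session
    entry = PENDING_CODES.get(username)
    if entry is None:
        return None                  # no live code for this account
    if entry["attempts"] >= MAX_ATTEMPTS:
        PENDING_CODES.pop(username, None)   # invalidate after too many guesses
        return None
    entry["attempts"] += 1
    if hmac.compare_digest(entry["code"], mfa_code):
        PENDING_CODES.pop(username, None)   # one-time use
        return username
    return None
```

With a session that authenticated as wiener, the vulnerable check accepts Carlos's code when verify=carlos is supplied; the fixed check only ever validates the code issued to wiener, and discards it after MAX_ATTEMPTS wrong guesses.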