2FA broken logic


This lab’s two-factor authentication is vulnerable due to its flawed logic.

Reproduction and proof of concept

  1. With Burp running, log in with wiener:peter and investigate the 2FA verification process. Notice that in the POST /login2 request, the verify parameter is used to determine which user’s account is being accessed.


  1. Log out of your account.

  2. Send the GET /login2 request to Burp Repeater. Change the value of the verify parameter to carlos and send the request. This ensures that a temporary 2FA code is generated for Carlos.

  3. Go to the login page and enter your username and password. Then, submit an invalid 2FA code.

  4. Send the POST /login2 request to Burp Intruder.

  5. In Burp Intruder, set the verify parameter to carlos and add a payload position to the mfa-code parameter. Brute-force the verification code.


  1. Load the 302 response in your browser.



An attacker will need to make sure a MFA-code verification code is generated for user carlos by issuing a GET request to login2, then bruteforce the POST request to login2 using the Payload type: Brute forcer