🤯
Mazin
  • 🤔INTRODUCTION
    • Whoami
  • ☀️Notes
    • Leaked Credentials
    • IIS
    • CMS
    • pentesting4arabs
    • 2FA Bypass
    • Android
    • Monitor CVEs
    • Shodan Queries
    • Sites & Repos for bug hunting
    • Sites for scanning & etc
  • 🔥CTFS
    • Sites to solve Ctfs
    • HTB Apoc 2023
  • 💸Bug Bounty Writeups
    • Origin IP Access WAF Bypass
    • My First Big Bounty
    • Exposed Docker Registry
    • Squarespace Subdomain Takeover
Powered by GitBook
On this page
  1. Notes

2FA Bypass

cool 2fa bypass tips i saw

Previouspentesting4arabsNextAndroid

Last updated 9 months ago

1. Response and Status code Manipulation

  1. 2FA Bypass Via Reset Password

  2. Clickjacking on 2FA Disable Feature

  3. CSRF on 2FA Disable Feature

  4. 2FA Code Reusability

  5. 2FA Referrer Check Bypass : Sometimes the server check the Referrer Header to see if you came it from an authenticated url(page) or not

  6. 2FA Code Leakage in Response

  7. Missing 2FA Code Integrity Validation : here the server check if code correct or not , not validate which user made the request

  8. 2FA bypass by sending blank code

  9. Password not checked when disabling 2FA: when asking for Password , enter wrong password and forward the request

  10. Enable 2FA without verifying the email

  11. Bypass 2FA with null or 000000 or 0000

  12. 2FA bypass by sending blank code

☀️
https://medium.com/@Az3m/bypassing-two-factor-f2d0f9bea39d
https://web.archive.org/web/20230817153406/https://h0tak88r.github.io/posts/Multi-Factor-Authentication-%282FA%29-Security-Testing/
https://0xm5awy.medium.com/10-2fa-bypasses-discovered-on-a-single-program-and-page-422652a14fa
https://muhammad-aamir.medium.com/2fa-secret-cannot-be-rotated-a-vulnerability-explained-for-bug-bounty-093fd2eb1486