2FA-Bypass-Techniques
1 Response Manipulation
2 Status Code Manipulation
3 2FA Code Leakage in Response
4 JS File Analysis
5 2FA Code Reusability
6 Lack of Brute-Force Protection
@TodayCyberNews
#bugbounty #bugbountytips #bugbountytip #cybersecurity #infosec #2FA #bypass
1 Response Manipulation
2 Status Code Manipulation
3 2FA Code Leakage in Response
4 JS File Analysis
5 2FA Code Reusability
6 Lack of Brute-Force Protection
@TodayCyberNews
#bugbounty #bugbountytips #bugbountytip #cybersecurity #infosec #2FA #bypass
7 Missing 2FA Code Integrity Validation
8 CSRF on 2FA Disabling
9 Password Reset Disable 2FA
10 Backup Code Abuse
11 Clickjacking on 2FA Disabling Page
12 Enabling 2FA doesn't expire Previously active Sessions
13 Bypass 2FA with null or 000000
8 CSRF on 2FA Disabling
9 Password Reset Disable 2FA
10 Backup Code Abuse
11 Clickjacking on 2FA Disabling Page
12 Enabling 2FA doesn't expire Previously active Sessions
13 Bypass 2FA with null or 000000
1.) Response Manipulation
In response if
"success":false
Change it to
"success":true
In response if
"success":false
Change it to
"success":true
2.) Status Code Manipulation
If Status Code is 4xx
Try to change it to 200 OK
and see if it bypass restrictions
If Status Code is 4xx
Try to change it to 200 OK
and see if it bypass restrictions
3.) 2FA Code Leakage in Response
Check the response of the 2FA Code Triggering Request to see if the code is leaked.
Check the response of the 2FA Code Triggering Request to see if the code is leaked.
4.) JS File Analysis
Rare but some JS Files may contain info about the 2FA Code
Rare but some JS Files may contain info about the 2FA Code
5.) 2FA Code Reusability
Same code can be reused
Same code can be reused
6.) Lack of Brute-Force Protection
Possible to brute-force any length 2FA Code
Possible to brute-force any length 2FA Code
7.) Missing 2FA Code Integrity Validation
Code for any user acc can be used to bypass the 2FA
Code for any user acc can be used to bypass the 2FA
8.) CSRF on 2FA Disabling
No CSRF Protection on disabling 2FA, also there is no auth confirmation
No CSRF Protection on disabling 2FA, also there is no auth confirmation
9.) Password Reset Disable 2FA
2FA gets disabled on password change/email change
2FA gets disabled on password change/email change
10.) Backup Code Abuse
Bypassing 2FA by abusing the Backup code feature
Use the above mentioned techniques to bypass Backup Code to remove/reset 2FA restrictions
Bypassing 2FA by abusing the Backup code feature
Use the above mentioned techniques to bypass Backup Code to remove/reset 2FA restrictions
11.) Clickjacking on 2FA Disabling Page
Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
12.) Enabling 2FA doesn't expire Previously active Sessions
If the session is already hijacked and there is a session timeout vulnerability
If the session is already hijacked and there is a session timeout vulnerability
13.) Bypass 2FA with null or 000000
Enter the code 000000 or null to bypass 2FA protection.
Enter the code 000000 or null to bypass 2FA protection.
Loading suggestions...