2FA Broken Logic | Authentication Vulnerabilities | Portswigger
In this lab, the 2FA implementation is vulnerable to flawed logic.
To solve the lab, we begin by opening the lab, logging in to our own account with the credentials below, and then attempting to log in to the victim's account, 'carlos':
username: wiener
password: peter
Using Burp
Let's start by firing up Burp and intercepting the request with Burp Proxy. Enter the 2FA code sent to the email client, send this request to Burp Repeater and examine it.
Change the verify value from peter to carlos and send the request; this should generate a code for carlos. Then log out of the account.
Try to log in once more, but this time enter a fake 2FA code in the entry field and send this request to Burp Intruder. (Please note that, because of the throttled speed of Burp Suite Community Edition, I will be using Turbo Intruder for this task.)
Crunch
The 2FA code has 4 digits, so there are 10,000 possible codes (0000–9999). We will use crunch to generate all of them:
$ crunch 4 4 0123456789 -o 2FA.txt
Take note of the path where the 2FA.txt file was saved.
Turbo Intruder
Once the /login2 request with the fake 2FA code has been sent to Burp, we send it to Turbo Intruder and start our brute force.
Select the script to use and set the 2FA.txt path location as shown below.
Once everything is set, start the attack and look for a response with a 302 status code. Send that request to the browser, and congratulations, you have solved the lab.
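The two weaknesses this lab chains, the verify value being trusted from the client (the Repeater step) and an unlimited number of guesses at a 4-digit code (the Turbo Intruder step), are shown below beside a hardened verifier that binds the 2FA step to the session and caps attempts. This is an added Python example, not the lab's own code; the request and session dictionaries and the in-memory stores are constructed stand-ins for the server's state.

```python
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumption: policy chosen for the example

# Constructed in-memory server state (assumption): username -> pending code / failures
codes = {}
attempts = {}


def issue_code(user):
    """Generate a fresh 4-digit code for `user` after the password step passes."""
    code = f"{secrets.randbelow(10000):04d}"
    codes[user] = code
    attempts[user] = 0
    return code


def verify_broken(request, session):
    """Mirrors the lab's flaw: the account being verified is read from the
    client-controlled 'verify' value, so any user who passed step 1 can submit
    a code for a different account, and nothing limits the number of tries."""
    user = request["verify"]
    if codes.get(user) == request["mfa-code"]:
        return user
    return None


def verify_fixed(request, session):
    """Hardened: the account comes from server-side session state set at the
    password step, the code is single-use, and too many failures invalidate it."""
    user = session.get("pending_user")
    if user is None or user not in codes:
        return None
    if attempts[user] >= MAX_ATTEMPTS:
        codes.pop(user)          # burn the code; the user must restart login
        attempts.pop(user)
        return None
    if hmac.compare_digest(codes[user], request["mfa-code"]):
        codes.pop(user)          # one-time use
        attempts.pop(user)
        return user
    attempts[user] += 1          # count the failure; do not reveal which field was wrong
    return None
```

With the fixed verifier, a carlos code submitted from wiener's session is rejected, and the fourth attempt at a code is refused even when it is correct.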