3. MFA (Multi-Factor Authentication) Attacks

It is very important to look at edge cases that software developers might have overlooked.

The Auth 0x02 challenge shows a case in which the same MFA code is accepted for all users, because the second-factor check is not bound to the account that passed the password step.

Steps to check for this particular case:

  • First we look at the behaviour of the website with the credentials we are provided for testing.

  • Then we see how the MFA works on the page that appears after the password step.

  • Normally the website protects the user field from being edited, but a client-side HTML protection is not enough in this case, as we can edit the HTML directly from the browser's developer tools or modify the request in Burp Suite.

  • We intercept in Burp Suite the request sent when we hit submit on the MFA page for jessamy and change the username to jeremy, to see whether the same MFA code grants access to the account with the username jeremy.

  • We switch off Intercept and, voilà, we get access to another account with the same MFA code jessamy was provided.
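The root cause behind these steps is a server that takes the username from the submitted form and checks the code without tying it to the user who completed the password step. The following added example (written for this page, not code from the challenge or any real product; all accounts, passwords and codes are constructed sample data) shows that weak pattern next to a hardened verifier that reads the user from the server-side session, compares the code in constant time, and makes it single-use, time-limited and attempt-limited:

```python
"""Toy second-factor verification: the weak check from the walkthrough beside a
hardened one. All users, codes and requests are constructed sample data."""
import hmac
import secrets
import time

# Constructed sample accounts (hypothetical; not real credentials).
USERS = {"jessamy": {"password": "pw-jessamy"}, "jeremy": {"password": "pw-jeremy"}}

# Server-side store of issued codes: username -> {"code", "expires", "attempts"}.
PENDING = {}
CODE_TTL = 120          # seconds a code stays valid
MAX_ATTEMPTS = 5        # guesses allowed per issued code


def first_factor(username, password):
    """Password step. On success, issue a code bound to this user and return the
    server-side session the browser would carry as a cookie."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[username] = {"code": code, "expires": time.time() + CODE_TTL, "attempts": 0}
    # Only the server-side session records who passed the password step.
    return {"pending_user": username, "authenticated_user": None}


def verify_mfa_vulnerable(form):
    """Weak pattern from the write-up: trusts the client-supplied username and
    checks the code against any outstanding code, so a code issued to one user
    finishes login for whichever username the form names."""
    username = form["username"]            # client-controlled field
    code = form["code"]
    if any(entry["code"] == code for entry in PENDING.values()):
        return {"authenticated_user": username}
    return None


def verify_mfa_hardened(session, form):
    """Fixed pattern: the user comes from the server-side session, the code must
    be the one issued to that user, and it is single-use, time-limited and
    attempt-limited. The form's username field is ignored entirely."""
    username = session.get("pending_user")
    if username is None:
        return None                          # no password step completed
    entry = PENDING.get(username)
    if entry is None:
        return None
    if time.time() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        PENDING.pop(username, None)          # expired or brute-forced: invalidate
        return None
    entry["attempts"] += 1
    if not hmac.compare_digest(entry["code"], form["code"]):
        return None
    PENDING.pop(username, None)              # single use
    session["pending_user"] = None
    session["authenticated_user"] = username
    return session


def demo():
    """Replay the username swap from the walkthrough against both checks:
    jessamy passes the password step, then the MFA form names jeremy."""
    session = first_factor("jessamy", "pw-jessamy")
    swapped_form = {"username": "jeremy", "code": PENDING["jessamy"]["code"]}
    weak = verify_mfa_vulnerable(swapped_form)       # logs in as jeremy
    hardened = verify_mfa_hardened(session, swapped_form)  # logs in jessamy only
    return weak, hardened


if __name__ == "__main__":
    print(demo())
```

The detection angle for a tester or reviewer is the same in both directions: if the username (or any account identifier) in the MFA request is read from the body rather than from server-side state, the second factor is not really bound to the first. A defender can also log the mismatch case, a session whose pending user differs from the username field, as a signal of exactly this manipulation.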

BB Example

  • Register two accounts.

  • Try the MFA code we get for one account on the other account.

  • In Burp, try changing the user, the MFA code and similar fields in the verification request.