2FA simple bypass | Dec 21, 2022
Introduction
Welcome to another writeup! In this PortSwigger Labs lab, you'll learn: 2FA simple bypass! Without further ado, let's dive in.
- Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆
Background
This lab's two-factor authentication can be bypassed. You have already obtained a valid username and password, but do not have access to the user's 2FA verification code. To solve the lab, access Carlos's account page.
- Your credentials: wiener:peter
- Victim's credentials: carlos:montoya
Exploitation
Home page:

Login as user wiener:



Here, after the password is accepted, we're redirected to a second login page that asks for a 4-digit security code.
Email client:

Enter the 4-digit security code:


Now let's log in as user carlos and bypass the 2FA:


Here, the username and password were accepted, so the server has already issued us an authenticated session for carlos before the 2FA code was ever checked. The 2FA page is just the next step the server would like us to take, not something the session depends on.
Why not skip it and go straight to the /my-account page?

Nice! The /my-account page only checks that the session belongs to a logged-in user; it never checks whether that session has completed the 2FA step. Because the session is marked as logged in right after the password check, the second factor can be skipped entirely by not visiting the 2FA page at all.
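To make the flaw concrete, here is an added example that is not code from the lab or from this writeup. It models the lab's login flow in plain Python with no web framework so it runs offline: a password step that issues the session, a 2FA step, a vulnerable /my-account handler that mirrors the lab's behaviour, and a fixed one beside it. The session keys, the `/login2` path, the function names and the constructed user table are all assumptions made for illustration.

```python
# Added example (not from the lab or the writeup): a minimal model of the
# lab's login flow in plain Python. Path names, session keys and function
# names are assumptions made for illustration.
import hmac
import secrets

# Constructed user database holding the credentials the lab hands out.
USERS = {"wiener": "peter", "carlos": "montoya"}


def login_password(session: dict, username: str, password: str) -> str:
    """Step 1: check the password and issue the session.

    Returns the path the server redirects to next. The bug lives here:
    the session is marked as belonging to `username` *before* the second
    factor is checked, which is exactly what the writeup exploits.
    """
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        return "/login?error=1"
    session["user"] = username
    # Constructed 4-digit code; in the lab it is delivered to the email client.
    session["mfa_code"] = f"{secrets.randbelow(10000):04d}"
    session["mfa_verified"] = False
    return "/login2"  # assumed name for the 2FA page


def verify_2fa(session: dict, code: str) -> str:
    """Step 2: compare the submitted code with the one issued for this session."""
    if "user" not in session:
        return "/login"
    if not hmac.compare_digest(session.get("mfa_code", ""), code):
        return "/login2?error=1"
    session["mfa_verified"] = True
    session.pop("mfa_code", None)
    return "/my-account"


def my_account_vulnerable(session: dict) -> str:
    """The lab's behaviour: any session with a user is treated as fully logged in."""
    if "user" not in session:
        return "302 /login"
    return f"200 Your username is: {session['user']}"


def my_account_fixed(session: dict) -> str:
    """Hardened handler: the second factor must have been completed first."""
    if "user" not in session:
        return "302 /login"
    if not session.get("mfa_verified"):
        # Send the user back to the 2FA step instead of serving the page.
        return "302 /login2"
    return f"200 Your username is: {session['user']}"


def attacker_flow(account_handler) -> str:
    """Replay the writeup: password login as carlos, skip 2FA, request /my-account."""
    session = {}
    login_password(session, "carlos", "montoya")  # server answers with /login2
    # The attacker never submits a code; they request /my-account directly.
    return account_handler(session)


def legitimate_flow(account_handler) -> str:
    """Full flow with the correct code, for comparison."""
    session = {}
    login_password(session, "wiener", "peter")
    verify_2fa(session, session["mfa_code"])  # user reads the code from their mailbox
    return account_handler(session)


if __name__ == "__main__":
    print("vulnerable, attacker:  ", attacker_flow(my_account_vulnerable))
    print("fixed, attacker:       ", attacker_flow(my_account_fixed))
    print("fixed, legitimate:     ", legitimate_flow(my_account_fixed))
```

The design point is where the "logged in" decision is made: the fixed handler treats a session that has passed only the password step as unauthenticated for every protected page, not just for the 2FA page itself. Against a real target the same check is done with an HTTP client: POST the victim's credentials to the login endpoint, ignore the redirect to the 2FA page, and GET /my-account with the cookie the server just set.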
What we've learned:
- 2FA simple bypass