2FA broken logic

Lab Description

Walkthrough

Step 1: Initial Observations

  • After logging in with the provided credentials wiener:peter, we are prompted for a 4-digit OTP (One-Time Password).

  • The 4-digit code is delivered to the email server, which we have access to.

Visiting the provided email client, we confirm that the code is a 4-digit number.

Step 2: Understanding the Logic Flaw

  • When analyzing the GET request that triggers the code, we see that it includes a verify parameter containing the username.

  • By changing the value of the verify parameter to carlos, the server generates a verification code for Carlos's email, even though we authenticated as wiener.

Step 3: Brute Forcing the OTP

  1. Generating Carlos's OTP:

    • Modify the verify parameter to carlos and send the request. This generates the OTP for Carlos and sends it to his email.

  2. Sending the POST Request to Burp Intruder:

    • Highlight the mfa-code parameter in the request.

    • Use Burp Suite's Intruder tool to brute force all possible 4-digit OTP combinations (0000–9999).

  3. Filtering Successful Responses:

    • After running the brute-force attack, filter the responses based on status code 302, which indicates a successful login.

Step 4: Accessing Carlos’s Account

  • Use the successful OTP code and update the mfa-code parameter.

  • Since we don’t have Carlos’s password, we use Burp Suite to send the successful request to the browser session:

    • Right-click the request > Request in Browser > In Original Session.

Carlos’s account page is successfully accessed despite the 2FA mechanism.
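The two defects this lab combines (Step 2: the verified user is taken from the request's verify parameter instead of the session; Step 3: a 4-digit code can be tried 10,000 times with no limit) are easiest to see side by side. The following is an added illustration, not the lab's own code: a toy vulnerable `login2` handler next to a hardened one that binds the second factor to the user who passed the password step, makes the code single-use and caps failed attempts. The `Session`, `issued_codes` store and `MAX_ATTEMPTS` value are assumptions for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 3  # assumed lockout threshold for the hardened handler


@dataclass
class Session:
    pending_user: Optional[str] = None   # user who passed the password step
    logged_in_as: Optional[str] = None   # set only after a valid second factor
    mfa_attempts: int = 0                # failed OTP submissions this session


# Constructed in-memory store of issued codes: username -> 4-digit code
issued_codes: dict = {}


def issue_code(username: str) -> str:
    """Generate and record a fresh 4-digit code for a user (the email step)."""
    code = f"{secrets.randbelow(10000):04d}"
    issued_codes[username] = code
    return code


def vulnerable_login2(session: Session, verify: str, mfa_code: str) -> bool:
    """Flawed check: trusts the 'verify' parameter for the identity being
    verified and never limits attempts, so any user's code can be targeted
    and a 4-digit code can be exhausted by brute force."""
    if issued_codes.get(verify) == mfa_code:
        session.logged_in_as = verify
        return True
    return False


def hardened_login2(session: Session, mfa_code: str) -> bool:
    """Hardened check: the user comes from the session, not the request; the
    code is single-use; after MAX_ATTEMPTS failures the code is invalidated."""
    user = session.pending_user
    if user is None or session.mfa_attempts >= MAX_ATTEMPTS:
        return False
    session.mfa_attempts += 1
    expected = issued_codes.get(user)
    if expected is not None and secrets.compare_digest(expected, mfa_code):
        issued_codes.pop(user, None)       # single use
        session.logged_in_as = user
        session.pending_user = None
        return True
    if session.mfa_attempts >= MAX_ATTEMPTS:
        issued_codes.pop(user, None)       # force a fresh code after lockout
    return False
```

In a real deployment the attempt counter and lockout should also be enforced server-side per user (not only per session), so that starting a new session does not reset it.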
