2FA broken logic
Lab Description

Walkthrough
Step 1: Initial Observations
After logging in with the provided credentials wiener:peter, we are prompted for a 4-digit OTP (One-Time Password). The 4-digit code is delivered to the email server, which we have access to.

Visiting the email client provided, we find that the code is a 4-digit number.

Step 2: Understanding the Logic Flaw
The GET request for the verification page includes a verify parameter containing the username. Changing the value of the verify parameter to carlos causes the server to generate a verification code for Carlos's email; in other words, the identity being verified is taken from a client-controlled value rather than from the logged-in session.

Step 3: Brute Forcing the OTP
Generating Carlos's OTP:
Modify the verify parameter to carlos and send the request. This generates the OTP for Carlos and sends it to his email.

Sending the POST Request to Burp Intruder:
Highlight the mfa-code parameter in the request. Use Burp Suite's Intruder tool to brute force all possible 4-digit OTP combinations (0000–9999).

Filtering Successful Responses:
After running the brute-force attack, filter the responses by status code 302, which indicates a successful login. That the server accepts all 10,000 attempts without locking the account or rate limiting is the second flaw that makes this attack practical.

Step 4: Accessing Carlos’s Account
Use the successful OTP code and update the mfa-code parameter. Since we don't have Carlos's password, we use Burp Suite to send the successful request to the browser session: right-click the request > Request in Browser > In Original Session.

Carlos’s account page is successfully accessed despite the 2FA mechanism.
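The two server-side mistakes behind Steps 2 and 3 (trusting a client-supplied verify value to decide whose code is checked, and allowing unlimited mfa-code guesses) are easiest to see side by side. The following is an added, constructed Python simulation written for this page; it is not the lab's code, and the user store, session fields, MAX_MFA_ATTEMPTS threshold and function names are all assumptions. The vulnerable function reproduces the behaviour the walkthrough describes; the hardened one binds the MFA check to the user who passed the password step, counts attempts, and makes each code single use.

```python
"""Constructed simulation of a two-step login with a 4-digit MFA code.

Not the lab's implementation: users, sessions and thresholds are assumed.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MAX_MFA_ATTEMPTS = 5  # assumed lockout threshold for one login attempt

# Constructed user store (password only matters for the first login step).
USERS: Dict[str, str] = {"wiener": "peter", "carlos": "placeholder-unknown"}


@dataclass
class Session:
    pending_user: Optional[str] = None  # passed password check, MFA outstanding
    user: Optional[str] = None          # fully authenticated identity
    mfa_attempts: int = 0


class MfaService:
    """Holds the code 'emailed' to each user; a real system would send mail."""

    def __init__(self) -> None:
        self.codes: Dict[str, str] = {}

    def issue_code(self, username: str) -> str:
        code = f"{secrets.randbelow(10_000):04d}"
        self.codes[username] = code
        return code


def login_password(session: Session, username: str, password: str,
                   mfa: MfaService) -> bool:
    """Step 1: password check. On success, remember who is mid-login."""
    if USERS.get(username) != password:
        return False
    session.pending_user = username
    session.mfa_attempts = 0
    mfa.issue_code(username)
    return True


# --- Vulnerable pattern (the flaw described in Steps 2 and 3) -------------

def request_code_vulnerable(mfa: MfaService, verify_param: str) -> None:
    """GET handler that issues a code for whatever user `verify` names."""
    mfa.issue_code(verify_param)


def verify_mfa_vulnerable(session: Session, mfa: MfaService,
                          verify_param: str, mfa_code: str) -> bool:
    """POST handler: identity comes from the client, and there is no
    attempt counter, so any number of guesses is allowed."""
    if mfa.codes.get(verify_param) == mfa_code:
        session.user = verify_param  # becomes whoever `verify` named
        return True
    return False


# --- Hardened pattern ----------------------------------------------------

def verify_mfa_fixed(session: Session, mfa: MfaService, mfa_code: str) -> bool:
    """POST handler: the user under verification is the one who passed the
    password step in THIS session; attempts are bounded; codes are single use."""
    user = session.pending_user
    if user is None or session.mfa_attempts >= MAX_MFA_ATTEMPTS:
        return False
    session.mfa_attempts += 1
    expected = mfa.codes.get(user)
    if expected is not None and secrets.compare_digest(expected, mfa_code):
        session.user = user
        session.pending_user = None
        mfa.codes.pop(user, None)  # code cannot be replayed
        return True
    return False


if __name__ == "__main__":
    # Vulnerable: wiener's session ends up logged in as carlos.
    mfa, s = MfaService(), Session()
    login_password(s, "wiener", "peter", mfa)
    request_code_vulnerable(mfa, "carlos")
    verify_mfa_vulnerable(s, mfa, "carlos", mfa.codes["carlos"])
    print("vulnerable session user:", s.user)

    # Hardened: carlos's code is meaningless for wiener's session.
    mfa2, s2 = MfaService(), Session()
    login_password(s2, "wiener", "peter", mfa2)
    mfa2.issue_code("carlos")
    print("fixed accepts carlos code:", verify_mfa_fixed(s2, mfa2, mfa2.codes["carlos"]))
```

The essential change is that verify_mfa_fixed never reads a username from the request: the only user it will ever log in is session.pending_user, which was set by the server after the password check. The attempt counter and single-use code are what stop the 0000–9999 enumeration from Step 3; in production these would also be backed by server-side rate limiting and alerting on repeated MFA failures.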
