2FA simple bypass
Lab description

Walkthrough
Step 1: Login to your account
Use the given credentials wiener:peter
to log in. Once you enter the correct username and password, the application redirects you to a page asking for a 2FA code.


Step 2: Bypass the 2FA mechanism
After entering the correct One-Time Password (OTP) for the wiener
account, you gain full access to your account. However, our goal is to bypass the 2FA for the victim's account (carlos:montoya
).


Step 3: Exploit the 2FA bypass vulnerability
Log in using the victim's credentials carlos:montoya
. Instead of entering the OTP, manually navigate to the /my-account
page by modifying the URL in your browser. This will bypass the 2FA mechanism.
For example:
Replace the 2FA page URL (
/login2
) with/my-account
.
Step 4: Verify the exploit
After modifying the URL, you are successfully logged into Carlos's account without needing to provide the OTP. This confirms the 2FA bypass vulnerability.

Last updated
Was this helpful?