2FA Bypass Techniques

Mindmap Created By: Harsh Bothra

@harshbothra_
https://harshbothra.tech

Clickjacking on 2FA Disable
1. Try to iframe the page where the application allows a user to disable 2FA.
2. If the page can be framed (no X-Frame-Options header and no frame-ancestors directive in the Content-Security-Policy), a social engineering attack can lure the victim into clicking the "Disable" control through an attacker-controlled overlay.

2FA Code Leakage in Response
1. At the 2FA code-triggering request, such as the "Send OTP" functionality, capture the request.
2. Inspect the response to this request and check whether the 2FA code itself is leaked in it (body, headers or a debug field).

JS File Analysis
While triggering the 2FA code request, analyze all the JS files referenced in the response to see whether any of them contain information that helps bypass the 2FA code (hard-coded test codes, hidden endpoints, or verification logic that runs client-side).

Response Manipulation
1. Check the response to the 2FA verification request.
2. If you observe "success":false in the response body,
3. change it to "success":true and see whether this bypasses the 2FA. If it does, the 2FA decision is only being enforced in the client.
You can also use Burp Match & Replace rules for this.

Status Code Manipulation
1. If the response status code is 4XX (for example 401 or 403),
2. change the response status code to "200 OK" and see whether this bypasses the 2FA.

Lack of Brute-Force Protection
This covers all issues that fall under security misconfiguration, such as missing rate limiting and no brute-force protection.
1. Request a 2FA code and capture this request.
2. Repeat this request 100-200 times; if there is no limit, that is a rate-limit issue on code generation (and an SMS or e-mail flooding vector).
3. On the 2FA code verification page, try to brute-force a valid 2FA code and see whether any attempt succeeds. A 6-digit numeric code has only 1,000,000 possibilities, so without an attempt counter or lockout it falls quickly.
4. You can also combine the two: keep requesting new OTPs on one side while brute-forcing on the other. If several issued codes are valid at once, one of them will eventually match a guess in the middle, which may give a quick result.

2FA Code Reusability
1. Request a 2FA code and use it.
2. Now re-use the same 2FA code; if it is accepted again, that is an issue.
3. Also request multiple 2FA codes and see whether previously issued codes expire when a new code is requested.
4. Also try re-using a previously issued code after a long duration, say one day or more. A code that stays valid that long is a potential issue, since one day is enough time to brute-force a 6-digit 2FA code.

Password Reset / Email Change - 2FA Disable
1. Assume that you are able to perform an email change or password reset for the victim user, or can make the victim do it by any means possible.
2. Check whether 2FA is disabled after the email is changed or the password is reset. Some organizations accept this as a recovery trade-off, so it has to be judged case by case, but it means that a password-reset or email-change attack alone defeats the second factor.
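The brute-force and reuse checks above come down to four server-side properties of the verifier: a code is bound to the account it was issued for, there is only one live code per account, a code has a short lifetime and is consumed on use, and guesses are capped. The Python below is an added illustration, not part of the mindmap and not its author's code: it puts a deliberately weak verifier next to a hardened one and runs the checklist's brute-force against both, including the "keep issuing codes while guessing" variant. The class names, the 5-attempt cap, the 300-second lifetime and the injected random-number source are assumptions chosen for the example; the account-binding property is also the one that the Missing 2FA Code Integrity Validation item tests.

```python
"""Toy 2FA-code verifiers: the weaknesses the checklist probes for, next
to a hardened version. Constructed example; there is no real service."""
import hmac
import time
from dataclasses import dataclass

CODE_SPACE = 1_000_000  # 6-digit numeric OTP: at most a million guesses


class VulnerableOtpService:
    """Codes are not bound to a user, never expire, are not consumed on
    use, and no attempt counter exists (assumed weak implementation)."""

    def __init__(self, rng):
        self.rng = rng            # callable returning an int; injected so tests are deterministic
        self.valid_codes = set()  # one global pool shared by every user

    def issue(self, user):
        code = f"{self.rng() % CODE_SPACE:06d}"
        self.valid_codes.add(code)       # earlier codes stay valid (reusability item 3)
        return code

    def verify(self, user, code):
        return code in self.valid_codes  # user ignored, code never consumed, no lockout


@dataclass
class _Issued:
    code: str
    expires_at: float
    attempts: int = 0


class HardenedOtpService:
    """One live code per user, short TTL, single use, attempt cap."""
    TTL = 300          # seconds a code stays valid (assumed value)
    MAX_ATTEMPTS = 5   # wrong guesses before the code is thrown away (assumed value)

    def __init__(self, rng, clock=time.time):
        self.rng = rng
        self.clock = clock
        self.issued = {}  # user -> _Issued

    def issue(self, user):
        code = f"{self.rng() % CODE_SPACE:06d}"
        # Issuing a new code replaces, and so invalidates, the previous one.
        self.issued[user] = _Issued(code, self.clock() + self.TTL)
        return code

    def verify(self, user, code):
        entry = self.issued.get(user)    # codes are looked up per user, not globally
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self.issued[user]        # expired
            return False
        entry.attempts += 1
        if entry.attempts > self.MAX_ATTEMPTS:
            del self.issued[user]        # locked: a fresh code must be requested
            return False
        if hmac.compare_digest(entry.code, code):
            del self.issued[user]        # single use
            return True
        return False


def brute_force(service, user, max_attempts=CODE_SPACE):
    """Checklist step 3: guess codes in order and return the number of
    attempts the service accepted after, or None if it never accepted one."""
    for i in range(max_attempts):
        if service.verify(user, f"{i:06d}"):
            return i + 1
    return None


if __name__ == "__main__":
    fixed = lambda: 4242                       # stand-in for the server's RNG
    weak = VulnerableOtpService(fixed)
    weak.issue("victim")
    print("weak service fell after", brute_force(weak, "victim"), "guesses")
    strong = HardenedOtpService(fixed, clock=lambda: 1000.0)
    strong.issue("victim")
    print("hardened service result:", brute_force(strong, "victim", 20))
```

The "issue on one side, guess on the other" trick works against the weak service because every outstanding code stays in the pool, so the guesser only has to reach the lowest of them; against the hardened service each new issue discards the previous code, so the pool never grows beyond one entry.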

CSRF on 2FA Disable Feature
1. Navigate to the 2FA page, click "Disable", capture this request with Burp Suite and generate a CSRF PoC.
2. Send this PoC to the victim user and check whether the CSRF succeeds and removes 2FA from the victim's account.
3. Also check whether any authentication confirmation, such as the password or a current 2FA code, is required before disabling 2FA.

Missing 2FA Code Integrity Validation
1. Request a 2FA code from the attacker account.
2. Use this valid 2FA code in the victim's 2FA request and see whether it bypasses the 2FA protection. If it does, codes are validated against a shared pool instead of being bound to the account they were issued for.
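Before sending a PoC for the disable request (steps 1 and 3 above), it is worth checking it for the things a cross-site form post cannot reproduce: a custom header, a JSON body, an anti-CSRF token, or a password or current-code field that forces re-authentication. The Python below is an added example, not Burp's generator and not from the mindmap; the host app.example, the path /settings/2fa/disable, the header and parameter name heuristics and both captured requests are constructed for illustration.

```python
"""Assess a captured 2FA-disable request for CSRF viability and build an
auto-submitting PoC form for it. Constructed example; host, path and
captured requests are made up."""
import html
from urllib.parse import parse_qsl

# Parameter-name fragments that suggest a token or a re-authentication value (assumed heuristics).
TOKEN_HINTS = ("csrf", "xsrf", "token", "nonce")
REAUTH_HINTS = ("password", "otp", "code", "totp")
# Headers a browser will not attach to a cross-site form submission.
CUSTOM_HEADER_HINTS = ("x-csrf-token", "x-xsrf-token", "x-requested-with")

# Constructed capture of a disable request with nothing protecting it.
CAPTURED_DISABLE = (
    "POST /settings/2fa/disable HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: session=REDACTED\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "action=disable_2fa"
)

# Constructed capture of the same feature with token, custom header and password confirmation.
CAPTURED_DISABLE_HARDENED = (
    "POST /settings/2fa/disable HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: session=REDACTED\r\n"
    "X-CSRF-Token: 7d3f9a1c\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "action=disable_2fa&current_password=REDACTED&csrf_token=7d3f9a1c"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body);
    header names are lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def assess(raw):
    """Return the request's form parameters and a list of reasons a plain
    form-based CSRF would fail (empty list means it looks viable)."""
    method, path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    params = parse_qsl(body, keep_blank_values=True) if "x-www-form-urlencoded" in ctype else []
    names = [n.lower() for n, _ in params]
    blockers = []
    if any(h in headers for h in CUSTOM_HEADER_HINTS):
        blockers.append("custom header required")
    if "json" in ctype:
        blockers.append("JSON body (not form-encodable)")
    if any(t in n for n in names for t in TOKEN_HINTS):
        blockers.append("anti-CSRF token in body")
    if any(t in n for n in names for t in REAUTH_HINTS):
        blockers.append("re-authentication value in body")
    return {"method": method, "path": path, "params": params, "blockers": blockers}


def build_poc(raw):
    """Burp-style auto-submitting HTML form replaying the captured request."""
    info = assess(raw)
    _, _, headers, _ = parse_request(raw)
    action = html.escape(f"https://{headers['host']}{info['path']}", quote=True)
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(n, quote=True)}" value="{html.escape(v, quote=True)}">'
        for n, v in info["params"]
    )
    return (
        f'<html><body><form id="f" method="{info["method"]}" action="{action}">'
        f"{inputs}</form><script>document.getElementById('f').submit();</script></body></html>"
    )


if __name__ == "__main__":
    for name, raw in (("weak", CAPTURED_DISABLE), ("hardened", CAPTURED_DISABLE_HARDENED)):
        print(name, "blockers:", assess(raw)["blockers"] or "none")
    print(build_poc(CAPTURED_DISABLE))
```

A token copied from the attacker's own capture is still pasted into the PoC, which is exactly why the hardened request fails: the victim's session has a different token, and the browser will not add X-CSRF-Token to a cross-site form post at all. SameSite cookie attributes are the other common blocker, but they are visible only in the Set-Cookie response, not in the captured request.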
Direct Request
1. Directly navigate to the page that comes after 2FA, or to any other authenticated page of the application, with only the password step completed.
2. See whether this bypasses the 2FA restrictions.

Backup Code Abuse
Apply the same techniques used on 2FA codes, such as response/status code manipulation and brute-force, to bypass backup codes and disable or reset 2FA.
2FA Referer Check Bypass
1. Directly navigate to the page that comes after 2FA, or to any other authenticated page of the application.
2. If that does not succeed, change the Referer header to the 2FA page URL. This may fool an application that uses the Referer to decide whether the request came after the 2FA step was satisfied.

Enabling 2FA Doesn't Expire Previous Session
1. Log in to the application in two different browsers and enable 2FA from the first session.
2. Use the second session; if it has not been expired, that is an insufficient session expiration issue. In this scenario, if an attacker hijacks an active session before 2FA is enabled, they can carry out all functions without ever having to satisfy the second factor.
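The Direct Request, Referer check and session expiry items are all consequences of where the 2FA state is kept. The Python below is an added example, not from the mindmap or its author, of a toy application with a hardened switch: with the switch off it gates post-2FA pages on the Referer header and leaves sessions created before 2FA was enabled untouched; with it on, the decision comes from a per-session mfa_verified flag and enabling 2FA bumps a per-user generation counter that revokes every other session. The App, Session and User names, the /account path prefix and the URL https://app.example/2fa are assumptions made for the example.

```python
"""Server-side 2FA gate, weak and hardened, for the Direct Request,
Referer-check and stale-session items. Constructed example."""
import secrets
from dataclasses import dataclass

TWO_FA_PAGE = "https://app.example/2fa"   # assumed URL of the 2FA prompt
PROTECTED_PREFIX = "/account"             # assumed: pages that sit behind 2FA


@dataclass
class User:
    mfa_enabled: bool = False
    generation: int = 0   # bumped whenever the user's 2FA settings change


@dataclass
class Session:
    user: str
    mfa_verified: bool
    generation: int


class App:
    def __init__(self, hardened):
        self.hardened = hardened
        self.users = {}     # username -> User
        self.sessions = {}  # session id -> Session

    def login(self, username):
        """Password step completed. A user without 2FA gets a fully verified session."""
        u = self.users.setdefault(username, User())
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(username, mfa_verified=not u.mfa_enabled,
                                     generation=u.generation)
        return sid

    def verify_mfa(self, sid):
        """Called only after a correct code; marks this session as past 2FA."""
        self.sessions[sid].mfa_verified = True

    def enable_2fa(self, sid):
        s = self.sessions[sid]
        u = self.users[s.user]
        u.mfa_enabled = True
        s.mfa_verified = True          # the enabling session just proved possession
        if self.hardened:
            u.generation += 1          # every other session is now stale
            s.generation = u.generation

    def request(self, sid, path, referer=None):
        """Return the HTTP status the application would answer with."""
        s = self.sessions.get(sid)
        if s is None:
            return 401
        u = self.users[s.user]
        if self.hardened and s.generation != u.generation:
            del self.sessions[sid]     # session predates the 2FA change: revoked
            return 401
        needs_mfa = u.mfa_enabled and not s.mfa_verified
        if path.startswith(PROTECTED_PREFIX) and needs_mfa:
            if self.hardened:
                return 403             # only verify_mfa() can open this door
            # Weak variant: a request "coming from" the 2FA page is assumed to have passed it.
            if referer != TWO_FA_PAGE:
                return 403
        return 200


if __name__ == "__main__":
    for hardened in (False, True):
        app = App(hardened)
        old = app.login("victim")              # session from before 2FA existed
        cur = app.login("victim")
        app.enable_2fa(cur)
        fresh = app.login("victim")            # password only, code not yet entered
        print("hardened" if hardened else "weak",
              "stale session:", app.request(old, "/account/settings"),
              "spoofed referer:", app.request(fresh, "/account/settings", referer=TWO_FA_PAGE))
```

The weak variant returns 403 to the bare direct request, which is why step 1 of the Referer item looks safe on its own, and then 200 once the Referer is spoofed. An application with no gate at all (the Direct Request item) is the same code with the `needs_mfa` check removed.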
