Lab: 2FA broken logic
This lab's two-factor authentication is vulnerable due to its flawed logic. To solve the lab, access Carlos's "My account" page.
You also have access to the email server to receive your 2FA verification code.
Carlos will not attempt to log in to the website himself.
With Burp running, log in to your own account and investigate the 2FA verification process. Notice that in the
POST /login2request, the
verifyparameter is used to determine which user's account is being accessed.
- Log out of your account.
GET /login2request to Burp Repeater. Change the value of the
carlosand send the request. This ensures that a temporary 2FA code is generated for Carlos.
- Go to the login page and enter your username and password. Then, submit an invalid 2FA code.
POST /login2request to Burp Intruder.
In Burp Intruder, set the
carlosand add a payload position to the
mfa-codeparameter. Brute-force the verification code.
- Load the 302 response in your browser.
- Click "My account" to solve the lab.