Lab: 2FA broken logic

PRACTITIONER

This lab's two-factor authentication is vulnerable due to its flawed logic. To solve the lab, access Carlos's account page.

Your credentials: wiener:peter
Victim's username: carlos

You also have access to the email server to receive your 2FA verification code.

Hint

Carlos will not attempt to log in to the website himself.

Access the lab

Solution

With Burp running, log in to your own account and investigate the 2FA verification process. Notice that in the POST /login2 request, the verify parameter is used to determine which user's account is being accessed.
Log out of your account.
Send the GET /login2 request to Burp Repeater. Change the value of the verify parameter to carlos and send the request. This ensures that a temporary 2FA code is generated for Carlos.
Go to the login page and enter your username and password. Then, submit an invalid 2FA code.
Send the POST /login2 request to Burp Intruder.
In Burp Intruder, set the verify parameter to carlos and add a payload position to the mfa-code parameter. Brute-force the verification code.
Load the 302 response in the browser.
Click My account to solve the lab.

Community solutions

Michael Sommer

Want to track your progress and have a more personalized learning experience? (It's free!)

Sign up Login

In this topic

Authentication vulnerabilities Password-based login Multi-factor authentication Other authentication mechanisms How to secure your authentication mechanisms

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

Practise exploiting vulnerabilities on realistic targets.
Record your progression from Apprentice to Expert.
See where you rank in our Hall of Fame.

Already got an account? Login here