Lab: 2FA broken logic


This lab's two-factor authentication is vulnerable due to its flawed logic. To solve the lab, access Carlos's account page.

  • Your credentials: wiener:peter
  • Victim's username: carlos

You also have access to the email server to receive your 2FA verification code.
