Lab: 2FA bypass using a brute-force attack


This lab's two-factor authentication is vulnerable to brute-forcing. You have already obtained a valid username and password, but do not have access to the user's 2FA verification code. To solve the lab, brute-force the 2FA code and access Carlos's "My account" page.

Victim's credentials: carlos:montoya

Tip: You will need to use Burp macros in conjunction with Burp Intruder to solve this lab. For more information about macros, please refer to the Burp Suite documentation. Users proficient in Python might prefer to use the Turbo Intruder extension, which is available from the BApp Store.