Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: 2FA simple bypass

APPRENTICE

This lab's two-factor authentication can be bypassed. You have already obtained a valid username and password, but do not have access to the user's 2FA verification code. To solve the lab, access Carlos's account page.

  • Your credentials: wiener:peter
  • Victim's credentials carlos:montoya
ACCESS THE LAB

Solution

  1. Log in to your own account. Your 2FA verification code will be sent to you by email. Click the Email client button to access your emails.
  2. Go to your account page and make a note of the URL.
  3. Log out of your account.
  4. Log in using the victim's credentials.
  5. When prompted for the verification code, manually change the URL to navigate to /my-account. The lab is solved when the page loads.

Community solutions

Michael Sommer

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find vulnerabilities in your authentication using Burp Suite

Try for free