2FA/MFA/OTP Bypass
Last updated
Was this helpful?
Last updated
Was this helpful?
Become VeryLazyTech ! π
Follow us on:
β Twitter .
πΎ Github .
π Medium .
πΊ YouTube .
π© Telegram .
π΅οΈββοΈ My Site .
Visit our for e-books and courses. π
Exploiting 2FA, MFA, and OTP bypasses can be complex, as it depends on the specific security measures of the target system. Below, weβll break down the steps for various techniques, written for beginners to understand. Weβll also include an unexpected detail: some systems allow attackers to generate OTPs themselves if the construction is flawed, which isnβt always obvious.
What to Do: Try accessing the endpoint after 2FA directly, like skipping to a protected page.
Use cURL or Postman to send a request directly to endpoints after login but before MFA completion.
If you can access the dashboard without completing MFA, the application is vulnerable.
Use old tokens again if the system doesnβt invalidate them.
Capture a valid MFA token using Burp Suite or a proxy tool.
Log in and complete MFA once while monitoring the request.
Save the token sent to the server (e.g., X-MFA-Token: 123456).
Log out and try logging in again, but instead of entering a new token, replay the old one.
If the system allows it, MFA is bypassed!
Use tokens that werenβt used yet.
Request multiple MFA codes but do not use them all.
Save an unused token (e.g., if three codes are generated, keep the last one).
Try logging in later using the saved token.
If the system accepts it, MFA is bypassed!
Look for tokens in responses.
Use a proxy (Burp Suite, mitmproxy) to intercept requests.
Look for API responses containing sensitive information.
Find and extract the MFA token.
Use the token to bypass the verification step.
A response from an API may contain:
An attacker can reuse this token for MFA verification.
JavaScript Exposure Example:
Check for exposed tokens in Developer Tools (F12 β Console):
If the MFA token is stored in local storage, an attacker can extract and reuse it.
Use email links from account creation to access without 2FA.
Create a new account and capture the verification link sent to your email.
Log out before completing the MFA setup.
Use the verification link in an incognito/private browser session.
Check if the account gets verified and logs in without MFA.
A verification email contains:
If clicking this link logs you in directly without requiring MFA, then MFA enforcement is weak.
Use your sessionβs 2FA state to access another account.
Log in to two different accounts in the same browser.
Complete MFA for one account.
Switch to the other account (via cookie or session manipulation).
Check if MFA is skipped when switching accounts.
Example Attack:
Open Account A (without MFA completed).
Open Account B in another tab and complete MFA.
Switch back to Account A and check if you now have access without completing MFA.
Reset the password and see if 2FA is bypassed.
Request a password reset for an account that has MFA enabled.
Reset the password using the provided link.
Log in with the new password and check if the system asks for MFA.
If it does not require MFA, then the system is vulnerable.
Example Attack:
A password reset email contains:
After resetting the password, if the attacker logs in and MFA is not required, they have bypassed it.
Hack into linked accounts like Google to bypass 2FA.
Some applications allow users to log in via OAuth (Google, Facebook, Microsoft, etc.) instead of requiring MFA. If an attacker compromises a linked account, they can bypass MFA entirely.
Steps to Exploit:
Find an account that allows login via a trusted platform (e.g., βSign in with Googleβ).
Compromise the Google/Facebook/Microsoft account via phishing, leaked credentials, or session hijacking.
Use the compromised account to log in to the target service.
Check if MFA is skipped due to trusted platform authentication.
Try codes repeatedly, especially if no rate limits exist.
Identify an MFA field that does not lock out users after multiple failed attempts.
Automate guessing with tools like Burp Intruder, Hydra, or custom scripts.
If the system allows resending codes, request a new code repeatedly to reset limits.
Use slow brute-force attacks (e.g., trying one code per minute to evade detection).
Example Brute Force Script (Python)
Exploit timing issues in the system.
Identify an action that requires MFA (e.g., login or enabling 2FA).
Open two or more requests in parallel (e.g., in Burp Suiteβs Turbo Intruder).
Send one request to verify MFA and another to access the system before MFA is fully processed.
If the system fails to enforce MFA correctly, access is granted without full verification.
Example Attack Scenario:
One request verifies MFA (/verify_mfa).
Another request tries accessing a protected page (/dashboard).
If the second request bypasses MFA, the system has a race condition.
Trick users into disabling 2FA.
Find the request that disables MFA (e.g., POST /disable_mfa).
Craft a malicious link that submits this request when clicked.
Trick the target user into clicking the link while logged in.
If successful, the targetβs MFA is disabled without their consent.
Example CSRF Exploit (HTML Page):
If the user is logged in and clicks the button, their MFA is disabled.
Guess cookies or fake IP addresses.
Analyze the authentication cookies after enabling βRemember Me.β
Check if the cookie contains predictable or unencrypted tokens.
Try reusing the cookie from another device to bypass MFA.
If the system uses IP-based trust, spoof the IP using the X-Forwarded-For header.
Example Exploit (Setting X-Forwarded-For Header in Curl):
Many systems have legacy components or backup mechanisms that introduce MFA weaknesses. Attackers can exploit older versions, backup codes, and previous sessions to bypass MFA entirely.
Check subdomains or APIs for outdated, vulnerable setups.
Find outdated versions by scanning subdomains and API endpoints.
Use tools like Subfinder, Amass, or Wayback Machine to locate old versions.
Example: legacy.target.com, api.v1.target.com/login.
Check if MFA is missing or has known security flaws.
Attempt login via the old version to bypass MFA enforcement.
Example Subdomain Scan (Using Subfinder & Nmap):
If an older version exists, try logging in without MFA.
Steal or generate backup codes if access controls are weak.
Look for security misconfigurations that expose backup codes:
CORS misconfigurations: Check if an attacker-controlled website can read API responses.
XSS vulnerabilities: Inject JavaScript to steal codes.
Unprotected API endpoints: Check /user/backup_codes or similar.
Extract backup codes using one of the found vulnerabilities.
Use the stolen codes to authenticate and bypass MFA.
Example XSS Payload to Steal Backup Codes:
If successful, the attacker now has valid MFA bypass codes.
Use old sessions if not terminated after 2FA setup.
Log in before MFA is enabled.
Save session cookies or authentication tokens.
Ask the user to enable MFA or wait for them to do it.
Reuse the old session to access the account without completing MFA.
Example: Stealing Session Tokens with JavaScript
If a valid session cookie exists, the attacker can reuse it to bypass MFA.
Look for sensitive data on 2FA pages.
Visit the 2FA page and inspect the page source or network requests.
Look for email addresses, phone numbers, security questions, or partial OTPs.
Use this leaked data to phish the user, brute-force the OTP, or reset the password.
Example: Finding Leaked Data in Network Requests (Using Burp Suite)
Enable Burp Proxy and navigate to the 2FA page.
Look for server responses containing hints like:
Your OTP starts with 123***
Your registered email: user@example.com
Last four digits of your phone: 5678
Use this data to guess OTPs, reset passwords, or craft social engineering attacks.
Reset password after 2FA setup and check access.
Initiate a password reset for the target account.
Change the password using the reset link.
Log in with the new password and check if the system prompts for 2FA.
If MFA is not required after the reset, access is granted without it.
Example Attack Workflow:
Attacker requests a password reset for victim@example.com.
If they have access to the victimβs email, reset the password.
Log in using the new password and check if MFA is enforced.
If the system skips MFA, access is fully compromised.
Send fake requests to hide brute force attempts.
Identify the MFA endpoint used for OTP verification.
Automate attack requests while sending normal traffic (e.g., logins, page views).
If successful, the brute-force attack remains undetected by security mechanisms.
Example Decoy Attack Using Burp Intruder:
Set up an attack in Burp Suiteβs Intruder.
Use payload lists that mix:
Real login requests (to appear as a normal user).
Brute force attempts (to guess the OTP).
Monitor responses to detect valid OTPs.
Generate OTPs yourself if based on known data.
Analyze how OTPs are generated (e.g., timestamps, user ID, sequential numbers).
Look for patterns by requesting multiple OTPs in a short period.
Recreate the OTP generation logic to predict future OTPs.
Example: Predicting OTPs Based on Timestamps
If the OTP format is YYYYMMDDHHMM + UserID, an attacker can reconstruct it.
Generate the OTP using a simple Python script:
If the system does not randomize OTPs, an attacker can generate valid OTPs without interception.
Learn & practice
Become VeryLazyTech ! π
β Twitter .
πΎ Github .
π Medium .
πΊ YouTube .
π© Telegram .
π΅οΈββοΈ My Site .
Visit our for e-books and courses. π