avatarGraham Zemel

Summary

The article provides a detailed walkthrough on exploiting vulnerabilities in Multi-Factor Authentication (MFA) implementations using tools like Burpsuite.

Abstract

The article titled "P1 Bug Bounties: Multi-Factor Authentication Bypass" offers a comprehensive guide on how to bypass MFA security measures, which are increasingly used to protect online accounts. It explains the different factors of authentication, including knowledge, possession, and inherence factors, and the importance of MFA in enhancing account security. The author delves into common vulnerabilities in MFA systems, such as HTTP response body manipulation, status code manipulation, forceful browsing, lack of brute force protection, and source code leakage. The article includes step-by-step instructions on exploiting these vulnerabilities, demonstrating how attackers can intercept and modify responses to gain unauthorized access. The author emphasizes the significance of understanding the underlying mechanisms of MFA and the potential weaknesses that can be exploited, while also suggesting best practices for remediation, such as implementing rate-limiting and extending the length of OTP codes.

Opinions

  • The author believes that understanding the mechanics behind MFA is crucial for both security professionals and potential attackers.
  • There is an opinion that many websites do not implement MFA correctly, leaving them vulnerable to exploitation.
  • The article suggests that despite the increased security offered by MFA, it is not foolproof and can be bypassed if not properly configured.
  • The author implies that tools like Burpsuite are powerful assets for security researchers and hackers alike in identifying and exploiting MFA vulnerabilities.
  • There is a recommendation to increase the complexity of MFA, such as using 8-digit OTP codes and ensuring robust brute-force protection, to enhance security.
  • The author encourages readers to engage with the content, offering additional resources for those interested in learning more about computer science and hacking.

P1 Bug Bounties: Multi-Factor Authentication Bypass

TL;DR-A walkthrough on how to exploit multi-factor authentication, using Burpsuite and a few other automation tools.

Photo by Ed Hardie on Unsplash

Multi-Factor Authentication is getting to be more and more prevalent in every day websites. It provides a more secure account access policy, and can reduce your chances of being hacked, specifically, bruteforced.

It’s also referred to as 2FA sometimes, which is 2 different methods of authentication (ex. email/password, AND sms code). MFA is multiple factors, and includes 2FA and higher. 3FA adds biometrics like fingerprints or face ID to the previous iteration’s factors.

Some sites don’t implement this properly though, without using best practice. This might make it vulnerable to hackers, and in this article I’ll do a full walkthrough on exploiting one of these vulnerabilities. If you’d like to see the walkthrough and skip past learning how everything works (not recommended), scroll down to ‘Methods of Bypass’.

How it works →

The three factors that can be used for 2FA are the following:

Knowledge Factor →

This is something you know. It can’t be physically lost or found, but it can be copied — like a password or PIN code.

Possession Factor →

This is something you have that can’t be easily copied, but can be stolen — like an ID, or bank card.

Inherence (Biometrics) Factor →

This is something you are, which can’t be easily faked — like a fingerprint or face ID.

2FA requires two of these three factors. MFA may use all three — or IP geolocation services to confirm your location.

This prevents hackers from getting into your account if they have both your username and password, but not the required additional factor. There’s two main types of MFA communication:

  1. Using a text message, or email

Most web apps will use public APIs to send SMS messages, but have their own code for the generation and verification of the code. Remember, repetition is one of the fundamental concepts that allows for hacking.

If you have different/complicated passwords (ex. ‘C0mPl!c4t3d’) on different accounts, you’ll be more secure against bruteforcing attacks than someone with an eight character lowercase password (ex. ‘hello123’) that they use for every account.

If each of the sites that use MFA have different code for creating and verifying the user-supplied code, it may take a bit more time to exploit a specific login page.

2. Using a third party authentication app (Google Authenticator, Authy)

These can be sent by directly from the web app’s login function, as most popular MFA third party apps will be able to integrate well into the authentication mechanism.

It’s important to recognize that this method does require the client device to have internet access in some way, due to the requirement of synchronization across all cloud, client, and web app interfaces.

Step-by-step →

1. App Authentication

2. Login (username/password)

3. OTP generation

4. OTP delivery

OTP, or (One Time Password), will generate authentication tokens on demand.

There are 3 types of tokens sent to the client that will determine the authentication mechanism code. Those token types include

Event-Based Token (HOTP):

Generates a token based on a combination of random values, offset with a dynamic value like a counter so that it can’t be predicted. These tokens may be valid for a limited amount of time, or they could be valid indefinitely.

Time-Based Token (TOTP):

The OTP system generates a new token at timely intervals, and also uses a dynamic parameter such as a counter to offset the token value. It’s a division of HOTP, and uses a time-based parameter as well, such as the current time of day. Usually valid for 30 or 60 seconds.

Challenge-Based Token (OCRA):

Upon each new user login, the authentication server provides a unique challenge key, and then this is passed as a parameter into the token generation. Usually valid for a few minutes, instead of 30 seconds like the others.

Methods Of Bypass:

What everyone’s been waiting for. Now that you understand more about what’s behind the actual application, you’re ready to find vulnerabilities and exploit the code.

- HTTP Response Body Manipulation

This is a very common vulnerability in MFA, and occurs whenever a website fails to validate a response. Websites will check whether or not the MFA code is valid, and if it is, return {“success”:true}. If it isn’t, return {“success”:false}.

However, the application only checks to proceed if {“success”:true}, which allows us to modify responses and send them back. In this scenario, an attacker can intercept the response and change the boolean “success” from false to true and bypass MFA.

Invalid OTP Request (pay attention to the OTP info at the bottom):

POST /login-otp
HOST: target.com
<EXAMPLE HEADERS:
GET /login-otp HTTP/1.1
Host: website.com
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close>
{"otp":82693}

Original Response (Accessed using the Proxy tab, ‘Intercept’, ‘Action’, ‘Do intercept’, ‘Response to this request’, forward request and you’ll see the ‘post’ response):

Basically:

200 OK
<Returns Headers/Browser Info>
{"success":false}

We’ll use Burpsuite to modify our response→

Modified Response (with same wrong OTP, but manually changed parameters):

200 OK
<redacted>
{"success":true}

If the application successfully logs in, it implies that the bypass was successful.

- HTTP Response Status Code Manipulation

If there is a status code, such as

403 Forbidden

Change it in the response to

200 OK

This method may also bypass MFA.

- Forceful Browsing

This is when you essentially force your way onto a specific site path, bypassing the actual authentication.

INTENDED workflow →

  1. The user navigates to website.com/login.php and enters the login credentials.
  2. The application redirects the user to the website.com/login-otp.php page and asks to provide OTP.
  3. Now, when the user provides a valid OTP, the user is redirected to the website.com/profile.php page and can access other parts of the application as well.

EXPLOITED workflow →

  1. The user navigates to website.com/login.php and enters the login credentials.
  2. The application redirects the user to the website.com/login-otp.php page and asks to provide OTP.
  3. Utilizing a tool such as Burpsuite, instead of giving some random OTP on the website.com/login-otp.php site, the user redirects themselves to website.com/profile.php

This forces the webpage after the login credentials are validated, and then forces the profile webpage even if the MFA was not completed.

- Lack of Brute Force Protection

If there isn’t a rate-limit or some sort of protection on the MFA page, 4 to 6 digit codes are trivial to bypass. 10,000 combinations for 4 digit codes are nothing to a computer brute force program. One’s even included in Burpsuite called ‘Intruder’.

100,000 combinations for 6 digits with TOTP increases the time to about 3 days depending on a few factors like level of security and speed of devices. In this case, I’d recommend a Meet-ITM (not Man-In-The-Middle) attack.

This is where the hacker will run parallel OTP requests, while running the brute-force attack. The OTP will (eventually) match for an instance and bypass the restriction.

- Source Code Leakage

You might find that the request leaks odd information or possibly useful information. There may even be unusual changes in the actual webpage itself. Investigate this, as it may lead to finding useful source code that can be further hacked and exploited.

I highly suggest learning how to read and analyze web requests, Javascript code, and learning library names and their current versions.

Obviously there’s plenty of remediations like keeping the OTP codes on a time limit, increasing the length to 8 digits, and ensuring that brute-force protection and rate-limiting are implemented well.

I hope you learned something from this post, and if you want to see more like it, give a few claps. For more on computer science and hacking, check out The Gray Area. If you’d like to support me and access all of my posts (and all of every other Medium writer’s), become a member using my referral link →

Thanks!

Bug Bounty
2fa
Hacking
Cybersecurity
Authentication
Recommended from ReadMedium
avatarSharat Kaikolamthuruthil
2FA Bypass via OAuth Linking

Hola Amigos,

2 min read
avatarJonathan Mondaut
How ChatGPT Turned Me into a Hacker

Discover how ChatGPT helped me become a hacker, from gathering resources to tackling CTF challenges, all with the power of AI.

4 min read
avatarRudrakshacker
How I found My first P1 Bug which ended up ….$?

Hello readers :) Let me introduce Myself. I am a noob script kiddie. Trying my luck at Bug Bounty :) I also played CTFs for almost 3 years…

3 min read
avatarMohamed AboElKheir
Lessons Learned #1: One line of code can make your application vulnerable (Pre-Auth RCE in Metabase…

Welcome all to this new series “Lessons Learned”. In this series, I plan to share some real-world vulnerabilities from the eyes of an…

4 min read
avatarPractical OSINT
8 FREE Tools for Phone Number Investigation

These tools work globally, allowing you to investigate any international phone number.

5 min read
avatar1day
How I Hacked Into a Nationwide University Database System Exposing Thousands of Student Records

INTRODUCTION

7 min read