Using burp suite to bypass 2FA: Practical guide

Thexssrat
4 min read, Mar 24, 2021

Introduction

Burp has various tools that make our testing better and faster. In the following scenario we will use a couple of them in conjunction with one another to maximize our chances of finding bugs quickly.

2FA broken logic

This time it appears we are testing on a blog. Here’s what we know:

  • Your credentials: wiener:peter
  • Victim’s username: carlos

You also have access to the email server to receive your 2FA verification code (see the email client button).

Let's start by clicking around as we usually do and exploring the application. We should log in, and as we do so we notice we are asked to enter a 2FA code. Let's investigate this flow further.

The most interesting request in this flow is a POST to /login2.php, where we submit the mfa-code parameter, which appears to be our multi-factor authentication code. Also notice the cookie 'verify', which determines whose MFA code is being checked.

Let's log out of the account and send the POST request to Intruder. Since we can declare whose 2FA code is being checked, we might be able to change that username and brute force the 2FA code, since it is only a 4-digit code.

We need to make sure a code is being generated first. To trigger this process we send the GET request to /login2.php to Repeater and change the verify cookie to our victim's username.

We then log in again and intercept the requests. The first call goes to /login.php; let that one through to start the 2FA process. The second call goes to /login2.php; this is the one that activates the 2FA step.
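The root cause of this lab's bug is that the server decides whose code it is checking from the client-supplied 'verify' cookie instead of from its own session state, and it lets the client try as many codes as it likes. The following Python model is an added example (not the lab's PHP code and not the author's) that places the broken logic next to a hardened version: the pending user is bound to the server-side session, the comparison is constant-time, the code is single-use, and the session locks after a few failed attempts. The usernames, the in-memory code store and MAX_ATTEMPTS are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory store standing in for the lab's database and email
# server: username -> pending 4-digit code. Assumption, not the lab's storage.
CODES = {}


def issue_code(username):
    """Generate a 4-digit MFA code for a user (what GET /login2.php triggers)."""
    code = f"{secrets.randbelow(10000):04d}"
    CODES[username] = code
    return code


# --- Vulnerable logic (models the lab's /login2.php): the identity being
# verified comes from a cookie the client controls, and nothing limits attempts.
def vulnerable_login2(cookies, form):
    user = cookies.get("verify")  # any client can set this to any username
    if user in CODES and form.get("mfa-code") == CODES[user]:
        return f"session for {user}"  # logged in as whoever the cookie names
    return None


# --- Hardened logic: identity lives in server-side session state, the code is
# compared in constant time, used once, and failures are counted and locked.
@dataclass
class Session:
    pending_user: Optional[str] = None  # set by the password step, never by the client
    failures: int = 0
    locked: bool = False


MAX_ATTEMPTS = 3  # assumption: lock the second factor after three wrong codes


def hardened_login2(session, form):
    if session.locked or session.pending_user is None:
        return None  # no password-verified user pending, or already locked
    user = session.pending_user
    expected = CODES.get(user)
    submitted = form.get("mfa-code", "")
    if expected is not None and secrets.compare_digest(submitted, expected):
        CODES.pop(user)  # single use: a replayed code must not work
        session.pending_user = None
        session.failures = 0
        return f"session for {user}"
    session.failures += 1
    if session.failures >= MAX_ATTEMPTS:
        session.locked = True
        CODES.pop(user, None)  # invalidate the code; the user must restart login
    return None


if __name__ == "__main__":
    code = issue_code("carlos")
    print("vulnerable, cookie swapped:", vulnerable_login2({"verify": "carlos"}, {"mfa-code": code}))
    s = Session(pending_user="wiener")
    issue_code("wiener")
    for _ in range(MAX_ATTEMPTS):
        hardened_login2(s, {"mfa-code": "0000"})
    print("hardened, locked after failures:", s.locked)
```

The key difference is where the user identity comes from: in the hardened version the 2FA step can only complete for the account whose password was just verified in this same session, so changing a cookie to another username has no effect, and the attempt counter removes the option of cycling through the 10,000 possible codes.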
