Account Takeover/mfa-bypass.md: 7 additions & 7 deletions
@@ -25,17 +25,17 @@
### Response Manipulation
-
In response if`"success":false`
+
If response is`"success":false`
Change it to `"success":true`
### Status Code Manipulation
If Status Code is **4xx**
-
Try to change it to **200 OK** and see if it bypass restrictions
+
Try changing it to **200 OK** and see if it bypass restrictions
### 2FA Code Leakage in Response
-
Check the response of the 2FA Code Triggering Request to see if the code is leaked.
+
Check the response of the 2FA Code Triggering Request for leaked code.
### JS File Analysis
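Review bot: the rewording on line 34 still reads "see if it bypass restrictions"; the verb has to agree with "it", so make it "see if it bypasses restrictions". Line 28 also still lacks a space before the code span ("If response is`"success":false`", a defect carried over from the original line); write it as "If the response is `"success":false`". Since both Response Manipulation and Status Code Manipulation describe editing what the server sent back, it would help the reader to add one sentence that this only bypasses 2FA when the client, rather than the server, decides based on that response, and that the tester should confirm the resulting session actually has authenticated access and not merely a rendered page.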
@@ -51,7 +51,7 @@ Possible to brute-force any length 2FA Code
### Missing 2FA Code Integrity Validation
-
Code for any user acc can be used to bypass the 2FA
+
Code for any user account can be used to bypass the 2FA
### CSRF on 2FA Disabling
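Review bot: line 54 fixes the abbreviation, but "Code for any user account can be used to bypass the 2FA" still does not say what the test is. Suggest spelling out the procedure under "Missing 2FA Code Integrity Validation": request a 2FA code for an account the tester controls, then submit that code in the victim's verification step; if it is accepted, the server is not binding the code to the user or session it was issued for.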
@@ -64,19 +64,19 @@ No CSRF Protection on disabling 2FA, also there is no auth confirmation
### Backup Code Abuse
Bypassing 2FA by abusing the Backup code feature
-
Use the abovementioned techniques to bypass Backup Code to remove/reset 2FA restrictions
+
Use the above-mentioned techniques to bypass the Backup Code to remove/reset 2FA restrictions
### Clickjacking on 2FA Disabling Page
Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
### Enabling 2FA doesn't expire Previously active Sessions
-
If the session is already hijacked and there is a session timeout vuln
+
If the session is already hijacked and there is a session timeout vulnerability
### Bypass 2FA by Force Browsing
-
If the application redirects to `/my-account` url upon login while 2Fa is disabled, try replacing `/2fa/verify` with `/my-account` while 2FA is enabled to bypass verification.
+
If the application redirects to `/my-account` url upon login while 2FA is disabled, try replacing `/2fa/verify` with `/my-account` while 2FA is enabled to bypass verification.
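Review bot: on line 75 expanding "vuln" to "vulnerability" is fine, but the sentence is still an incomplete thought: it states a precondition ("If the session is already hijacked ...") without saying what to check. Suggest something like "If a session was hijacked before the victim enabled 2FA, check whether that session remains valid afterwards; enabling 2FA should invalidate existing sessions." While in this hunk, line 71 needs an article ("social engineering the victim to disable 2FA"), and "url" on line 79 should be "URL" to match the "2FA" capitalization fixed on the same line.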