PortSwigger: 2FA Bypass Using A Brute-Force Attack (Updated 2023)

Aaryan Golatkar
4 min read · May 16, 2023


PortSwigger Web Security Academy: 2FA Bypass using a brute-force attack

Welcome, everyone. This is the updated write-up for the expert-level 2FA bypass lab. Since the lab has been modified, the techniques described in earlier write-ups no longer work. However, I found a new way to solve this lab, which I describe in this article.

What Has Changed?

Previously, the generated 2FA code did not expire even after logging in again. Now the code changes with every login and the previous code expires. It’s like trying to catch a moving truck!

How to Solve the Lab?

Using a random four-digit number for each request reduces the likelihood of hitting the correct code. Consider the following:

For Request 1 — Correct Code: 0141, Our Code: 0140
For Request 2 — Correct Code: 0140, Our Code: 0141

In this example the correct code differs from ours in every request. If you use an incremental code, your chances of hitting a valid code are virtually nil. To solve this problem, we must increase the likelihood of hitting the correct code. What if we submit the same code a thousand times? In one of those requests the generated 2FA code will be the correct one, and we will likely succeed.
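The following Python is an added example that is not part of this write-up: it models the reasoning above with a toy 2FA verifier and shows the defensive control whose absence makes the lab solvable. It assumes a 1,000-code space (the write-up observes that codes start with 0 followed by three digits); the verifier class, the `max_failures` parameter and the constructed code sequence are all assumptions for illustration, not PortSwigger's code.

```python
import secrets

# Assumption: codes are "0" + three random digits, so 1,000 possibilities.
CODE_SPACE = 1000


def success_probability(attempts, code_space=CODE_SPACE):
    """Probability that a fixed guess matches at least once when the
    server draws a fresh, uniformly random code for every login.
    Each attempt is independent, so P = 1 - (1 - 1/N)^attempts."""
    return 1 - (1 - 1 / code_space) ** attempts


class TwoFactorVerifier:
    """Toy model of the lab's 2FA step: a new code is issued on every
    login, as in the updated lab. `max_failures` is the control the
    vulnerable lab lacks: a per-account failure counter that is NOT
    reset by logging in again, so a re-login macro cannot clear it."""

    def __init__(self, code_source, max_failures=None):
        self.code_source = code_source      # callable returning the next code
        self.max_failures = max_failures
        self.failures = 0                   # keyed to the account, not the session
        self.locked = False
        self.current_code = None

    def login(self):
        # A fresh code replaces the previous one; the failure count survives.
        self.current_code = self.code_source()

    def verify(self, guess):
        if self.locked:
            return False
        if guess == self.current_code:
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def simulate_fixed_guess(guess, attempts, code_source, max_failures=None):
    """Repeat one fixed guess, logging in before each attempt (what the
    Burp macro does). Returns (succeeded, attempts_used)."""
    verifier = TwoFactorVerifier(code_source, max_failures)
    for n in range(1, attempts + 1):
        if verifier.locked:
            return False, n - 1
        verifier.login()
        if verifier.verify(guess):
            return True, n
    return False, attempts


if __name__ == "__main__":
    # Unlimited attempts (the lab): a fixed guess almost surely hits within 10,000.
    print(f"P(hit within 10,000 tries) = {success_probability(10_000):.5f}")
    random_codes = lambda: secrets.randbelow(CODE_SPACE)
    print(simulate_fixed_guess(993, 10_000, random_codes))
    # With a per-account lockout after 3 failures, the same run stops almost at once.
    print(simulate_fixed_guess(993, 10_000, random_codes, max_failures=3))
```

The design point is in `TwoFactorVerifier`: because the macro performs a full re-login before every Intruder request, a failure counter stored in the session would be reset each time; the counter has to be tied to the account (or the source) to stop the repeated guessing.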

We are going to use Burp macros to solve this lab. If you want to know what a macro is and how to use one, I suggest watching this video.

Solution

Step 1: Fire-Up Burp Suite

Make sure that all of your lab server requests are being captured by Burp Suite.

Step 2: Login with the Given Username & Password

Step 3: Go to Settings → Sessions → Add Macros

Select these three requests and configure them:

  1. GET /login
  2. POST /login
  3. GET /login2

Hit “OK” after selecting them.

[Screenshot: Selected Requests]

  • Select GET /login → Configure Items: select the value of the CSRF token.

[Screenshot: GET /login]

  • Select POST /login → Configure Items: ensure that the CSRF value is derived from the previous request (GET /login).
  • Select GET /login2 → Configure Items: do the same as for GET /login.

Continue selecting “OK” until you return to the Sessions tab.

Step 4: Select Session Handling Rules → Add

  • In Rule Actions, select Run a Macro
  • In the Scope section, include all URLs
  • In the Session Handling Action Editor, select the macro we created

All the settings are configured; now it’s time to exploit!

Step 5: Exploitation

  • Intercept the POST /login2 request (enter a random 2FA code) and send it to Intruder.
  • Select the mfa-code as the payload position, with Attack Type: Sniper.

[Screenshot: POST /login2]

  • As stated earlier, instead of choosing random or incremental numbers, we choose a single code and request it 10,000 times.
  • I examined the earlier 2FA authentication labs to see what kinds of codes were generated.

[Screenshot: Email client from the 2FA Simple Bypass lab]

  • As you can see, the code starts with 0 followed by random digits.
  • So we can pick any number beginning with 0. Here I repeated the number 0993 10,000 times.
  • Go to Resource Pool and set Maximum Concurrent Requests to 1.
  • Start the attack; eventually you will find a 302 response.

[Screenshot: 302 status for request no. 2066]

  • Right-click the request → Show response in browser.
  • And voilà!

[Screenshot: Lab Solved!]


Aaryan Golatkar

Cyber Security Enthusiast who has recently cracked the OSCP!