
1: What is Multi-Factor Authentication?
2: MFA Bypass Techniques
    Technique 1: Clickjacking on MFA/2FA Disable Functionality
    Technique 2: 2FA Code Leakage in Response
    Technique 3: Response Manipulation
    Technique 4: JS File Analysis
    Technique 5: Status Code Manipulation
    Technique 6: Lack of Brute-Force Protection
    Technique 7: 2FA Code Reusability
    Technique 8: Password Reset/Email Change – 2FA Disable
    Technique 9: CSRF on 2FA Disable Feature
    Technique 10: Missing 2FA Code Integrity Validation
    Technique 11: Backup Code Abuse
    Technique 12: Direct Request
    Technique 13: Enabling 2FA Doesn't Expire Previous Session
    Technique 14: 2FA Referer Check Bypass

www.buffclue.com
1: What is Multi-Factor Authentication?

Multi-factor authentication (MFA) is a security process that requires users to provide two or
more forms of identification before they can access an account or system. It adds an extra
layer of protection beyond just a username and password, making it significantly more difficult
for unauthorized users to gain access.

Typically, MFA involves the following factors:

1: Something You Know

This is usually a password or a PIN that only the user should know. It's the traditional
authentication method used in most systems.

2: Something You Have

This could be a physical device, such as a smartphone, a smart card, or a hardware token, which
generates a one-time code or a digital certificate.

3: Something You Are

This refers to biometric factors such as fingerprint scans, facial recognition, or iris scans.
Biometric authentication adds an additional layer of security by verifying unique physical
characteristics.

By combining two or more of these factors, MFA significantly enhances security compared to
relying solely on passwords, which can be vulnerable to various threats like phishing, brute-
force attacks, or credential theft.

Can we bypass Multi-Factor Authentication?

Yes, 2FA can be bypassed in many ways.

2: MFA Bypass Techniques

Technique 1: Clickjacking on MFA/2FA Disable Functionality

• Embed the Page: Put the page where users can turn off Multi-Factor Authentication
(MFA) or Two-Factor Authentication (2FA) into an iframe.

• Trick the User: If you successfully embed the page, try to trick the user into turning
off these security features using a social engineering trick.

Technique 2: 2FA Code Leakage in Response

• Capture the Request: When a request is made to trigger the Two-Factor
Authentication (2FA) code, like sending an OTP (One-Time Password), intercept and
record this request.

• Analyze the Response: Check the response to this request to see if the 2FA code is
exposed or leaked in any way.

Technique 3: Response Manipulation

• Inspect the response: Look at the response received after sending the Two-Factor
Authentication (2FA) request.
• Check for "Success":false: See if the response indicates that the 2FA request was not
successful.
• Modify "Success" status: Change the "Success" status from false to true in the
response to see if it allows bypassing the 2FA. This can be done manually or by using
Burp Match & Replace Rules to automate the process.

Technique 4: JS File Analysis

• Trigger the 2FA code request: When you're trying to get the Two-Factor
Authentication (2FA) code, start the process.
• Look at the JavaScript (JS) files: Check all the JS files mentioned in the response you
get back.
• Search for bypass clues: See if any of these JS files have information that might help
you bypass the 2FA code.

Technique 5: Status Code Manipulation

• Check the Response Status Code: Look at the status code in the response, such as
401 or 402, which are in the 4XX range.
• Modify the Status Code: If it's a 4XX code, change it to "200 OK" and see if this action
allows you to bypass the Two-Factor Authentication (2FA).
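Techniques 2, 3 and 5 only work when the server lets the browser decide the outcome of the second factor. The following is an added Python example, not code from this document or from buffclue: it puts a vulnerable handler set (code echoed in the body, front end redirects on `success:true`, dashboard never checks) beside a hardened one in which the code is delivered out of band and the post-2FA page is gated on a server-side flag. The session record, the `deliver` stub, the six-digit code format and the route shapes are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict]  # (HTTP status, JSON body)


@dataclass
class Session:
    """Server-side session record; constructed for this example."""
    user_id: str
    pending_otp: Optional[str] = None
    mfa_verified: bool = False


def new_otp() -> str:
    """Six-digit code from a CSPRNG."""
    return f"{secrets.randbelow(10**6):06d}"


# --- Vulnerable pattern: the code is echoed and the browser decides what comes next ---

def vulnerable_send_otp(session: Session) -> Response:
    session.pending_otp = new_otp()
    # Defect: the body that reaches the browser carries the code itself (Technique 2).
    return 200, {"success": True, "otp": session.pending_otp}


def vulnerable_verify_otp(session: Session, submitted: str) -> Response:
    ok = submitted == session.pending_otp
    # Defect: nothing is recorded server-side. Front-end JS redirects to the dashboard
    # whenever it sees success:true or HTTP 200, so rewriting the response is enough
    # (Techniques 3 and 5).
    return (200, {"success": True}) if ok else (401, {"success": False})


def vulnerable_dashboard(session: Session) -> Response:
    # Defect: the post-2FA page never checks that 2FA was actually completed.
    return 200, {"data": "account dashboard"}


# --- Hardened pattern: deliver out-of-band, record the outcome server-side, gate on it ---

def hardened_send_otp(session: Session, deliver: Callable[[str, str], None]) -> Response:
    session.pending_otp = new_otp()
    deliver(session.user_id, session.pending_otp)  # SMS/e-mail gateway; a stub here (assumption)
    return 200, {"success": True}  # nothing in the body is reusable


def hardened_verify_otp(session: Session, submitted: str) -> Response:
    expected = session.pending_otp
    if expected is not None and hmac.compare_digest(expected.encode(), submitted.encode()):
        session.pending_otp = None   # single use
        session.mfa_verified = True  # the only fact the dashboard trusts
        return 200, {"success": True}
    return 401, {"success": False}


def hardened_dashboard(session: Session) -> Response:
    if not session.mfa_verified:
        return 403, {"error": "mfa_required"}
    return 200, {"data": "account dashboard"}


def tamper(response: Response) -> Response:
    """What a proxy Match & Replace rule turns a failed verification into before the browser sees it."""
    _status, body = response
    return 200, {**body, "success": True}


def simulate_bypass(verify, dashboard) -> int:
    """Submit a wrong code, rewrite the verify response to look successful, then request the
    dashboard as the browser would. Returns the dashboard status: 200 means the bypass worked."""
    session = Session(user_id="alice", pending_otp="123456")  # constructed: a code was just issued
    rewritten = tamper(verify(session, "000000"))
    assert rewritten[0] == 200  # the browser's JS only ever sees this rewritten response
    status, _body = dashboard(session)
    return status


if __name__ == "__main__":
    print("vulnerable flow, tampered response ->", simulate_bypass(vulnerable_verify_otp, vulnerable_dashboard))
    print("hardened flow, tampered response   ->", simulate_bypass(hardened_verify_otp, hardened_dashboard))
```

`simulate_bypass` returns 200 for the vulnerable pair and 403 for the hardened pair, because the rewritten response never touches the server's `mfa_verified` flag. On the monitoring side, a verification endpoint answering 401 followed immediately by a successful request for the post-2FA page from the same session is the sequence worth alerting on.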

Technique 6: Lack of Brute-Force Protection

• Request 2FA code and record it: Start by asking for the Two-Factor Authentication
(2FA) code and keep track of this request.
• Repeat the request multiple times: Try sending the same request 100-200 times. If
there's no limit stopping you, it indicates a problem with rate limits.
• Test 2FA code validity: When you reach the page where you need to enter the 2FA
code, try different combinations to see if you can guess a valid code. This is called
brute-forcing.
• Explore simultaneous actions: Experiment by simultaneously requesting OTPs on one
side and attempting brute-force on the other. Eventually, you might find a match in
the middle, providing a quick result.

Technique 7: 2FA Code Reusability

• Request and use a 2FA code: Start by asking for a Two-Factor Authentication (2FA)
code and use it for authentication.
• Attempt to reuse the same 2FA code: Try using the same 2FA code again. If it works
a second time, there's a problem.
• Test code expiration: Request multiple 2FA codes and observe if previously requested
codes become invalid when a new code is requested.
• Test code reuse after a long time: Try reusing a previously used code after a
considerable duration, like a day or more. If it still works, it's a potential issue since it
suggests the code is susceptible to being guessed or cracked within that timeframe.

Technique 8: Password Reset/Email Change – 2FA Disable

• Perform email change or password reset: Imagine you can change the email address
associated with the victim's account or reset their password, either by your actions or
by convincing the victim to do it.
• 2FA is turned off after email or password change: After the email is changed or the
password is reset, the Two-Factor Authentication (2FA) is automatically disabled. While
this might not be a problem for all organizations, it could pose an issue depending on
the specific circumstances of each case.

Technique 9: CSRF on 2FA Disable Feature

• Go to the 2FA settings page and select "Disable": Access the Two-Factor
Authentication (2FA) settings page and choose the option to disable it. Use Burp Suite
to capture this action and create a CSRF (Cross-Site Request Forgery) Proof of Concept
(PoC).
• Send the PoC to the victim: Share the CSRF PoC with the victim user and verify if the
CSRF successfully triggers, leading to the removal of 2FA from their account.
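Techniques 1 and 9 both aim at the same action, turning 2FA off, so one handler can close both. This is an added Python example, not code from this document or from buffclue: the settings page is served with anti-framing headers, and the disable request must carry the session's CSRF token, arrive with the application's own `Origin`, and follow a recent 2FA verification (step-up). `APP_ORIGIN`, `REAUTH_WINDOW`, the route names and the account/session records are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Headers that keep the settings page out of an attacker-controlled iframe (Technique 1).
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

APP_ORIGIN = "https://app.example"  # assumption: the application's own origin
REAUTH_WINDOW = 300                 # seconds a 2FA verification stays fresh for sensitive actions


@dataclass
class Account:
    user_id: str
    mfa_enabled: bool = True


@dataclass
class Session:
    account: Account
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    mfa_verified_at: Optional[float] = None   # time of the last successful 2FA check


def render_disable_page(session: Session) -> Tuple[int, Dict[str, str], Dict]:
    """GET /settings/2fa: (status, headers, body). The form embeds the session's CSRF token,
    which a page on another origin cannot read."""
    body = {"form": {"action": "/settings/2fa/disable", "csrf_token": session.csrf_token}}
    return 200, dict(ANTI_FRAMING_HEADERS), body


def disable_2fa(session: Session, form: Dict[str, str], request_headers: Dict[str, str],
                now: Callable[[], float] = time.time) -> Tuple[int, Dict]:
    """POST /settings/2fa/disable. Checks run in order: Origin, CSRF token, step-up, then the change."""
    # 1. A form POST from another site carries that site's Origin; only our own is accepted.
    if request_headers.get("Origin") != APP_ORIGIN:
        return 403, {"error": "bad_origin"}
    # 2. Token from the rendered form must match the session's token (Technique 9).
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, {"error": "csrf_token_mismatch"}
    # 3. Step-up: a 2FA verification within REAUTH_WINDOW is required, so a hijacked
    #    session or a tricked click on a framed page is not enough by itself.
    if session.mfa_verified_at is None or now() - session.mfa_verified_at > REAUTH_WINDOW:
        return 401, {"error": "reauth_required"}
    session.account.mfa_enabled = False
    session.csrf_token = secrets.token_urlsafe(32)  # rotate after a state-changing action
    return 200, {"mfa_enabled": False}


if __name__ == "__main__":
    acct = Account("alice")
    sess = Session(acct)
    _status, headers, page = render_disable_page(sess)
    print(headers)
    sess.mfa_verified_at = time.time()
    print(disable_2fa(sess, page["form"], {"Origin": APP_ORIGIN}))
```

Each rejected request returns a distinct error so that logs can distinguish a cross-site attempt (`bad_origin`, `csrf_token_mismatch`) from a legitimate user who simply needs to re-verify (`reauth_required`); a burst of the former against one account is the signal to look for.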

Technique 10: Missing 2FA Code Integrity Validation

• Get a 2FA code from the Attacker Account: Start by obtaining a valid Two-Factor
Authentication (2FA) code from the Attacker Account.
• Try using this code in the victim's 2FA request: Attempt to use the obtained 2FA
code in the victim's 2FA request to check if it successfully bypasses the 2FA protection.

Technique 11: Backup Code Abuse

• Apply the same methods used for Two-Factor Authentication (2FA) like manipulating
response/status codes and brute-forcing to bypass Backup Codes and deactivate/reset
2FA.
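Techniques 6, 7, 10 and 11 all come down to how the server stores and checks codes. The following is an added Python example, not code from this document or from buffclue: a small per-user code store with lock-out after repeated failures, expiry, single use, invalidation of the earlier code when a new one is issued, lookup bound to the user the code was issued to (so a code from another account never matches), and hashed single-use backup codes that share the same lock-out counter. The thresholds `OTP_TTL`, `MAX_FAILURES` and `LOCKOUT`, the six-digit OTP format and the ten-hex-character backup-code format are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Set, Tuple

OTP_TTL = 300       # seconds an OTP stays valid
MAX_FAILURES = 5    # wrong codes allowed per user before lock-out
LOCKOUT = 900       # seconds the lock-out lasts


class OtpStore:
    """One-time and backup codes with the properties Techniques 6, 7, 10 and 11 probe for."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.pending: Dict[str, Tuple[str, float]] = {}   # user_id -> (code, issued_at)
        self.failures: Dict[str, Tuple[int, float]] = {}  # user_id -> (count, window_start)
        self.backup_hashes: Dict[str, Set[str]] = {}      # user_id -> hashes of unused backup codes

    # -- lock-out bookkeeping (Technique 6) -------------------------------------------
    def _locked(self, user_id: str) -> bool:
        count, start = self.failures.get(user_id, (0, 0.0))
        return count >= MAX_FAILURES and self.now() - start < LOCKOUT

    def _fail(self, user_id: str) -> str:
        count, start = self.failures.get(user_id, (0, self.now()))
        if self.now() - start >= LOCKOUT:        # stale window: start counting again
            count, start = 0, self.now()
        self.failures[user_id] = (count + 1, start)
        return "invalid"

    # -- one-time codes (Techniques 7 and 10) ------------------------------------------
    def issue(self, user_id: str) -> str:
        """Fresh code for this user; any earlier code for the same user is discarded."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = (code, self.now())
        return code  # deliver out-of-band; never place it in an HTTP response body

    def verify(self, user_id: str, submitted: str) -> str:
        """Returns 'ok', 'invalid', 'expired' or 'locked'."""
        if self._locked(user_id):
            return "locked"
        entry = self.pending.get(user_id)  # keyed by user: a code issued to someone else never matches
        if entry is None:
            return self._fail(user_id)
        code, issued_at = entry
        if self.now() - issued_at > OTP_TTL:
            del self.pending[user_id]
            return "expired"
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self.pending[user_id]          # single use
            self.failures.pop(user_id, None)
            return "ok"
        return self._fail(user_id)

    # -- backup codes (Technique 11) ---------------------------------------------------
    @staticmethod
    def _hash(code: str) -> str:
        # Backup codes here are 40-bit random values; for shorter codes a password hash
        # (argon2/bcrypt) with a per-user salt is the usual choice.
        return hashlib.sha256(code.encode()).hexdigest()

    def generate_backup_codes(self, user_id: str, n: int = 8) -> List[str]:
        """Plaintext codes for one-time display to the user; only hashes are kept."""
        codes = [secrets.token_hex(5) for _ in range(n)]
        self.backup_hashes[user_id] = {self._hash(c) for c in codes}
        return codes

    def verify_backup(self, user_id: str, submitted: str) -> str:
        """Same lock-out counter as OTPs; each backup code is consumed on first use."""
        if self._locked(user_id):
            return "locked"
        digest = self._hash(submitted)
        unused = self.backup_hashes.get(user_id, set())
        if digest in unused:
            unused.remove(digest)
            self.failures.pop(user_id, None)
            return "ok"
        return self._fail(user_id)


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice")
    print(store.verify("alice", code), store.verify("alice", code))  # ok invalid
```

The lock-out is keyed by the account under attack rather than by client IP, so distributing guesses across addresses does not reset it; a per-IP or global limit on the issue endpoint belongs alongside it, since unlimited re-issuing is the other half of what Technique 6 tests.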

Technique 12: Direct Request

• Skip directly to the page that comes after Two-Factor Authentication (2FA) or any other
authenticated page of the application.
• Check if this bypasses the 2FA restrictions and grants access without requiring
additional authentication steps.

Technique 13: Enabling 2FA Doesn't Expire Previous Session

• Sign in with two browsers: Log in to the application using two different web browsers.
Activate Two-Factor Authentication (2FA) during the first session.
• Check the second session: If the second session is still active and hasn't expired, it
might indicate a problem with session expiration. In this case, if an attacker takes
control of an active session before reaching the 2FA step, they could perform all
functions without needing to complete 2FA.

Technique 14: 2FA Referer Check Bypass

• Skip directly to the post-2FA page: Navigate directly to the page that comes after
completing Two-Factor Authentication (2FA) or any other authenticated page within
the application.
• Attempt to bypass: If direct navigation doesn't succeed, alter the Referer header to
match the URL of the 2FA page. This can deceive an application that treats the Referer
as proof that the request followed successful completion of 2FA.
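Techniques 12, 13 and 14 are all answered by the same two server-side rules: every post-login page is gated on session state the client cannot set, and enabling 2FA revokes the user's other sessions. The following is an added Python example, not code from this document or from buffclue; the session store, the `/2fa` path in the spoofed Referer and the `weak_authorize` counterexample (the pattern Technique 14 relies on) are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Session:
    user_id: str
    mfa_verified: bool = False   # set only by the server after a verified code


class SessionStore:
    """Server-side sessions plus the per-user 2FA flag; constructed for this example."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}   # session id -> session
        self.mfa_enabled: Dict[str, bool] = {}   # user_id -> has 2FA turned on

    def login(self, user_id: str) -> str:
        """Password step done; returns the new session id. 2FA, if enabled, is still outstanding."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user_id)
        return sid

    def complete_mfa(self, sid: str) -> None:
        """Called only after the submitted code has been verified server-side."""
        self.sessions[sid].mfa_verified = True

    def enable_2fa(self, sid: str) -> int:
        """Turn 2FA on for the session's user and revoke that user's other sessions (Technique 13).
        Returns the number of sessions revoked."""
        current = self.sessions[sid]
        self.mfa_enabled[current.user_id] = True
        current.mfa_verified = True  # the enrolling session just proved possession of the factor
        others = [s for s, sess in self.sessions.items()
                  if sess.user_id == current.user_id and s != sid]
        for s in others:
            del self.sessions[s]
        return len(others)

    def authorize(self, sid: str, request_headers: Dict[str, str]) -> Tuple[int, Dict]:
        """Gate for every post-login page. Only server-side state is consulted: neither the
        requested path (Technique 12) nor the Referer header (Technique 14) plays any part."""
        session = self.sessions.get(sid)
        if session is None:
            return 401, {"error": "no_session"}
        if self.mfa_enabled.get(session.user_id) and not session.mfa_verified:
            return 403, {"error": "mfa_required"}
        return 200, {"user": session.user_id}


def weak_authorize(store: SessionStore, sid: str, request_headers: Dict[str, str]) -> Tuple[int, Dict]:
    """Counterexample: treating a Referer of the 2FA page as proof that 2FA was passed."""
    session = store.sessions.get(sid)
    if session is None:
        return 401, {"error": "no_session"}
    came_from_2fa = request_headers.get("Referer", "").endswith("/2fa")  # client-controlled
    if store.mfa_enabled.get(session.user_id) and not (session.mfa_verified or came_from_2fa):
        return 403, {"error": "mfa_required"}
    return 200, {"user": session.user_id}


if __name__ == "__main__":
    store = SessionStore()
    first, second = store.login("alice"), store.login("alice")
    print("revoked on enable:", store.enable_2fa(first))
    print("second session after enable:", store.authorize(second, {}))
```

Revoking the other sessions on enrolment also closes the window Technique 13 describes, where a session hijacked before enrolment keeps working afterwards; the same revocation should run on password change and on 2FA disable.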
