
🗂️PortSwigger Lab Writeup: 2FA Simple Bypass

PortSwigger lab banner: 2FA simple bypass by URL manipulation


🎯 Objective

The objective of this lab is to exploit a multi-factor authentication weakness: the application implements 2FA incorrectly, so it can be bypassed just by changing the URL. The goal is to bypass 2FA for the user carlos and log in to his account.

  • Lab URL: https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-simple-bypass
  • Category: Authentication
  • Difficulty: Apprentice

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is about and how it works. Lab homepage screenshot showing site layout
    Login page screenshot for the vulnerable application
  • At first glance, the website appears to be a blogging site with a login page. The lab description mentions that we need to brute-force the password of the user carlos and log in to the account.

📝Step 2: Log in as wiener

  • First we will observe how multi-factor authentication works by logging in as wiener, whose mailbox we have access to.
  • Enter the credentials wiener:peter on the login page and send the request. Login attempt for user wiener captured in Burp
  • We are redirected to the /login2 page to enter the OTP sent by email.
  • Open the email client to access wiener's mail and retrieve the OTP. Email client view showing OTP sent to wiener
  • Enter the OTP 1857 on the 2FA page to complete the login.
  • After the login completes, we are redirected to the user account page /my-account?id=wiener. Account page after successful 2FA for wiener

🧑‍💼Step 3: Log in as carlos

  • Now we will try to bypass 2FA by changing the URL directly to the user account page after entering only the password.
  • Enter the credentials carlos:montoya on the login page and send the request. Login attempt for carlos captured in Burp
  • Change the URL from /login2 to /my-account?id=carlos.
  • We are now logged in as carlos without completing 2FA. Account access by changing the URL to /my-account?id=carlos without completing 2FA
  • Finally, the lab is solved.
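From the defender's side, the sequence above leaves a recognisable trace: a session that receives a 200 on /my-account without ever having a successful POST to /login2. The following is an added example (not part of the original writeup and not PortSwigger's code) that runs that check over a constructed access log; the log format, the session ids and the assumption that /my-account is the only protected route are all made up for the demo.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample access log (not captured from the lab): one request per
# line as "<session-id> <method> <path> <status>". Session s1 completes the OTP
# step before reaching /my-account; session s2 skips the POST to /login2 and
# goes straight to the account page; session s3 is correctly redirected.
SAMPLE_LOG = """\
s1 POST /login 302
s1 GET /login2 200
s1 POST /login2 302
s1 GET /my-account?id=wiener 200
s2 POST /login 302
s2 GET /login2 200
s2 GET /my-account?id=carlos 200
s3 GET /my-account?id=carlos 302
"""

LINE_RE = re.compile(r"^(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")
PROTECTED_ROUTES = {"/my-account"}   # assumption: routes that require full authentication
OTP_SUBMIT_ROUTE = "/login2"         # the lab's second-factor endpoint


def parse_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Return (session_id, method, route, status) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sid, method, path, status = m.groups()
    route = path.split("?", 1)[0]   # drop the query string (?id=...)
    return sid, method, route, int(status)


def find_mfa_bypass(log_text: str) -> List[str]:
    """Flag sessions served a 200 on a protected route before a successful OTP POST."""
    otp_done: set = set()
    flagged: List[str] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        sid, method, route, status = parsed
        # A non-error response to POST /login2 is the only event that marks the
        # second factor as completed for this session.
        if method == "POST" and route == OTP_SUBMIT_ROUTE and status < 400:
            otp_done.add(sid)
        elif route in PROTECTED_ROUTES and status == 200 and sid not in otp_done:
            if sid not in flagged:
                flagged.append(sid)
    return flagged


if __name__ == "__main__":
    print("sessions reaching a protected page without OTP:", find_mfa_bypass(SAMPLE_LOG))
```

Running the script flags only s2. A production version needs the same idea keyed on whatever identifier survives login (the application rotates session cookies in many frameworks), and it is a detection of the symptom, not a substitute for the server-side fix.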

🧠 Conclusion

  • This lab demonstrates a 2FA enforcement flaw: the server treats the session as authenticated as soon as the password is accepted and does not verify the OTP server-side before allowing access to authenticated endpoints.
  • Exploit: submit the password for carlos, then navigate directly to /my-account?id=carlos to access the account without completing 2FA.
  • Fix: enforce 2FA on the server side. Issue the fully authenticated session state only after successful OTP verification, and deny access to protected endpoints until that state is present.
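To make the fix concrete, here is an added example (my own code, not PortSwigger's lab implementation) that models the login flow as server-side session state. The user table, the passwords, the generated OTP and the two handler variants are constructed for the demo; the vulnerable handler mirrors what the lab does (only a password check), the fixed handler additionally requires the session's OTP step to have completed.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed user table: username -> password (plaintext only for the demo;
# a real system stores password hashes).
USERS = {"wiener": "peter", "carlos": "montoya"}


@dataclass
class Session:
    user: Optional[str] = None          # set once a correct password was presented
    mfa_verified: bool = False          # set only after the OTP was verified
    pending_otp: Optional[str] = None   # server-side copy of the OTP "sent by email"


def login_password(session: Session, username: str, password: str) -> bool:
    """First factor: check the password and issue an OTP for this session."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return False
    session.user = username
    session.mfa_verified = False                     # password alone is not enough
    session.pending_otp = f"{secrets.randbelow(10000):04d}"  # 4-digit code, like the lab's
    return True


def verify_otp(session: Session, otp: str) -> bool:
    """Second factor: only a matching OTP flips the session to fully verified."""
    if session.user is None or session.pending_otp is None:
        return False
    if not hmac.compare_digest(session.pending_otp, otp):
        return False
    session.mfa_verified = True
    session.pending_otp = None                       # single use
    return True


def my_account_vulnerable(session: Session, requested_id: str) -> int:
    """Mirrors the lab: only checks that a password was accepted for this user."""
    if session.user is None or session.user != requested_id:
        return 302   # redirect to /login
    return 200


def my_account_fixed(session: Session, requested_id: str) -> int:
    """Hardened handler: the OTP step must have completed on the server side."""
    if session.user is None or session.user != requested_id:
        return 302   # redirect to /login
    if not session.mfa_verified:
        return 302   # redirect back to /login2 until the OTP is verified
    return 200


if __name__ == "__main__":
    s = Session()
    login_password(s, "carlos", "montoya")
    print("after password only  vulnerable:", my_account_vulnerable(s, "carlos"),
          " fixed:", my_account_fixed(s, "carlos"))
    verify_otp(s, s.pending_otp)
    print("after OTP            fixed:", my_account_fixed(s, "carlos"))
```

The key design point is that `mfa_verified` lives in server-side session state and is only ever set by `verify_otp`; the client cannot skip to the protected page because the handler, not the navigation order, decides whether the second factor happened.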