Second Factor Authentication (2FA) Bypass

gayatri r
1 min read · May 23, 2020


Vulnerability Category: A2-Broken Authentication

Vulnerability Description: Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which the user provides two different authentication factors to verify their identity, better protecting both the user’s credentials and the resources the user can access. Bypassing the two-step verification leads to unauthorized access to the resource.

Impact: An attacker can gain access to the victim’s account or to resources they are not authorized to use.

Recommendation:

1) The server should always issue randomized tokens.

2) The server should validate that the user has actually provided an OTP value in the field, rather than accepting an empty or missing value.

3) The server should never reveal OTP codes of any kind in its responses.

Severity : Medium

CVSS v3.0 Score: 6.5

CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

How to Test:

1) Check whether confirmation tokens can be reused after they have already been used once.

2) Check whether the 2FA values can be brute-forced.

3) Check whether the OTP step can be skipped by directly calling the API request that is normally generated after a correct OTP submission.

4) Check the requests that can modify or delete settings on the 2FA function.
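To show what the three recommendations look like on the server side and why the four tests above then fail, here is an added example of an OTP verifier written for this post; it is not code from the original article. It assumes a fixed attempt limit and OTP lifetime (`MAX_ATTEMPTS`, `OTP_TTL_SECONDS`) and an in-memory session store, which are illustrative choices.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # lockout threshold; assumed policy value
OTP_TTL_SECONDS = 300     # OTP lifetime in seconds; assumed policy value


class OtpVerifier:
    """Server-side 2FA state: random single-use OTP, attempt limit, and a
    post-2FA flag that is set only after a correct code is verified."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # session_id -> {"otp", "expires", "attempts"}
        self.verified = set()     # session_ids that have completed 2FA

    def issue(self, session_id):
        # Recommendation 1: a random 6-digit code from the CSPRNG, never sequential.
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = {"otp": otp,
                                    "expires": self.now() + OTP_TTL_SECONDS,
                                    "attempts": 0}
        self.verified.discard(session_id)   # a new challenge re-locks the session
        return otp   # to be delivered out of band; never placed in the HTTP response

    def verify(self, session_id, submitted):
        """Recommendation 3: the response carries a status and never the OTP itself."""
        entry = self.pending.get(session_id)
        if entry is None:
            return {"ok": False, "error": "no pending challenge"}
        # Recommendation 2: an empty or missing value is rejected, not treated as a match.
        if not submitted or not submitted.strip():
            return {"ok": False, "error": "otp required"}
        if self.now() > entry["expires"]:
            del self.pending[session_id]
            return {"ok": False, "error": "otp expired"}
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:   # test 2: brute force is cut off
            del self.pending[session_id]
            return {"ok": False, "error": "too many attempts"}
        if not hmac.compare_digest(entry["otp"], submitted.strip()):
            return {"ok": False, "error": "invalid otp"}
        del self.pending[session_id]           # test 1: single use, replay fails
        self.verified.add(session_id)
        return {"ok": True}

    def protected_resource(self, session_id):
        """Test 3: the post-2FA endpoint trusts server-side state, not the client."""
        if session_id not in self.verified:
            return {"ok": False, "error": "2fa not completed"}
        return {"ok": True, "data": "protected content"}
```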

Tools to Use:

  1. Burp Suite to capture the request and response

Note: If I wrote any mistakes in my posts, please notify me; I will rectify them and learn more about it.
