2FA simple bypass
https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/authentication-apprentice/authentication/multi-factor/lab-2fa-simple-bypass
Last updated
This lab's two-factor authentication can be bypassed. You have already obtained a valid username and password, but do not have access to the user's 2FA verification code. To solve the lab, access Carlos's account page.
Your credentials: wiener:peter
Victim's credentials: carlos:montoya
Logging in as the wiener user: after we submit the username and password, the system asks us for a 4-digit security code.
We can retrieve the numeric security code by clicking the Email client button:
Entering it in the dedicated field logs us in correctly as 'wiener':
Checking the requests, we see there are two login steps:
'Login' page:
and 'Login2' page, with GET method:
and with POST method:
All clear. Log out of wiener's account and try to log in to carlos's account (carlos:montoya):
Clicking the "Email client" button, we cannot see the message containing carlos's code.
Remembering the account page URL from the 'wiener' session, we can change the URL manually to jump straight to the account page, bypassing the 2FA check and solving the lab:
Save the URL page:
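The underlying weakness is that the application marks the session as logged in after the password step alone, so the code check is just another page in the flow rather than a gate in front of the account page. The model below (an added example, not the lab's or PortSwigger's code; sessions are plain dicts and the emailed codes are kept in an in-memory dict as a stand-in for the email client) shows that behaviour next to the fix, where the session holds only a pending marker until the code is verified:

```python
# Minimal model of the lab's two-step login (added example, not PortSwigger's code).
# Sessions are plain dicts; credentials and codes are constructed sample data.
import secrets

USERS = {"wiener": "peter", "carlos": "montoya"}   # constructed, from the lab text
CODES = {}  # username -> 4-digit code "sent" by email (in-memory stand-in)


def send_code(username):
    """Generate and 'email' a fresh 4-digit code for the second step."""
    CODES[username] = f"{secrets.randbelow(10_000):04d}"
    return CODES[username]


def login_vulnerable(session, username, password):
    """Step 1 as the lab behaves: a correct password already marks the
    session as fully authenticated, so the account page is reachable
    before the code is ever checked."""
    if USERS.get(username) != password:
        return False
    session["user"] = username          # bug: login granted before 2FA
    send_code(username)
    return True


def login_hardened(session, username, password):
    """Step 1 with the fix: the session only records that 2FA is pending."""
    if USERS.get(username) != password:
        return False
    session["pending_2fa"] = username   # not yet a logged-in user
    send_code(username)
    return True


def verify_code(session, code):
    """Step 2: promote the pending user to a logged-in user only on success."""
    username = session.get("pending_2fa")
    expected = CODES.get(username, "") if username else ""
    if not username or not secrets.compare_digest(expected, code):
        return False
    session.clear()                     # drop the pending marker and old state
    session["user"] = username
    return True


def my_account(session):
    """The protected page: returns the owner's name, or None if not logged in."""
    return session.get("user")
```

With the hardened flow, `my_account` stays `None` after the password step no matter which URL is requested, because nothing but a successful `verify_code` ever sets `session["user"]`.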