Exploiting weak 2FA

· What is Two-Factor Authentication?
As the name indicates, two-factor authentication means that two layers of authentication are needed in order to access an application or resource: for example, first entering the password and then entering a code sent to the user's mobile phone by the application. We usually call this Two-Factor Authentication (2FA).
As breaches of credentials are more common, companies want extra protection. For this, a company generally asks for one of the following:
i. A couple of security questions which you entered at the time of registration
ii. An OTP sent to your registered mobile number
iii. Authentication via Google Authenticator
iv. Clicking a link sent over email
2FA is a combination of something you know (secret questions), something you have (credit card, phone) and something you are (fingerprint, voiceprint).
2FA tokens are of two types:
i. Hardware or Hard Token: The company provides the user with a small hardware device such as an RSA token, which looks like a pen drive and shows a random 6-digit value on its screen that refreshes after 30 mins.
ii. Software or Soft Token: OTPs via SMS or email and Google Authenticator come under this.
Advantage/Need:
i. Provides an extra layer of security.
ii. Most people use the same password for multiple websites. Therefore, in order to protect them, it is essential to provide an extra layer of security.
· Working
I am explaining it on the basis of OTP.
i. The user visits the application and enters his/her normal login credentials.
ii. After authentication, the application redirects the user to the 2FA page, which asks the user to enter the OTP sent to his/her registered phone number via SMS.
iii. After entering the right OTP, the user is authenticated to the application.
· Exploitation:
We have an application with both login and registration functionality. So first we have to register a user; then we can access the application completely. At the time of registration, the application adds a note on the webpage which states:
“If you are working for securitybyng, please use your @securitybyng.ninja email address”
So this means that the application may be providing some higher-privilege access to users with @securitybyng emails.
For registration, the application asks for a username, password and email.

As I clicked on the “Register” button, I got:

The application is actually verifying the email address before providing access to the application. So it is not possible to use any email to which we don't have access, as we would not be able to verify it.

After using this email, we successfully got the registration link with a temporary token.

Copy this link and open it in a browser. After that your registration will be successful and you will get access to the application.

Now I try to log in with the same credentials. There is one tab, “My account”, inside the account. As I clicked on that, I could see that we can change our email.
Let's try with a dummy email to look at the functionality of the email change.

The email is updated, and there was email verification carried out this time. So let's try to change our email to securitybyng.ninja

As soon as I updated the email to *@securitybyng.ninja, I got the admin panel where I can carry out tasks as an administrator.

· Bypassing techniques for 2FA:
Although it provides an extra layer of security, 2FA can be bypassed if it is not implemented properly. There are some common techniques to bypass 2FA.
i. Brute forcing the token: if the 2FA entry form has no rate limiting, the token can be brute forced; some companies use 4–6 digit OTPs, so it is easy to brute force them.
ii. Manipulating the token: it is possible to tamper with tokens created by devices:
a) by providing blank values instead of the token;
b) by copying an old token value and passing it as the current token.
iii. For an application that has 2FA, check all subdomains of that application. It may be possible that login to a subdomain doesn't have 2FA, so we can log in via that subdomain and bypass the 2FA requirement.
iv. Copy the URL reached after authenticating with 2FA, such as the dashboard or home URL. Now log out, log in with your credentials and, without entering the 2FA code, try to hit that URL; it may bypass the 2FA requirement.
v. Sometimes the password reset functionality logs you in after a reset, so it may bypass the 2FA requirement.
vi. By modifying the 2FA token request, where we can set 2FA to “False” in place of “True”, so it will not ask for the 2FA code.