[This lab](https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-simple-bypass) demonstrates a **broken implementation of two-factor authentication (2FA)** where the second factor is **checked only in the UI flow**, not at the back-end level. This allows attackers to **bypass the 2FA step entirely** by accessing authenticated resources directly after login — no verification code needed.
---
##### Step-by-Step Exploitation
###### 1. Log in as Yourself (wiener)
- Enter `wiener:peter` into the login form
- You'll be prompted for a **2FA code**
- Click the **"Email client"** button to read your code
- Copy the 2FA code and complete login (not strictly necessary, but helps to confirm flow)
---
###### 2. Note the Authenticated URL
Once logged in as `wiener`, navigate to:
```
/my-account
```
This is the post-login page that normally requires 2FA to access.
Make note of the URL.
---
###### 3. Log Out
Click "Log out" or clear the session to reset authentication flow.
---
###### 4. Log in as Carlos
- Enter credentials: `carlos:montoya`
- You’ll again be prompted for a 2FA code — but **you don’t have it**
**DO NOT submit anything.**
---
###### 5. Bypass 2FA by Navigating Directly
Instead of providing the 2FA code:
- Manually change the URL in the browser to:
```
/my-account
```
Or send the following request via **Burp Repeater**, after capturing the session:
```http
GET /my-account HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=CARLOS_SESSION
```
✅ If the lab is vulnerable, you will be logged in as **Carlos** without passing 2FA.
Once the page loads, the lab is marked **Solved**.
![[CleanShot 2025-05-07 at 12.23.45.png]]
---
##### Why It Works
- The application sets a valid session **after only verifying the username and password**
- The 2FA verification **is enforced only in the browser flow**, not at the **server-side route level**
- By navigating directly to a protected URL, the server fails to check if 2FA was completed
---
##### Real-World Parallels
- Broken 2FA implementations in custom-built apps or poorly integrated plugins
- APIs or mobile apps that authenticate via token after login, skipping 2FA checks
- Admin panels that enforce 2FA only in the frontend, not backend API calls