This write-up demonstrates a real-world scenario where a flawed implementation of two-factor authentication (2FA) allows an attacker to **fully compromise another user’s account** — without needing their password, session, or interaction. The case stems from a **logic flaw** in how the server links 2FA verification codes to users. Instead of securing 2FA tokens to the authenticated session, the application blindly trusts a `verify` parameter in the URL. --- #### Lab Setup - Attacker credentials: `wiener:peter` - Victim username: `carlos` - The attacker has access to an email inbox that receives Carlos's 2FA code. --- #### Goal Access Carlos’s account page by exploiting the broken 2FA logic. --- #### Step 1: Log In with Your Own Account Start Burp Suite. Log in using your credentials: ``` POST /login username=wiener&password=peter ``` You’ll be prompted to complete a 2FA step. Observe the follow-up request: ``` GET /login2?verify=wiener ``` This generates the 2FA token — the `verify` parameter indicates which user the token is for. **This is the core of the vulnerability**. --- #### Step 2: Generate a 2FA Code for the Victim Send the following request in **Burp Repeater**: ``` GET /login2?verify=carlos ``` This triggers the backend to generate a 2FA token for **Carlos**, and sends it to his email address. You, as the attacker, have access to it. ![[CleanShot 2025-07-14 at 22.39.01.png]] --- #### Step 3: Re-authenticate as Yourself and Trigger 2FA In a browser or via Burp: 1. Login again as `wiener:peter` 2. When prompted for the 2FA code, submit an **invalid** one (e.g., `000000`) This causes a 2FA failure but retains the session state needed to proceed with `/login2`. --- #### Step 4: Brute-force Carlos's 2FA Token Send a request to: ``` POST /login2 Content-Type: application/x-www-form-urlencoded mfa-code=XXXXX ``` Use **Burp Intruder**: - Set payload on `mfa-code` - Brute-force from `000000` to `999999` - Monitor responses for **HTTP 302** (success) ![[CleanShot 2025-07-14 at 22.43.51.png]] This indicates the correct token has been found, and you're now authenticated **as Carlos**. ![[CleanShot 2025-07-14 at 22.41.21.png]] ![[CleanShot 2025-07-14 at 22.43.25.png]] --- #### Step 5: Complete the Attack Copy the successful request or cookie into your browser. Navigate to `/my-account`. Carlos's account page is displayed. Lab is solved.