This write-up demonstrates a real-world scenario where a flawed implementation of two-factor authentication (2FA) allows an attacker to **fully compromise another user’s account** — without needing their password, session, or interaction.
The case stems from a **logic flaw** in how the server links 2FA verification codes to users. Instead of securing 2FA tokens to the authenticated session, the application blindly trusts a `verify` parameter in the URL.
---
#### Lab Setup
- Attacker credentials:
`wiener:peter`
- Victim username:
`carlos`
- The attacker has access to an email inbox that receives Carlos's 2FA code.
---
#### Goal
Access Carlos’s account page by exploiting the broken 2FA logic.
---
#### Step 1: Log In with Your Own Account
Start Burp Suite. Log in using your credentials:
```
POST /login
username=wiener&password=peter
```
You’ll be prompted to complete a 2FA step.
Observe the follow-up request:
```
GET /login2?verify=wiener
```
This generates the 2FA token — the `verify` parameter indicates which user the token is for. **This is the core of the vulnerability**.
---
#### Step 2: Generate a 2FA Code for the Victim
Send the following request in **Burp Repeater**:
```
GET /login2?verify=carlos
```
This triggers the backend to generate a 2FA token for **Carlos**, and sends it to his email address. You, as the attacker, have access to it.
![[CleanShot 2025-07-14 at 22.39.01.png]]
---
#### Step 3: Re-authenticate as Yourself and Trigger 2FA
In a browser or via Burp:
1. Login again as `wiener:peter`
2. When prompted for the 2FA code, submit an **invalid** one (e.g., `000000`)
This causes a 2FA failure but retains the session state needed to proceed with `/login2`.
---
#### Step 4: Brute-force Carlos's 2FA Token
Send a request to:
```
POST /login2
Content-Type: application/x-www-form-urlencoded
mfa-code=XXXXX
```
Use **Burp Intruder**:
- Set payload on `mfa-code`
- Brute-force from `000000` to `999999`
- Monitor responses for **HTTP 302** (success)
![[CleanShot 2025-07-14 at 22.43.51.png]]
This indicates the correct token has been found, and you're now authenticated **as Carlos**.
![[CleanShot 2025-07-14 at 22.41.21.png]]
![[CleanShot 2025-07-14 at 22.43.25.png]]
---
#### Step 5: Complete the Attack
Copy the successful request or cookie into your browser.
Navigate to `/my-account`.
Carlos's account page is displayed. Lab is solved.