Share this page!

Hossein NafisiAsl Profile picture
Twitter logo
Jun 6 β€’ 10 tweets β€’ 2 min read
#Secret6
8 Awesome 2FA Bypass Techniques πŸ—οΈ

#bugbountytips πŸ§΅πŸ‘‡πŸ»
1⃣ Access Next Endpoint Directly

- Just try to access the next endpoint directly
- If this doesn't work, try to change the Referrer header as if you came from the 2FA page
2⃣ Sharing Unused Code

- Check if you can get for your account a token and try to use it to bypass the 2FA in a different account.
3⃣ Leaked Code

- Is the token leaked on a response from the web application?
4⃣ Password Reset Function

- In almost all web applications the password reset function automatically logs the user into the application after the reset procedure is completed.
5⃣ Reuse 2FA Code

- Also, try requesting multiple 2FA codes and see if previously requested Codes expire or not when a new code is requested
6⃣ Brute Force

- There is any limit in the amount of codes that you can try, so you can just brute force it.
7⃣ Response Manipulation

- Change failed response to success response
- Change failed status code to success status code
8⃣ Rate Limit Bypass

- Using Similar Endpoints: /sign-up --> /Sign-up
- Blank char in params: code=1234%0a
- Change Origin IP using header
- Add extra params: /resetpwd?someparam=1
8 Awesome 2FA Bypass Techniques
By 'HackTricks'
github.com/NafisiAslH/Kno…

β€’ β€’ β€’

Missing some Tweet in this thread? You can try to force a refresh
γ€€

Keep Current with Hossein NafisiAsl

Hossein NafisiAsl Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @MeAsHacker_HNA

Hossein NafisiAsl Profile picture
May 18
#Secret4
Top 9 Tools to Automate Work with Dorks βš”οΈ

+ Top 9 Dork Collection that Every Hunter Needs πŸ—’οΈ

#bugbountytip πŸ§΅πŸ‘‡πŸ»
1/ Top 9 tools to automate work with dorks

github.com/IvanGlinkin/Fa…
github.com/rlyonheart/0xd…
github.com/TheSpeedX/SDor…
github.com/ankitdobhal/As…
github.com/opsdisk/pagodo
github.com/Smaash/snitch
github.com/BullsEye0/dork…
github.com/TebbaaX/Katana
github.com/dwisiswant0/go…
2/ Google dorks

github.com/BullsEye0/goog…
github.com/sushiwushi/bug…
github.com/rootac355/SQL-…
github.com/unexpectedBy/S…
github.com/thomasdesr/Goo…
github.com/arimogi/Google…
github.com/aleedhillon/70…
Read 12 tweets
Hossein NafisiAsl Profile picture
May 17
How I get RCE via Dependency Confusion πŸ’Ž

#bugbountytips πŸ§΅πŸ‘‡πŸ»
1/ Introduction πŸ“–

Dependency Confusion occurs when software installer script is tricked into pulling malicious code file from public repository.

How I found this bug?
2/ Recon πŸ”¦

1⃣ I started with some Shodan recon and I found a IP that belongs to TARGET.

2⃣ Using directory brute forcing tools like Dirsearch and FFUF, I found a package.json file contained all the packages which was installed in the server.
URL: /ui/package.json
Read 7 tweets
Hossein NafisiAsl Profile picture
May 16
#Secret3
6 Questions that Guarantee your Bounty 😈

#bugbountytipsπŸ‘‡πŸ»πŸ§΅
1/
 How does the app pass data?

parameter or path?
2/
 How/Where does app Talk about users?

Cookie or API Calls?

uid or username or email or uuid?
Read 8 tweets
Hossein NafisiAsl Profile picture
May 12
How We hacked Admin Panel just by JS file:
(step by step)
#bugbounty #bugbountytips

πŸ§΅πŸ‘‡πŸ»
1/ Introduction πŸ“–

Team gave mobile app and website.

We didn’t waste of time on mobile app and decided to work on website.

We just tried to find Admin Panel because main domain was just a single page to download the app.
2/ Subdomain Enumeration πŸ”Ž

After brute forcing the subdomains we found that website had a subdomain like that admin.target.com

When we visited the subdomain we just got that Login Portal
Read 8 tweets
Hossein NafisiAsl Profile picture
May 11
Have you ever get bounty by using default credentials?
Read this thread πŸ”₯

#bugbountytips
πŸ§΅πŸ‘‡πŸ»
You need to have a special word list for each vendor.

This thread has most known vendors default credentials that gathered from several sources.

Default Credentials for Apache Tomcat:
2/
Default Credentials for Cisco
Read 8 tweets
Hossein NafisiAsl Profile picture
Mar 16
#Secret2
Bug Bounty with One-Line Bash ScriptsπŸ’΅πŸ˜Ž

You can mention your favorite script. I will add them to this thread.
#BugBounty #BugBountyTip
#100BugBountySecrets
πŸ§΅πŸ‘‡πŸ»
1/ #Secret2

🎯 Hunt #XSS:
πŸ‘‰πŸ» cat targets.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @
πŸ‘‰πŸ» cat targets.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"

#BugBounty #BugBountyTip
#100BugBountySecrets
πŸ§΅πŸ‘‡πŸ»
2/ #Secret2

🎯 Hunt #SQLi:
πŸ‘‰πŸ»httpx -l targets.txt -silent -threads 1000 | xargs -I@ sh -c 'findomain -t @ -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1'

#BugBounty #BugBountyTip
#100BugBountySecrets
πŸ§΅πŸ‘‡πŸ»
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(