3. Lack of Brute-Force Protection:
-----------------
📌Type the 2FA code and capture the request using Burp Suite.
📌Send the request to Intruder and replay it 100–200 times.
📌At the 2FA code verification page, try to brute-force a valid 2FA code and see if any attempt succeeds.
4. Missing 2FA Code Integrity Validation:
-------------------
📌Request a 2FA code from the attacker's account.
📌Use this valid 2FA code in the victim's 2FA request and see if it bypasses the 2FA protection.
5. 2FA Referer Check Bypass:
----------------
📌Navigate to the page that comes after 2FA, or any other authenticated page of the application.
📌If there is no success, change the Referer header to the 2FA page URL.
6. Enabling 2FA Doesn’t Expire Previous Session:
-------------------
In this scenario, if an attacker hijacks an active session before 2FA is enabled, they can carry out all functions without ever passing 2FA.
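The server-side checks that close points 3, 4 and 6 above, as an added example that is not code from the original thread: one pending code per account so a code issued to another account never matches, an attempt cap and expiry on that code, and revocation of every other session when 2FA is enabled. The policy values (5 attempts, 5 minutes) are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # constructed policy: lock the code after 5 wrong guesses
CODE_TTL_SECONDS = 300    # constructed policy: a code is valid for 5 minutes


class TwoFactorVerifier:
    """Server-side 2FA state: one pending code per account, attempt-limited,
    time-limited, and checked only against the account it was issued for."""

    def __init__(self, now=time.time, randbelow=secrets.randbelow):
        self._now = now                  # injectable clock (for tests)
        self._randbelow = randbelow      # injectable RNG (for tests)
        self._pending = {}               # user_id -> {"code", "issued_at", "attempts"}
        self.sessions = {}               # session_id -> user_id

    def issue_code(self, user_id):
        code = f"{self._randbelow(10 ** 6):06d}"
        self._pending[user_id] = {"code": code, "issued_at": self._now(), "attempts": 0}
        return code

    def verify(self, user_id, submitted):
        """Return (accepted, reason). The lookup is keyed by the account that is
        logging in, so a code issued to a different account can never match."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False, "no_pending_code"
        if self._now() - entry["issued_at"] > CODE_TTL_SECONDS:
            del self._pending[user_id]
            return False, "expired"
        if entry["attempts"] >= MAX_ATTEMPTS:
            return False, "locked"       # brute-force cap: a fresh code is required
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"], submitted):
            del self._pending[user_id]   # single use
            return True, "ok"
        return False, "wrong_code"

    def enable_2fa(self, user_id, current_session):
        """Revoke every other session of the account when 2FA is turned on, so a
        session hijacked before enrolment cannot keep skipping the second factor."""
        for sid, uid in list(self.sessions.items()):
            if uid == user_id and sid != current_session:
                del self.sessions[sid]
        return sorted(sid for sid, uid in self.sessions.items() if uid == user_id)
```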
11. CSRF on 2FA Disable Feature:
---------------
📌 Navigate to the 2FA page, click "Disable 2FA", capture this request with Burp Suite and generate a CSRF PoC.
📌 Send this PoC to the victim and check whether the CSRF succeeds and removes 2FA from the victim's account.