➡Missing 2FA code integrity validation: a code issued for any user account can be used #2FA_Bypass #bugbounty
POST /2fa/
Host: vuln.com
...
email=attacker@gmail.com&code=382923
Try changing the email to the victim's email here while keeping the code the same.
➡No CSRF protection on disabling 2FA, and no authentication confirmation is required either. #2FA_Bypass #bugbounty
➡2FA gets disabled on password change/email change.
➡Clickjacking on the 2FA disabling page: the page can be iframed and the victim lured into disabling 2FA.
➡Enabling 2FA doesn't expire previously active sessions, which matters if a session is already hijacked and there is a session timeout vuln.
➡2FA code reusability: the same code can be reused.
➡Enter code 000000 :-> #bugbounty
. . .
POST /2fa/
Host: vuln.com
. . .
code=000000
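A server-side verifier that closes the 2FA flaws listed above (the account comes from the pending login session rather than a client-supplied email, every code is single-use, malformed or empty input is rejected, and guesses per session are capped), as an added example that is not part of the original tips; the user names, secrets and session shape are constructed for illustration.

```python
import hmac
import hashlib
import struct
import time


class TwoFactorVerifier:
    """Server-side OTP check that binds the code to the logged-in account,
    makes every code single-use and caps guesses per pending session."""

    def __init__(self, secrets_by_user, max_attempts=5):
        self._secrets = secrets_by_user   # user -> raw TOTP secret bytes (constructed)
        self._used = set()                # (user, time_step) pairs already consumed
        self._attempts = {}               # pending session id -> failed attempts
        self._max = max_attempts

    @staticmethod
    def totp(secret, step, digits=6):
        """RFC 6238 code for one 30-second time step (HMAC-SHA1)."""
        mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
        off = mac[-1] & 0x0F
        num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
        return f"{num % 10 ** digits:0{digits}d}"

    def verify(self, session, code, now=None):
        """session is the server-side pending-2FA record ({'id': ..., 'user': ...});
        the account is taken from it, never from a client-supplied email."""
        sid, user = session["id"], session["user"]
        if self._attempts.get(sid, 0) >= self._max:
            return False                  # locked out: stops brute force of the 6-digit space
        step = int((time.time() if now is None else now) // 30)
        matched = None
        # Reject empty or malformed input before comparing anything.
        if isinstance(code, str) and len(code) == 6 and code.isascii() and code.isdigit():
            for s in (step - 1, step, step + 1):      # allow one step of clock skew
                expected = self.totp(self._secrets[user], s)
                if hmac.compare_digest(expected, code) and (user, s) not in self._used:
                    matched = s
                    break
        if matched is None:
            self._attempts[sid] = self._attempts.get(sid, 0) + 1
            return False
        self._used.add((user, matched))   # a consumed code cannot be replayed
        return True
```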
🏹Use The Whole IP Range For Testing SSRF (198.0.0.1-255) #bugbounty
🏹Obfuscate Strings In URL Encode or Case Transformation (Blocked Words Bypass)
🏹Use Registered Domain Names That Resolve To 127.0.0.1
➡Change a single character of the token
➡Send an empty value for the token
➡Replace the token with another value of the same length
➡Change the request method (POST / GET)
➡Remove the token from the request
➡Use another user's valid token
➡Try to decrypt or decode the token hash
➡Try changing the request method, for example POST to GET
➡Try removing the value of the captcha parameter
➡Try reusing an old captcha token
➡Convert JSON data to normal request parameters
➡Using "X-Original-URL" header
➡Appending %2e after the first slash
➡Try adding a dot (.), slash (/) or semicolon (;) in the URL
➡Add "..;/" after the directory name
➡Try uppercasing letters in the URL path