Bypass 2FA/OTP

 Bypassing two-factor authentication:-

  • 2FA, just try to access the next endpoint directly.
  • Maybe you can reuse an already used token inside the account to authenticate.
  • Is the token leaked on a response from the web application?
  • Using the same session start the flow using your account and the victims account.
  • Check if a **mail **is sent with a **link **to reset the password and if you can reuse that **link **to reset the password as many times as you want.
  • If you can generate a new OTP infinite times, the** OTP is simple enough** (4 numbers), and you can try up to 4 or 5 tokens per generated OTP, you can just try the same 4 or 5 tokens every time and generate OTPs until it matches the ones you are using.

Password-Reset == disable 2fa:-
  • Create an Account and Turn On 2FA.
  • Logout from that account.
  • Now, Go to forget Password-Reset page.
  • Change your password.
  • Now try to log in.
  • If you are not asked to enter a 2FA code, You can report.



Comments

Post a Comment

Popular posts from this blog

How to decrypt message with CryptoJS AES

  Javascript code to decrypt message using crypto js : - data = " IYkyGxYaNgHpnZWgwILMalVFmLWFgTCHCZL9263NOcfSo5lBjAzOZAtF5bF++R0Bi+9c9E+p3VEr/xvj4oABtRWVJ2wlWzLbYC2rKFk5iapFhb7uZCUpO4w4Su3a5QFa2vInjYueziRoqySZd/DpstMJ8rsJ94VGizFFFZ1l0sw1ax+wfBA v5+wHs/hlnHi/ea66KBO3rgXKahvV28h+4bh5etc8RCrmiiNbfg6Oj0jQJDjdYIdW8T9YPOI9E1hih8lbfRnMWcOFJgYekfLpoy5LI525UGnlM46J1k6ekLqsn9FqvbiOOoLgqa4YqBm1i9P0ePyjkME+t+RiL8xXX+ItgOYr9G7kM64wlTJPCW8B/crmUdmGzQNC/hD/u/8wfHBS2f8u6OtQMG/+Kpk1oju8lcUZGI/4S8A6/OuktvQr2zgnbs2aADMrM37Oait/pJ3G73S7NwVT8EaK+X43c0C/fUvW2/bD/rqCNpAh9WQlz4Cj6JHwjbmwuind6aCimF1tHjXuR9FXu+g17sPT4ZkKZ6aeBG+m170XdCGn2hVM0wH1rh3VeCG2u/JFqfuGKGSoqeHeNY/icu9pEhtZDzHd7aPoaMXcWvXC9PjooBf7GM1EPacSdnon1kBobjtKSt1l15DjO5TMrJoX7VO7GotQwo+uI/u5Kop01hBXxyxyggl1/8N0ESohPJoqLDrIwvbGK5kW4B49FVPnx9CMvjZDdSsoxPAh+hx6SPe8Hj0Nx4bRs06cbtOkte/V8QSYIqjiJDleEqPrdiKlvgToZz9L29ZR/3Ln65qU1sq7q9c0SEYxIopV7TdTjFS7y76zDPFZkhzc3DjfLtJo/M1hdtt648APcZdmAIgWH6fh3eJZ0qbiPh8RStYH7I2COmnlMw4+t/B5mlhYVSgwPK2Ir736Mh+P9Bw...
Read more

libcurl (curl-impersonate) bindings for Node.js

  Description  :-   libcurl is a free and easy-to-use client-side URL transfer library, supporting DICT, FILE, FTP, FTPS, Gopher, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, Telnet and TFTP. libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more! Note:- This library cannot be used in a browser, it depends on native code. Installation :- npm i node-libcurl --save Or yarn add node-libcurl Further description :- https://github.com/SwapnilSoni1999/node-libcurl-impersonate
Read more

How to take screenshot on windows

  The Windows key + Print Screen:- To take a screenshot on Windows 10 and automatically save the file, press  the Windows key + PrtScn . Your screen will go dim and a screenshot of your entire screen will save to the Screenshots folder. Alt+Print Screen:- To capture only the active window you're working in, press Alt + PrtScn. Using Snipping Tool:- just press the Windows Key + Shift + S.
Read more