In this article, we are telling you about how to bypass website two factor authentication, you must also have heard about website two factor authentication at some time.
How all this is done, how hackers bypass the limit of website two factor authentication in a website, it is being told by doing practical here, here we are telling you everything on the lab of portswigger.
All this is being told to you for educational purpose, you should never use it wrongly. We are also telling you here on which kind of websites the limit of two factor authentication can be bypassed.
Note – This article is only for educational purpose. Don’t miss use your knowledge and skills.
What kind of website can be bypassed two factor authentication ?
Before going about the two factor authentication, how to bypass website, you should know that on which kind of websites we can do this attack only then you can try this attack
As we all understand this very well, over time all the things are secured, in such a way there are some such websites whose two factor authentication can be bypassed.
Let us try to understand you by this example as if you have got the admin panel of a website and also you have got the username and password.
Hack social media passwords via data breaches
But on login, you are asked otp, in such a way, if you give wrong otp then you are told wrong and here the limit is also set to try otp twice from one ip address, after that the account is logout.
But if we can bypass the limit of a website with the help of burp suite, then we can say that we have found a bug to bypass the website two factor authentication.
When you fully read our How to bypass Website Two factor authentication article and solve the lab, then you yourself understand how this attack is done.
Also Read
What is access control vulnerabilities
Information disclosure vulnerability
What is business logic flaw vulnerability
How to bypass Website Two factor authentication ?
Let us now tell you how the website two factor authentication is bypassed, we are telling you all by solving a lab on the port swigger website.
Here first of all we have to access lab like you have been told in all the articles how to access any labs here you also get lab by simple bypass lab in this website.
After accessing lab, the page is open in front of you in this way, here you have to login, you get login information in the lab itself as you can see in the image.
How to get phone information using send sms
After login here, you are asked for otp, here it happens in any real website as well, as we know otp is asked everywhere, here if we give wrong otp twice, then logout from the account is done
To do all this practical we have to first create a rule in the burp suite as you can see in the image, in this way you get the option to create a rule here.
After doing all this, you have to click on include all urls, here all the url addresses are shown which we have visited after running the burp suite, this has been told to you in all the articles before.
After doing all this, you have to add the rule as you can see in the image, in this way you can create the rule and use it to bypass any website two factor authentication.
Here after doing all this process, the macro recorder will be open in front of you, it shows you all urls, you have to find the login url there as you can see in the image above.
After selecting urls in this way, you have to click on test macro, here you do not get confused in any way, you are getting three shows and we have used 4 url for macro test.
After doing the macro test, you have to click on OK, after doing all this, we have to use the payload, here it may also be that you may find it a bit difficult but as you use it, you will find it all easy.
After the macro test, something gets opened in front of you in this way, if you have even got the process done properly, in this way you can also get macro 1 by adding it here.
After doing all this you get the url in http history where we have given wrong otp as you can see in the image here wrong otp is also showing you
We have to send the same url to the intruder as we send some request to the repeater, similarly we have to send this rul to the intruder as you can see in the image.
When the intruder has a request send, you have to show something like this, here we have to select payload like logout is given on giving otp twice, from here we can try otp as many times and also logout does not happen.
After doing all this, you have to do some settings for payload, like you have to give threads, how many requests should be sent at once, as well if you want to do other settings, you can do according to your requirement.
After doing some basic settings, you have to make settings in the payload option like what kind of payload you want to use, here we want numbers, in such a way we are using numbers as you can see in the image.
After doing all this, you have to start a start attack, by doing this, you start trying otp on your target. It may take any time here, as if we have tried all the numbers here, in such a number only works.
Something like this is attacked on some kind of live website here the bug is that we have bypassed the limit to try otp, now here we can try otp as many times as we want, in this way Website Two factor authentication is bypassed
The Conclusion
I hope that you have come to know about the website two factor authentication, we have told you here by solving a lab of website two factor authentication.
Here we have skip this lab because it takes a lot of time to try otp but we have told you the whole process of solving this lab, so you can wait, you will get otp
In the same way, you can solve other labs of Website Two factor authentication, here if you can solve this lab of Website Two factor authentication, you can easily solve labs like simple bypass.
Here you get more labs of authentication, which you can improve your skills by solving, if you have problems in solving website two factor authentication or any kind of lab, you can ask in the comments.
If you like our article with website two factor authentication, then you must share it, as well as you can also tell on which topic you want articles.
Subscribe to our blog for latest updates
Sharing is Caring
Thankyou
Leave a Reply