| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Authentication (2FA Bypass) |
| Difficulty | Apprentice |
| Objective | Access Carlos's account page |
| Note | Own credentials wiener:peter, victim credentials carlos:montoya |
2FA Simple Bypass
Logging in as wiener:peter first to understand the flow, we hit "Please enter your 4-digit security code."
Clicking the email client button shows the exploit server inbox with the 2FA code.
Entering the code gets us into the account:
My Account
Your username is: wiener
Your email is: wiener@exploit-0a9100b8048c67e381cb2424015700b3.exploit-server.net
Looking at the requests involved, there are two separate steps: /login and /login2.
```http
POST /login HTTP/2
Host: 0add000404e267a481a9253d00fa0035.web-security-academy.net
Cookie: session=eyNyF86aypqx2dQcW9u0fwKA9c5JxWJC

username=wiener&password=peter
```

```http
POST /login2 HTTP/1.1
Host: 0add000404e267a481a9253d00fa0035.web-security-academy.net

mfa-code=1594
```
So the session cookie from /login already represents a "logged in, pending 2FA" state before /login2 is ever hit. Logging in as carlos:montoya instead (the victim's known credentials, just missing the 2FA code) and intercepting the request right at the /login2 step, we change the path from /login2 to /my-account:
This returns 200 OK. Checking in the browser:
We're in Carlos's account. Simply changing the URL to /my-account right after /login (without ever submitting an MFA code) grants the account page directly.
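The root cause is that /my-account only checks for an existing session, not that 2FA was completed for it. As an added example (not code from the lab or from PortSwigger), here is a minimal Python model of the two-step flow that shows the vulnerable check beside the fixed one; the usernames, passwords and codes are constructed sample data.

```python
# Added example: models /login, /login2 and /my-account as methods on one class.
# require_mfa=False reproduces the lab's bug; require_mfa=True gates the account
# page on a per-session "2FA completed" flag that only /login2 can set.
import secrets

USERS = {"wiener": "peter", "carlos": "montoya"}  # constructed sample credentials


class LoginFlow:
    def __init__(self, require_mfa: bool):
        self.require_mfa = require_mfa  # False = vulnerable, True = fixed
        self.sessions = {}              # session cookie -> per-session state

    def login(self, username: str, password: str):
        """POST /login: checks the password and issues a session that is only
        *pending* 2FA. Returns the session cookie, or None on bad credentials."""
        if USERS.get(username) != password:
            return None
        cookie = secrets.token_urlsafe(24)
        code = f"{secrets.randbelow(10000):04d}"  # the 4-digit code that would be emailed
        self.sessions[cookie] = {"user": username, "mfa_code": code, "mfa_ok": False}
        return cookie

    def login2(self, cookie: str, mfa_code: str) -> bool:
        """POST /login2: only a correct code marks the session as fully authenticated."""
        s = self.sessions.get(cookie)
        if s is None:
            return False
        if secrets.compare_digest(s["mfa_code"], mfa_code):  # constant-time compare
            s["mfa_ok"] = True
            return True
        return False

    def my_account(self, cookie: str):
        """GET /my-account: page text for an authenticated session, else None
        (i.e. redirect to login). The fix is the second check: a session that
        never completed /login2 must not reach the account page."""
        s = self.sessions.get(cookie)
        if s is None:
            return None
        if self.require_mfa and not s["mfa_ok"]:
            return None
        return f"Your username is: {s['user']}"


def skip_mfa(require_mfa: bool):
    """Log in with the password only, skip /login2, request /my-account directly."""
    flow = LoginFlow(require_mfa)
    return flow.my_account(flow.login("carlos", "montoya"))
```

With the vulnerable setting `skip_mfa(False)` returns Carlos's page exactly as in the lab; with the fix it returns None and the client is sent back to finish 2FA.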
Lab is solved