AppSecExplained

Index < START HERE
- My courses
- How to get started from zero
📽️Live Stream Content
- Resource of the week
Discovery / Recon
- Methodology
- Content discovery / recon
Common vulns
Bypassing controls
- Rate limiting
- WAF Bypasses
Scripts
- Docker-compose.yml files
  - Wordpress
  - SQLi testing labs
- PHP scripts
  - RCE Function Check
- Wordlists
  - Single characters
  - SQLi
Code review
- Getting started
- Sinks
Links worth your time

Powered by GitBook

On this page

Common vulns
Authentication

Attacking MFA

PreviousAttacking password-based authentication NextAuthentication lab setup & writeups

Last updated 2 years ago

Was this helpful?

CtrlK

What is it?
Checklist

Was this helpful?

What is it?

Multi-Factor Authentication (MFA) is a method of confirming a user's identity by using multiple pieces of evidence (factors), typically something they know (like a password), something they have (like a physical token or a mobile device), and something they are (like biometric data).

A simple example

A web application requests a password (first factor - something the user knows), then a one-time password sent to a mobile device (second factor - something the user has). An attacker could attempt to bypass MFA by stealing both the user's password and the OTP, or by exploiting vulnerabilities in the MFA implementation.

Common MFA bypass techniques can include:

Phishing attacks to collect both factors
Exploiting insecure backup/recovery methods
Man-in-the-middle attacks
Exploiting implementation weaknesses

Other learning resources:

OWASP: https://owasp.org/www-community/controls/Multi-Factor_Authentication
Duo Security: https://duo.com/docs/duosec-v1
Google Authenticator: https://github.com/google/google-authenticator

Checklist

Understand the MFA implementation
- What factors are used?
- What backup/recovery methods exist?
- Is there a fall-back option to less secure methods?
Go through the MFA processes
- Initial enrollment process
- Login process with MFA
- Recovery/Backup process
Are there any implementation weaknesses?
- Does the application allow "remember me" functionality?
- Can OTPs be predicted or intercepted?
- Are session tokens securely handled?
Can we bypass MFA?
- Can we bruteforce the token?
- Exploiting insecure backup/recovery methods
- Can a new device be added without proper verification?
Are there any backdoors?
- Is there an alternative login flow that bypasses MFA?
- Is there a less secure service that doesn't require MFA but grants similar access?
- Are there any APIs or resources that do not enforce MFA?

Deactivation process

Is there a secure lockout mechanism after multiple failed attempts?

Is there any notification on registration of a new device?

Can the notification be suppressed?