2FA Bypass techniques

2FA Bypass techniques

1. Response Manipulation
   — — — — — — —
   In response if “success”:false
   Change it to “success”:true
2. Status Code Manipulation
   — — — — — -
   If Status Code is 4xx
   Try to change it to 200 OK and see if it bypass restrictions
3. 2FA Code Leakage in Response
   — — — — — — — —
   Check the response of the 2FA Code Triggering Request to see if the code is leaked.
4. JS File Analysis
   — — — — — — —
   Rare but some JS Files may contain info about the 2FA Code, worth giving a shot
5. 2FA Code Reusability
   — — — — — — — —
   Same code can be reused
6. Lack of Brute-Force Protection
   — — — — — — — -
   Possible to brute-force any length 2FA Code
7. Missing 2FA Code Integrity Validation
   — — — — — — -
   Code for any user acc can be used to bypass the 2FA
8. CSRF on 2FA Disabling
   — — — — — — — -
   No CSRF Protection on disabling 2FA, also there is no auth confirmation
9. Password Reset Disable 2FA
   — — — — — — — -
   2FA gets disabled on password change/email change
10. Backup Code Abuse
    — — — — — — — -
    Bypassing 2FA by abusing the Backup code feature
    Use the above mentioned techniques to bypass Backup Code to remove/reset 2FA restrictions
11. Clickjacking on 2FA Disabling Page
    — — — — — — — —
    Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
12. Enabling 2FA doesn’t expire Previously active Sessions
    — — — — — — — -
    If the session is already hijacked and there is a session timeout vuln
13. Bypass 2FA with null or 000000
    — — — — — — — —
    Enter the code 000000 or null to bypass 2FA protection.