OpenSkillIndex← back to search

Hacktricks-skills 2fa-bypass-testing

Security testing skill for auditing 2FA/MFA/OTP implementations. Use this skill whenever you need to test two-factor authentication security, audit MFA implementations, check for OTP bypass vulnerabilities, or perform authorized penetration testing on authentication systems. This skill covers direct endpoint access, token manipulation, session hijacking, rate limiting analysis, and other 2FA bypass techniques for security assessments. Make sure to use this skill when the user mentions 2FA testing, MFA security, OTP vulnerabilities, authentication bypass, or any security assessment involving multi-factor authentication.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/2fa-bypass/SKILL.MD
source content

2FA/MFA/OTP Security Testing

A comprehensive skill for authorized security testing of two-factor authentication implementations.

⚠️ Authorization Required

This skill is for authorized security testing only. Ensure you have:

  • Written permission from the system owner
  • A valid scope of work
  • Legal authorization for penetration testing

Overview

This skill provides systematic approaches to test 2FA/MFA/OTP implementations for common vulnerabilities. Use these techniques to identify weaknesses in authentication systems during authorized security assessments.

Testing Categories

1. Direct Endpoint Access

What to test: Can you bypass 2FA by accessing protected endpoints directly?

Techniques:

  • Access the endpoint that comes after 2FA verification directly
  • Modify the Referrer header to mimic navigation from the 2FA page
  • Check if the application validates the 2FA completion state

Example:

GET /dashboard HTTP/1.1
Host: target.com
Cookie: session=...
Referer: https://target.com/2fa-verify

2. Token Manipulation

What to test: Can tokens be reused, extracted, or exploited?

Techniques:

  • Reuse previously valid authentication tokens
  • Extract tokens from your own account and test on another account
  • Check if tokens are exposed in API responses
  • Look for token validation weaknesses

3. Session Management

What to test: How does the application handle sessions around 2FA?

Techniques:

  • Create sessions for multiple accounts
  • Complete 2FA on one account, then attempt to access another
  • Test if session state is properly isolated between users
  • Check for session fixation vulnerabilities

4. Verification Link Exploitation

What to test: Can email verification links bypass 2FA?

Techniques:

  • Use account creation verification links to access profiles
  • Check if verification links grant full access without 2FA
  • Test link expiration and reuse behavior

5. Password Reset Mechanisms

What to test: Does password reset bypass 2FA?

Techniques:

  • Reset password and check if login requires 2FA
  • Test if reset links can be used multiple times
  • Verify if new credentials bypass 2FA requirements
  • Check for race conditions during password reset

6. OAuth Integration

What to test: Can OAuth flows bypass 2FA?

Techniques:

  • Check if OAuth login requires 2FA
  • Test OAuth token reuse across sessions
  • Verify OAuth state parameter handling
  • Test trusted OAuth platform compromise scenarios

7. Rate Limiting Analysis

What to test: Are rate limits properly implemented?

Techniques:

  • Attempt multiple OTP verifications
  • Check for rate limit headers in responses
  • Test if rate limits apply to all endpoints
  • Look for client-side vs server-side rate limiting
  • Important: Check if response differs when valid OTP is sent vs invalid (e.g., 200 vs 401)

8. Brute Force Testing

What to test: Can OTP codes be brute-forced?

Techniques:

  • Test OTP length and character set
  • Check for rate limiting on OTP attempts
  • Test slow brute force attacks (if flow rate limits exist)
  • Verify if code resend resets rate limits
  • Test for infinite OTP regeneration with simple codes

9. Race Conditions

What to test: Can timing attacks bypass 2FA?

Techniques:

  • Send multiple requests simultaneously
  • Test concurrent OTP verification attempts
  • Check for timing-based vulnerabilities in session creation

10. CSRF/Clickjacking

What to test: Can 2FA be disabled via CSRF?

Techniques:

  • Attempt to disable 2FA via CSRF attacks
  • Test clickjacking on 2FA settings pages
  • Verify CSRF token implementation

11. "Remember Me" Features

What to test: Can "remember me" bypass 2FA?

Techniques:

  • Test predictable cookie values
  • Check if "remember me" bypasses 2FA on subsequent logins
  • Verify cookie security settings (HttpOnly, Secure, SameSite)
  • Test IP address impersonation via X-Forwarded-For header

12. Legacy Versions

What to test: Are older versions vulnerable?

Techniques:

  • Test subdomains for outdated implementations
  • Check API version endpoints (/v1/, /v2/, etc.)
  • Verify all versions have proper 2FA enforcement
  • Look for deprecated authentication flows

13. Backup Codes

What to test: Are backup codes properly secured?

Techniques:

  • Check if backup codes are generated immediately upon 2FA activation
  • Test for backup code exposure via CORS/XSS
  • Verify backup code validation and expiration
  • Check for unauthorized backup code retrieval

14. Information Disclosure

What to test: Does the 2FA page leak information?

Techniques:

  • Check for phone number disclosure on 2FA page
  • Test for account existence disclosure
  • Verify error message consistency (don't reveal if account exists)
  • Look for sensitive data in responses

15. OTP Construction Errors

What to test: Is OTP generation predictable?

Techniques:

  • Analyze OTP generation algorithm
  • Check if OTP uses predictable data (timestamps, user data)
  • Test for weak random number generation
  • Verify if user can reconstruct OTP from available data

16. Decoy Requests

What to test: Can you obfuscate brute force attempts?

Techniques:

  • Craft decoy requests to mislead rate limiting
  • Understand application's rate limiting behavior
  • Test if decoy requests affect rate limit counters

Testing Workflow

Phase 1: Reconnaissance

  1. Map all authentication endpoints
  2. Identify 2FA implementation type (SMS, TOTP, email, etc.)
  3. Document session handling and cookie structure
  4. Identify all authentication flows (login, OAuth, password reset)

Phase 2: Initial Testing

  1. Test direct endpoint access
  2. Check token handling and exposure
  3. Verify session management
  4. Test verification link behavior

Phase 3: Advanced Testing

  1. Test rate limiting thoroughly
  2. Attempt controlled brute force (with authorization)
  3. Check for race conditions
  4. Test CSRF on 2FA settings
  5. Analyze "remember me" functionality

Phase 4: Documentation

  1. Record all findings with evidence
  2. Document reproduction steps
  3. Provide remediation recommendations
  4. Assess risk level for each finding

Common Tools

  • Burp Suite - Request manipulation and automation
  • Custom scripts - Automated testing for rate limits, brute force
  • Session management tools - Cookie manipulation and analysis
  • Timing analysis tools - Race condition detection

Reporting Findings

When documenting 2FA bypass vulnerabilities:

  1. Title: Clear description of the bypass method
  2. Severity: Based on impact (Critical/High/Medium/Low)
  3. Description: How the bypass works
  4. Steps to Reproduce: Detailed reproduction steps
  5. Evidence: Screenshots, request/response logs
  6. Impact: What an attacker could achieve
  7. Remediation: Specific recommendations to fix

References

Legal Disclaimer

This skill is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing any system. This skill should only be used by security professionals conducting authorized penetration tests or security assessments.