PortSwigger Labs: 2FA Broken Logic


The PortSwigger WebSecurity Academy

The PortSwigger WebSecurity Academy is a great way to learn more about web security, but not too surprisingly it is also intended as a showcase for Burp Suite.

However, you can of course use ZAP instead of Burp, and in this series of ZAP blog posts I will show you how.

The second lab has the tag PRACTITIONER and you can find it here. I want to show you how to solve this lab using ZAP and specifically the Fuzzer tool.

Lab Instructions

This lab’s two-factor authentication is vulnerable due to its flawed logic. To solve the lab, access Carlos’ account page.

  • Your credentials: wiener:peter
  • Victim’s username: carlos

You also have access to the email server to receive your 2FA verification code.

Manual Testing

After logging into our account and entering the verification code, we look closely at the POST /login2 request and can see that the verify parameter is used to determine which user’s account is being accessed.

Login Requests

If we try to log in to this account multiple times, we see that the verification code is always a 4-digit number.

Log out from your account.

Attacking with ZAP

  1. First we need to resend the GET:login2 request to force the system to generate a verification code for Carlos. Sites -> GET:login2 -> right click -> Open/Resend with Request Editor…
  2. Change “verify” to “carlos” and click Send. (Screenshot: Verify Carlos)
  3. We need to resend POST:login2()(mfa-code) with a different value for “verify”. Sites -> Right Click -> Open/Resend with Request Editor…
  4. Change “verify” to “carlos” and click Send. (Screenshot: Verify Carlos MFA)
  5. Now we need to send POST:login2()(mfa-code) to the Fuzzer. Sites -> Right Click -> Attack -> Fuzz…
  6. Highlight the value of mfa-code.
  7. Now we need to add the payloads: Add -> Add -> select Type: Numberzz and add these values. (Screenshot: Select Numberzz)
  8. Click Add.
  9. Now we need to expand our payloads to be 4 digits: select the first row in the Payloads window and click Processors… -> Add and add these values. (Screenshot: Add Expand Processor)
  10. Click Add.
  11. Click “Start Fuzzer”.

We are looking for a different HTTP status code. In this example, it’s 302.

Fuzz Results

If we open the response from this request we can see that we solved the lab; in this example, the mfa-code is 1056.

MFA code
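To show where the lab’s logic breaks and what the fix looks like, here is an added, self-contained Python model (my own illustration, not the lab’s or ZAP’s code): the flawed flow takes the account from the client-supplied verify value, while the hardened flow binds it to the server-side session set at the password step. The in-memory stores, the 3-guess limit and the status codes other than the lab’s 302 are assumptions.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the lab server (assumed; the real
# implementation is not shown). Only wiener's password is known to us.
ACCOUNTS = {"wiener": "peter"}
PENDING_CODES = {}   # username -> 4-digit code awaiting verification
MAX_ATTEMPTS = 3     # assumed guess limit per issued code in the hardened flow

def issue_code(username):
    code = f"{secrets.randbelow(10000):04d}"  # 4-digit code, as observed in the lab
    PENDING_CODES[username] = code
    return code

# Flawed flow, modelling what the post observes: the account whose code is
# generated and checked is whatever the client puts in "verify".
def flawed_login2_get(params):
    return issue_code(params["verify"])

def flawed_login2_post(params):
    user = params["verify"]
    if PENDING_CODES.get(user) == params.get("mfa-code"):
        return {"status": 302, "logged_in_as": user}
    return {"status": 200, "logged_in_as": None}

# Hardened flow: the account comes from the session set at the password step,
# "verify" is ignored, the comparison is constant-time and guesses are capped.
def password_step(session, username, password):
    if ACCOUNTS.get(username) == password:
        session.update(pending_user=username, mfa_attempts=0)
        return True
    return False

def hardened_login2_get(session):
    user = session.get("pending_user")
    return issue_code(user) if user else None

def hardened_login2_post(session, params):
    user = session.get("pending_user")
    if not user or session["mfa_attempts"] >= MAX_ATTEMPTS:
        return {"status": 401, "logged_in_as": None}
    session["mfa_attempts"] += 1
    expected = PENDING_CODES.get(user, "")
    supplied = str(params.get("mfa-code", ""))
    if expected and hmac.compare_digest(expected.encode(), supplied.encode()):
        PENDING_CODES.pop(user)
        session.pop("pending_user")
        session["user"] = user
        return {"status": 302, "logged_in_as": user}
    if session["mfa_attempts"] >= MAX_ATTEMPTS:
        PENDING_CODES.pop(user, None)  # too many guesses: code is void, restart login
    return {"status": 401, "logged_in_as": None}
```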

ZAP rocks! 🤘