loading...
Cover image for Day-5: A day off but...

Day-5: A day off but...

fenilshah16 profile image FENIL SHAH ・1 min read

Day-5: Sunday...Hmmm! Today I did nothing In research but I read Two Medium blogs/Write-Ups one on ATO (Account Takeover) and one on Bypassing 2FA (2 Factor Authentication). And gave the rest of my time to family. Also realized Family talks actually makes your stress/Confusion low!😛

Lessons learned:

ATO by Avanish Pathak:

  • Changing value in Email Parameter in response request can lead to ATO!
  • The company was asking for OTP for login, what he did was: Put in the write email and code and then,
    • Capture the request in Burp ==> Response request ==> Change the Email in Email Parameter to victim's email with correct OTP code ==> BOOM!
  • For more In detail Information check out his blog! Link in Resource down there!

2FA bypass by Seqrity:

  • Subdomain enumeration helps alot! It opens a whole lot of opportunities to attack the target!
  • If the main domain is asking for 2FA Don't forget to check out that other domains are?, You can change the Host Header and can bypass 2FA!
  • For more In detail Information check out his blog! Link in Resource down there!

PS: Happy Father's Day to all Fathers out there!❤️


Resources:

ATO WriteUp by Avanish Pathak: https://medium.com/@avanishpathak46/an-interesting-account-takeover-vulnerability-f5bf6a89152c
2FA bypass by Seqrity:
https://medium.com/@seqrity/bypass-2fa-like-a-boss-378787707ba

Contact:

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)

Posted on by:

fenilshah16 profile

FENIL SHAH

@fenilshah16

Hello devzzz, My name is Fenil Shah(18), I'm a security enthusiast as well as a Mozillian. I break into websites in my free time!

Discussion

markdown guide