Day-5: A day off but...

th3lazykid

FENIL SHAH

Posted on June 21, 2020

Day-5: A day off but...

Day-5: Sunday...Hmmm! Today I did nothing In research but I read Two Medium blogs/Write-Ups one on ATO (Account Takeover) and one on Bypassing 2FA (2 Factor Authentication). And gave the rest of my time to family. Also realized Family talks actually makes your stress/Confusion low!😛

Lessons learned:

ATO by Avanish Pathak:

  • Changing value in Email Parameter in response request can lead to ATO!
  • The company was asking for OTP for login, what he did was: Put in the write email and code and then,
    • Capture the request in Burp ==> Response request ==> Change the Email in Email Parameter to victim's email with correct OTP code ==> BOOM!
  • For more In detail Information check out his blog! Link in Resource down there!

2FA bypass by Seqrity:

  • Subdomain enumeration helps alot! It opens a whole lot of opportunities to attack the target!
  • If the main domain is asking for 2FA Don't forget to check out that other domains are?, You can change the Host Header and can bypass 2FA!
  • For more In detail Information check out his blog! Link in Resource down there!

PS: Happy Father's Day to all Fathers out there!❤️


Resources:

ATO WriteUp by Avanish Pathak: https://medium.com/@avanishpathak46/an-interesting-account-takeover-vulnerability-f5bf6a89152c
2FA bypass by Seqrity:
https://medium.com/@seqrity/bypass-2fa-like-a-boss-378787707ba

Contact:

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)

💖 💪 🙅 🚩
th3lazykid
FENIL SHAH

Posted on June 21, 2020

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

Day-11: Read Info-sec Write-Ups!
cybersecurity Day-11: Read Info-sec Write-Ups!

June 27, 2020

Day-5: A day off but...
cybersecurity Day-5: A day off but...

June 21, 2020

Day-3: Bypassing the SOP!💣
cybersecurity Day-3: Bypassing the SOP!💣

June 19, 2020