AppSec Tales VI | 2FA - Pentestmag

AppSec Tales VI | 2FA

AppSec Tales VI | 2FA

by Karol Mazurek


Application Security Testing of the 2FA form guidelines.

INTRODUCTION

This is the sixth article in the AppSec series which describes how to test 2FA forms to ensure a secure authentication process.
The advice in this article is based on:

  • OWASP Web Security Testing Guide
  • OWASP Application Security Verification Standard
  • NIST recommendations
  • bug bounty reports
  • own experience.

I will provide a short test sample, a potential impact or an attack scenario, and a possible solution to the problem at each point.

GUIDELINES

In most of the below examples, the attacker is able to bypass two-factor authentication.

I. FORCE BROWSING

Skip to the restricted area when asked for a 2FA code.

Source: Own study — Changing the URL to navigate to /account, when asked for 2FA.
Source: Own study — Intercepting and changing the Referrer header as if came from the 2FA page.

2FA should be checked before granting authorization to any restricted area.

II. BROKEN LOGIC

Check the integrity of the 2FA.

  • An attacker could hijack the victim’s account by using their own credentials and then changing the value of the account cookie to any arbitrary email address when submitting the verification code in the second step of the signing-in process.
Source: Own study — Changing cookie to the victim and brute-forcing 2FA code using Intruder.

The entire authorization process should be consistent.
The next steps should refer to the previously entered data.

III. BROKEN VERIFICATION CODE VALIDATION

Fuzz the code parameter value.

Source: Own study — Testing broken Verification code validation of 2FA feature (fuzzing wordlist).

The API should properly validate the verification code.

IV. SHARED VERIFICATION CODE

Use generated by the attacker 2FA code on the victim account.

Source: Own study — Testing shared verification code.

The OTP should be associated with the account for which it was generated.

V. ANOTHER USER REUSABLE VERIFICATION CODE

Reuse an attacker’s OTP on the victim's account.

Source: Own study — Testing reusable verification code.

The verification code should not be reusable and associated with a single account.

VI. STATIC & REUSABLE VERIFICATION CODE

Resend the verification code and check if it changes.

Source: Own study — Testing the static verification code.

The verification code should be random for each resend.
The old verification code should be invalidated after generating a new one.

VII. TIME-BASED VERIFICATION CODE GENERATOR

Generate verification code at the same time for the two different users.

import requests
url = "https://2FA_GENERATOR_URL"
headers = {}
victim = {"LOGIN": "victim", "PASS":"password123"}
attacker = {"LOGIN": "attacker", "PASS":"password123"}
requests.post(url, headers=headers, data=victim, verify=False)
requests.post(url, headers=headers, data=attacker, verify=False)

Verification code should be generated using a secure source of randomness, single-use, time-limited and bound to account.

VIII. BRUTE-FORCIBLE VERIFICATION CODE

Check if the verification code can be guessed.

Source: Own study — Testing brute-forcible verification code.
Source: Own study — Brute-forcing verification code using Burp Intruder.

Rate-limiting should be implemented.
The code should expire after 10 minutes.
Code should contain at least 20 bits of entropy (at least 6 random numbers).
Verification should be limited to 5 incorrect attempts per verification code.

IX. NO RATE-LIMITING — CODE GENERATION

Generate the OTP 1000 times in a short time.

  • The attacker could conduct a DoS attack on a victim’s phone or cause a financial loss to the company by generating tons of SMS.
Source: Own study — Setting up Burp Intruder for the OTP generation rate-limit test.

Restrict the consecutive requests through mechanisms like time delay, CAPTCHA, or other controls.

X. LOCKING MECHANISM BYPASS— HEADER

Use additional headers after triggering the OTP generator lock.

  • An attacker could bypass the locking mechanism on the login page.
Source: Own study — Using headers to bypass the locking mechanism.
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Forwarded-Host: 127.0.0.1

The locking mechanism should not be based on other request elements than the user account variable. Additionally, avoid using unnecessary headers.

XII. LOCKING MECHANISM BYPASS— PATH & METHODS

Use similar paths, random parameters, and methods after the lock.

  • The attacker may bypass the locking mechanism.
Source: Own study — Testing locking mechanism parameter bypass.

The locking mechanism should not be based on other variables than the user account.

XIII. LOCKING MECHANISM BYPASS— SOURCE IP ROTATION

Use a different IP address to bypass the lock.

Source: Own study — Testing locking mechanism source IP bypass (IP Rotate).

The locking mechanism should not be based only on the IP address.

XIV. DENIAL OF SESSION LIMITING MECHANISM

Check if the locking mechanism also destroys an active user session.

  • An attacker could block the victim’s account.
Source: Own study — Testing Denial of a Session limiting mechanism.

The locking mechanism should not invalidate active user sessions.

XV. DENIAL OF AUTHENTICATION LIMITING MECHANISM

Check if the locking mechanism also destroys an active user session.

  • An attacker could block the victim’s account.
Source: Own study — Testing Denial of a Session limiting mechanism.

The locking mechanism should not invalidate active user sessions.

XVI. CLIENT-SIDE VERIFICATION

Issue a wrong code and manipulate the server response.

  • The technique can be used to find new endpoints, and trigger some new requests without looking into a JS code. It is very handy when the JS code is very big and you have a little time.
Source: Own study — Intercepting response to the login request.
Source: Own study — Changing response from “403 Forbidden” to “200 OK” and forwarding it.

Ensure that client-side security checks are duplicated on the server-side.

XVII. CREDENTIALS OVER AN UNENCRYPTED CHANNEL

Check if data is transferred via HTTP or as a parameter in the URL.

  • Sensitive data may be logged by the browser, the webserver, and forward or reverse proxy servers between the two endpoints.
  • It could be also displayed on-screen, bookmarked, or emailed around by users.
  • They may be disclosed to third parties via the Referer header when any off-site links are followed.
Source: Own study — Example of sensitive data transmitted in the path and using HTTP.

Sensitive data in the URL and sent using not secure Hypertext Transfer Protocol increases the risk that it will be captured.

XVIII. VERIFICATION CODE LEAK

Check the source code of the response, cookies, and headers.

Source: Own study — Base64 encoded verification code in the response header.

The verification code should not be disclosed in any place.

XIX. PERSONAL INFORMATION LEAKAGE ON THE 2FA PAGE

Check if the application censors the personal data on the 2FA page.

The application should respond with generic information on the 2FA page.
If there is a mobile number being used it should be censored.

XX. IGNORED 2FA

Check if 2FA is required in all critical points of the application.

2FA should be enforced at all endpoints that may access or affect a user’s account.

XXI. UNVERIFIED ADDITION | CHANGE | DELETION OF 2FA

Check if the application does verify the modification of 2FA settings.

  • If the attacker successfully exploits another flaw, like CSRF or XSS in the application, he could modify or disable 2FA.
  • With temporary access to the victim’s account (e.g. physical access to a device with an active session), an attacker could modify or disable 2FA.
Source: Own study — An example of a simplified and secure 2FA access process.

The application should enforce a verification on the 2FA settings page.
On each 2FA settings modification, the user should be notified.

XXII. BROKEN SESSION INVALIDATION ON 2FA CHANGE

Check if the application invalidates the sessions after activation of 2FA.

Source: Own study — Testing the broken session invalidation on 2FA change.

The application should invalidate the session on the server-side after the user activates the 2FA feature or modify any 2FA settings.

XXIII. DISABLING 2FA VIA OTHER FEATURES

Check if other functionalities can disable 2FA.

Source: Own study — Testing disabling 2FA via other features.

2FA should be required for any critical app functionality such as password recovery, and it should not be disabled other than through 2FA settings.

XXIV. CSRF

Check the CSRF protection on the 2FA settings page.

  • An attacker creates a web page, inserts a hidden CSRF form, then lures the victim to visit it — the 2FA will be disabled or modified automatically.
Source: Own study — Generating CSRF PoC using Burp Suite.

Implement an unpredictable token in each HTTP request.
Such tokens should, at a minimum, be unique per user session.
Check CSRF Prevention Cheat Sheet from OWASP.

XXV. INPUT VALIDATION

Check the AppSec Tales I and AppSec Tales II.

Check the Input Validation Cheat Sheet from OWASP.

XXVI. INPUT LENGTH LIMITATIONS

Check parameter values length limits on each 2FA form.

Implement proper length limitations on the data received from the user.

FINAL WORDS

Testing any element of a Web Application is like sailing the open ocean.
Treat the WSTG like the compass and the ASVS like azimuth.

However, do not forget that someone had to invent it. Therefore you always have to look for new ways that you will not find in the WSTG or here, but you have to find them yourself.

Nevertheless, I hope you will find this article useful and keep coming back to it. I also encourage you to comment if you have an idea for a point for this article or if you find any bugs here ;]


August 30, 2022
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013

"PowerShell for Pentesters"
Join our newsletter and receive one of our premium issues for free.
x