28 Feb 2024

Flawed two-factor verification

The security procedure known as two-factor authentication (2FA), also called dual-factor authentication or two-step verification, requires users to authenticate themselves using two separate authentication factors.

Typically, the user reads verification codes from a physical device of some sort. A lot of websites with high security now give users a special tool for this, like the keypad or RSA token that you may use to access your work laptop or online banking. These specialized devices not only have the benefit of directly producing the verification code, but they are also designed with security in mind. Websites frequently use specialized mobile apps, like Google Authenticator, for the same purpose.

However, some websites text verification codes to a user’s mobile device. It is possible to abuse this, even though it technically still verifies the factor of “something you have”. First of all, instead of being generated by the device itself, the code is being sent via SMS. Interception of the code becomes possible as a result. SIM swapping is another risk, in which a perpetrator gets a SIM card bearing the victim’s phone number through deception. All SMS messages sent to the victim—including the one with their verification code—would subsequently be received by the attacker.

This is an important topic in outsourced penetration testing, and it also plays an important role in ethical hacking.

Exploitation examples

To understand the vulnerability better, we will walk through the PortSwigger lab using Burp Suite.
We need the original GET request, which we first run against our own account to receive a 2FA code. We then send this request to Repeater, change the “verify” parameter from our own account name to the victim’s name, and try to brute-force the 2FA code.

Sometimes the flawed logic of two-factor authentication means that after a user has completed the first login step, the website cannot adequately verify that the same user is performing the second step.

First, we log in to our account, intercept the GET request and send it to Repeater.

Looking more closely at the request, we need to change the verify=wiener parameter to the victim’s username: verify=carlos.

Sending this modified request generates and sends a temporary 2FA code for the victim’s account.

Then we log out of our account, enter an incorrect 2FA code to capture the POST request, and send it to Intruder.

In Burp Intruder we change the verify parameter of the POST request to carlos,
then select the mfa-code value and click Add § to mark it as the payload position.
This is the position the brute force will iterate over.

We start the brute force and wait.

After a successful brute-force attack we get an HTTP 302 response, which means the 2FA code was found.

Now all we have to do is copy the request and send it to the browser,
where we can see that everything worked correctly.

Scanners and tools for detecting flawed 2FA logic

Detecting flawed logic in two-factor authentication (2FA) systems often requires a nuanced approach, since these vulnerabilities are rarely easy to distinguish through automated scanning alone.

For detecting flawed 2FA logic specifically, a manual testing approach is often necessary. This involves:

Session Management Tests: checking how sessions are handled before and after 2FA verification.

2FA Bypass Attempts: attempting to access protected resources without completing the 2FA challenge, or by manipulating the 2FA process.

Rate Limiting and Lockout Policies: testing the application’s response to repeated failed 2FA attempts to identify potential DoS or brute-force vulnerabilities.
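The following is an added example, not code from the PortSwigger lab or from this article, that models the server side of the walkthrough above and the session-binding and lockout checks listed here. The two in-memory stores, the 4-digit code format and the MAX_FAILURES threshold are constructed assumptions; the flawed handlers reproduce the lab’s behaviour (the client-supplied verify parameter is trusted and attempts are not counted), and the hardened handlers show the fix.

```python
import secrets

# Constructed in-memory stand-ins for the server side of the lab app
# (hypothetical names and layout; not PortSwigger's own code).
FLAWED_CODES = {}     # username -> code, keyed by the client-supplied 'verify' value
PENDING_2FA = {}      # session_id -> {"user": ..., "code": ..., "failures": int}
MAX_FAILURES = 5      # lockout threshold (assumed policy)

def new_code():
    """4-digit code, as in the lab."""
    return f"{secrets.randbelow(10000):04d}"

def login2_flawed(verify_param):
    """GET /login2?verify=<user> as the lab implements it: the server trusts the
    'verify' parameter and issues a code for whoever it names, so changing
    verify=wiener to verify=carlos generates a code for carlos."""
    FLAWED_CODES[verify_param] = new_code()

def login2_verify_flawed(verify_param, mfa_code):
    """POST /login2 as the lab implements it: no session binding and no attempt
    counter, so the 4-digit code falls to at most 10000 guesses."""
    return FLAWED_CODES.get(verify_param) == mfa_code

def password_step_ok(session_id, user):
    """Hardened step one: after the password check the server itself records
    which user this session is verifying; the client never names the user again."""
    PENDING_2FA[session_id] = {"user": user, "code": new_code(), "failures": 0}
    return PENDING_2FA[session_id]["code"]   # delivered to the user out of band

def login2_verify_hardened(session_id, verify_param, mfa_code):
    """Hardened step two: the pending code is looked up by session, a client-supplied
    username must match the one bound in step one, failures are counted, and the
    pending code is discarded once MAX_FAILURES is reached."""
    pending = PENDING_2FA.get(session_id)
    if pending is None or pending["user"] != verify_param:
        return False                       # no step one on this session, or another user
    if secrets.compare_digest(pending["code"], mfa_code):
        del PENDING_2FA[session_id]        # single use
        return True
    pending["failures"] += 1
    if pending["failures"] >= MAX_FAILURES:
        del PENDING_2FA[session_id]        # lockout: step one must be repeated
    return False
```

In the hardened flow a request that renames verify to another user is rejected before it can even consume an attempt, and after MAX_FAILURES wrong codes the correct code no longer works until the password step is redone.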

1. Burp Suite

A comprehensive tool for web application security testing that supports both manual and automated scanning. Burp Suite’s Intruder and Repeater tools are useful for manually testing and modifying 2FA processes, even though the suite itself may not detect errors in 2FA logic on its own.
To check for bypasses or logical errors, manually replay or alter 2FA requests using the Repeater tool.

2. OWASP ZAP

An open-source web application scanner that offers both manual and automated exploitation tools, akin to Burp Suite.
Check 2FA endpoints for logic errors or vulnerabilities, like inconsistent session handling or evadeable prompts, by using the manual request editor.

3. Nmap with NSE Scripts

Nmap is primarily a network scanner, but its scripting engine (NSE) can be extended to carry out more specialized web application checks, such as probing for particular kinds of authentication and session management problems.
Use custom NSE scripts to find misconfigurations in services with 2FA enabled.

4. Metasploit Framework

An exploit development, testing, and execution platform that is open-source. It has modules that can be used to test authentication methods among other things related to web application security.
Make use of Metasploit modules made to check for vulnerabilities in authentication systems that might affect 2FA logic.

5. SQLMap

An automated tool that finds and exploits SQL injection vulnerabilities, which are occasionally used to get around or compromise 2FA protections.
Use it to find SQL injection flaws that could expose user information or session tokens and result in a 2FA bypass.

6. WPScan

A WordPress security scanner that can identify a variety of flaws, such as weak plugin or theme authentication that could undermine 2FA logic.
Check WordPress installations for configurations or plugins that could compromise the integrity of 2FA.

Average CVSS score

Depending on the particulars of the vulnerability, the application’s context, and its possible impact, the Common Vulnerability Scoring System (CVSS) score for flaws in two-factor verification (2FA) logic can vary greatly. The confidentiality, integrity, and availability of the system and its data could be seriously jeopardized by any flaw that compromises 2FA, which is typically implemented as an extra layer of security for authentication processes.

A 2FA logic flaw may have a Medium (CVSS 4.0–6.9) to High (CVSS 7.0–8.9) severity score, especially if it makes it easy for unauthorized users to access sensitive functions or data. If the vulnerability fully bypasses 2FA safeguards and causes immediate, serious harm, it may even reach Critical (CVSS 9.0–10.0) severity.

To get an accurate CVSS score, each vulnerability must be evaluated individually, taking into account the particulars of the impacted system, the vulnerability’s potential impact, and how simple it is to exploit.


Top CVEs related to flawed 2FA verification

These CVEs highlight a variety of vulnerabilities that impact two-factor authentication systems, ranging from specific problems with software implementations and physical device manipulations to brute-force attacks and authentication bypasses. It’s crucial to apply the required patches or mitigation techniques to safeguard these vital security components and to routinely check CVE databases and security advisories for the most recent vulnerabilities impacting two-factor authentication systems.

CVE-2020-12409: By using a brute force approach to generate one-time passwords (OTPs), attackers were able to get around two-factor authentication in Apache Guacamole 1.1.0.

CVE-2018-1000136: Before versions 2.0.0-beta.3, 1.8.4, and 1.7.13, Electron allowed remote attackers to circumvent authentication using a specially constructed URL, which could affect applications that used two-factor authentication.

CVE-2019-3560: Due to an error in the way WhatsApp limited attempts to send a 2FA setup email, an attacker could have reset the 2FA PIN during 2FA setup.

CVE-2020-15120: Physical attackers were able to get around two-factor authentication by using the same device in a different USB port, due to a vulnerability in the FIDO2 component of the Nitrokey FIDO U2F.

CVE-2019-12280: An attacker might have been able to take control of the update process, insert malicious code, and get around the application’s two-factor authentication with the Zoom client for meetings (for Mac).

CVE-2021-3156: Through the use of sudoedit -s and a command-line argument that ends with a single backslash character, a local user (or a malicious program) may have been able to circumvent two-factor authentication in Sudo prior to 1.9.5p2.

Foundational Knowledge about flawed 2FA verification

1. Gain an understanding of authentication mechanisms by starting with the fundamentals and learning about the various kinds (something you have, something you know, and something you are).

2. Examine Two-Factor Authentication: learn how common implementations of 2FA work, such as hardware tokens, SMS-based one-time passwords, authenticator apps, and biometrics.

3. Know how to use social engineering and phishing to evade two-factor authentication by deceiving users into disclosing their one-time passwords or by tampering with user sessions.

4. Examine how attackers can intercept 2FA tokens in transit using man-in-the-middle (MitM) attacks, particularly in less secure implementations such as email- or SMS-based 2FA.

5. Account Recovery Vulnerabilities: Find out how attackers may circumvent 2FA by taking advantage of weaknesses in account recovery procedures.

6. Implementation Mistakes: Examine how poorly implemented 2FA systems can result in weaknesses like falling back to less secure authentication methods or not rate-limiting OTP entries.

7. Study the recommendations for securely implementing two-factor authentication (2FA), which include using secure channels to deliver tokens, managing sessions appropriately, and using secure application logic.

8. User Education: Recognize the significance of teaching users about safe 2FA procedures, like securing their authentication tokens and devices and identifying phishing attempts.

9. Discover how risk-based or adaptive authentication techniques modify authentication requirements according to the circumstances surrounding a login attempt.

10. Decentralized Authentication: Examine the effects of new authentication technologies on two-factor authentication (2FA), including blockchain-based and decentralized identity systems.

Courses and Resources

Cybrary: Offers courses on cybersecurity fundamentals, including authentication and access management.


Coursera: Search for courses on cybersecurity and web application security that cover authentication mechanisms, including 2FA.


OWASP: The Open Web Application Security Project provides extensive resources on web application security, including best practices for implementing 2FA.

Books

“Applied Cryptography” by Bruce Schneier: Provides foundational knowledge on cryptographic principles that underpin secure authentication systems.


“The Art of Deception” by Kevin Mitnick: Offers insights into social engineering attacks, including those targeting 2FA systems.


“Hacking Exposed 7: Network Security Secrets and Solutions” by Stuart McClure, Joel Scambray, and George Kurtz: Includes sections on modern security challenges, including flaws in 2FA systems.

Conclusion

In the fields of cybersecurity, ethical hacking and penetration testing, flawed two-factor verification poses a serious problem. Even though two-factor authentication (2FA) adds a second layer of verification on top of passwords to improve security, it is not impervious to vulnerabilities. A number of factors can contribute to 2FA system flaws, such as poor implementation, a user interface that invites user error, reliance on insecure communication channels, and sophisticated phishing attacks that can circumvent or take advantage of 2FA mechanisms.

In summary, two-factor verification is an essential part of contemporary cybersecurity defenses, but it is not infallible. Maintaining the integrity and security of user accounts and sensitive systems requires identifying and fixing the vulnerabilities present in 2FA systems. The effectiveness of two-factor authentication (2FA) can be strengthened to make it a more dependable defense against unauthorized access through ongoing development, education, and the adoption of more secure technologies.

