Scenario:
You are a penetration tester hired by SecureCorp to assess the security of Craw.in's new user authentication system. Craw.in uses a 2FA system that sends an OTP to the user's registered email address.
Question 1.
During initial reconnaissance, you notice the registration page doesn't require email verification. This could lead to what type of attack?
Question 2.
While reviewing the account recovery flow, you find you can request a password reset even if 2FA is enabled. Could this create an attack vector?
Question 3.
You observe the OTP is numeric and 6 digits long. A brute-force attack might be possible. What is the maximum number of OTPs in the keyspace?
Question 4.
While analyzing network traffic, you find the OTP is transmitted in a URL parameter. Is this a secure transmission method?
Question 5.
You discover that if you send multiple OTP requests rapidly, some earlier OTP codes still work even after newer ones are generated. This is a form of what vulnerability?
Question 6.
The OTP validation server does not properly validate the length of the OTP. What if you send a 7-digit OTP to the validation server?
Question 7.
You try entering the same OTP multiple times in a short period. The system does not block the IP address or the user account. This vulnerability can allow an attacker to perform what type of attack?
Question 8.
In the user profile, you change your phone number, which is another 2FA method, but the system doesn't send a confirmation OTP to the new number. This makes the user account vulnerable to what kind of attack?
Question 9.
You accidentally send a negative number (-123456) instead of a positive OTP code, and the system accepts it. What type of vulnerability is this?
Question 10.
While setting up 2FA, the system shows a QR code. Can a user use that QR code more than once to set up 2FA?
Question 11.
You enter the correct username but intentionally introduce a delay of 2 minutes before entering the valid OTP. Does the system account get locked after a set amount of time?
Question 12.
If you find an endpoint that leaks whether an account exists or not without proper rate-limiting, what type of vulnerability is this?
Question 13.
You bypass the 2FA by exploiting a vulnerability in the "Forgot Password" functionality, allowing you to reset the password without the OTP. What type of bypass is this?