Hi. This write-up is about a program that is public, but a disclosure policy is enabled on it, so we will assume the domain is domain.com.
During the recon process, I found that there are two websites that are the same:
2FA was enabled on www.domain.com, and when you create an account on this domain you can log in on beta.domain.com without entering the 2FA code.
By default, 2FA was disabled, so I decided to try bypassing 2FA and enabled it on www.domain.com. After entering the username and password you have to enter a 6-character code (digits and letters), and the code expires after 5 minutes. Therefore brute force doesn't work here.
Open Burp, intercept the request after entering the password, and change the Host header to: beta.domain.com
Enter 000000 in the twofactorcode field
and forward the request. BOOOM.
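The root cause in a flow like this is that the backend decides whether to demand the second factor from the Host header rather than from the account, so a request that passes the password step with Host rewritten to the beta hostname skips the check. The following Python model is an added example and is not code from the write-up or from the affected program; all names (`vulnerable_login`, `hardened_login`, `make_users`, the user "alice", the code `A1B2C3`) are constructed for illustration. It shows the host-keyed check beside a hardened version that validates the Host header against an allowlist, derives the 2FA requirement from the account, and applies the 5-minute expiry the write-up mentions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Both hostnames front the same backend (as described in the write-up).
ALLOWED_HOSTS = {"www.domain.com", "beta.domain.com"}
# Flawed design: only one of them was configured to enforce the second factor.
HOSTS_ENFORCING_2FA = {"www.domain.com"}
CODE_TTL_SECONDS = 300  # the code expires after 5 minutes


@dataclass
class User:
    username: str
    password: str            # plaintext only for this toy; store a hash in real code
    totp_enabled: bool
    current_code: Optional[str] = None   # code issued for the pending login
    code_issued_at: float = 0.0


def make_users() -> Dict[str, User]:
    """Constructed sample data: one account with 2FA enabled on www.domain.com."""
    return {
        "alice": User("alice", "correct horse", True, "A1B2C3", code_issued_at=1000.0),
        "bob": User("bob", "hunter2", False),
    }


def vulnerable_login(users, host, username, password, twofactorcode, now=None):
    """Model of the flaw: the Host header decides whether 2FA is checked at all."""
    user = users.get(username)
    if user is None or not secrets.compare_digest(user.password, password):
        return "denied"
    # Flaw: a request for beta.domain.com never reaches the second-factor check,
    # so any value in the twofactorcode field (e.g. 000000) is accepted.
    if host in HOSTS_ENFORCING_2FA and user.totp_enabled:
        if twofactorcode is None or not secrets.compare_digest(twofactorcode, user.current_code):
            return "2fa_required"
    return "logged_in"


def hardened_login(users, host, username, password, twofactorcode, now=None):
    """Hardened flow: Host is only validated, never used for an authorization decision."""
    # 1. Reject unexpected Host values up front; the header carries no trust.
    if host not in ALLOWED_HOSTS:
        return "bad_host"
    user = users.get(username)
    if user is None or not secrets.compare_digest(user.password, password):
        return "denied"
    # 2. The second-factor requirement comes from the account, identically on every host.
    if user.totp_enabled:
        now = time.time() if now is None else now
        if user.current_code is None or now - user.code_issued_at > CODE_TTL_SECONDS:
            return "code_expired"
        if twofactorcode is None or not secrets.compare_digest(twofactorcode, user.current_code):
            return "2fa_required"
    return "logged_in"


if __name__ == "__main__":
    users = make_users()
    # Same credentials, only the Host header differs: the vulnerable flow lets the
    # beta request through with a dummy code, the hardened flow does not.
    print("vulnerable/www :", vulnerable_login(users, "www.domain.com", "alice", "correct horse", "000000"))
    print("vulnerable/beta:", vulnerable_login(users, "beta.domain.com", "alice", "correct horse", "000000"))
    print("hardened/beta  :", hardened_login(users, "beta.domain.com", "alice", "correct horse", "000000", now=1060.0))
    print("hardened/valid :", hardened_login(users, "beta.domain.com", "alice", "correct horse", "A1B2C3", now=1060.0))
    print("hardened/stale :", hardened_login(users, "www.domain.com", "alice", "correct horse", "A1B2C3", now=1301.0))
```

The detection angle follows from the same observation: a successful login whose Host header does not match the hostname the session started on, or whose second-factor step was skipped for an account that has 2FA enabled, is the event to alert on.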
#infosec #bug-bounty #writeup #security