Attack Multi-Factor Authentication
  1. Analyse non-standard cookie fields such as 'verify' and any field where the username is sent. You might be able to change it and log in as another user.
  2. Compare the login flow of admin and non-admin accounts and note down the differences in the requests when there are different screens in the authentication process (e.g. the Referer and X-Origin-URL headers).
  3. Check if all pages in the flow require the 2FA token to access them. E.g. we might be able to access a 'my-account' page without the 2FA token and just with the regular login token.
  4. Check if all functionalities require the 2FA token to perform them.
  5. Check if old tokens still work.
  6. Check if a token generated for one user works for another.
  7. Is the token weak and brute-forceable? If yes, try to crack it for another user. If that doesn't work, perhaps because a valid token hasn't been created yet for the user we are trying to log in as, try to force its creation by manipulating one of the requests that is made right after the login (e.g. the GET to the page to type the MFA token/received code).
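
The server-side properties that items 2 to 7 test for, shown as an added example (not code from the original page): the second-factor code is bound to the session and user, single-use, time-limited and attempt-limited, and every page or action checks the verified state. `MfaStore`, its method names, `MAX_ATTEMPTS` and `CODE_TTL` are hypothetical names and values chosen for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5   # assumed limit on guesses per issued code
CODE_TTL = 300     # assumed code lifetime in seconds


class MfaStore:
    """Hypothetical server-side MFA state, keyed by session id."""

    def __init__(self, clock=time.time):
        self._pending = {}   # session_id -> [user, code, expires_at, attempts]
        self._verified = {}  # session_id -> user who passed both factors
        self._clock = clock

    def issue(self, session_id, user):
        # 'user' comes from the password step held server-side, never from a
        # client-controlled cookie or request parameter (item 1).
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = [user, code, self._clock() + CODE_TTL, 0]
        self._verified.pop(session_id, None)
        return code

    def verify(self, session_id, submitted):
        entry = self._pending.get(session_id)
        if entry is None:
            return False  # no code was issued for this session (item 6)
        user, code, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]  # expired or guessed too often (items 5, 7)
            return False
        entry[3] += 1
        if not hmac.compare_digest(code.encode(), str(submitted).encode()):
            return False
        del self._pending[session_id]  # single use: a replayed code fails (item 5)
        self._verified[session_id] = user
        return True

    def authorize(self, session_id, user):
        # Call on every page and every action, not only in the login flow
        # (items 3 and 4).
        return user is not None and self._verified.get(session_id) == user
```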