2FA - Forced browsing
Try accessing different endpoints directly with the available token
2FA - Response Manipulation
Change: {success:"false"} -> {success:"true"}
2FA - Response Manipulation (Status Code)
Change 403 -> 200
2FA - Reusable Codes
Use the same code twice to bypass validation
2FA - Lack of Bruteforce Protection
Bruteforce the PIN
2FA - Lack of Bruteforce Protection with Additional Headers
Try to bypass the rate limit using these headers:
1. X-Originating-IP: 127.0.0.1
2. X-Forwarded-For: 127.0.0.1
3. X-Remote-IP: 127.0.0.1
4. X-Remote-Addr: 127.0.0.1
5. X-Forwarded-Host: 127.0.0.1
6. X-Client-IP: 127.0.0.1
7. X-Host: 127.0.0.1
8. Forwarded: 127.0.0.1
9. X-Forwarded-By: 127.0.0.1
10. X-Forwarded-For-IP: 127.0.0.1
11. X-True-IP: 127.0.0.1
2FA - Cross token usage
Use the token A on Account B
2FA - Bypass using OAuth
Try logging in using OAuth; this may bypass 2FA
2FA - No limit on OTPs sent at the company's expense
Send as many OTP requests as possible so the company is billed for each one
2FA - Bruteforce - IP-based bruteforce
Try bypassing the rate limit protection using the Burp IP Rotate plugin
2FA - Previous OTP not expiring
1. Get an OTP, e.g. 12345
2. Get a new OTP, e.g. 877678
3. Try using 12345
4. If it works, request as many OTPs as possible to increase the chances of a successful bruteforce
2FA - Password Change
After changing the password the webapp may not ask for 2FA confirmation