2 Factor Authentication (2FA) Bypass Techniques

Table of Contents
  1. Response Manipulation
  2. Enter the code 00000
  3. Changing the password
  4. Enter NULL
  5. Advanced Brute
  6. 2FA Code leakage in Response
  7. Status Manipulation
  8. CSRF - Turn-off 2FA
  9. 2FA Code re-usability
  10. Click-Jacking on 2FA Disable Feature
  11. Session Issues: Enabling 2FA doesn’t expire previous one
  12. JS file Analysis: Some expert says there may be a chance to break by gaining useful info
  13. Missing 2FA code integrity validation
  14. Business Logic bugs
  15. Sharing unused tokens
  16. OAuth compromise
  17. Re-send code and reset the limit
  18. Guessable cookie
  19. Subdomains / APIs: using old versions that don’t support 2FA (so it is directly bypassed)
  20. MITM/Social Engineering (Out Of Scope in bug-bounty hunting)
  21. Duplicate-Generator
  22. SIM Jacking
  23. Backup Code Abuse
  24. Framing the 2FA Disabling page