Lab: 2FA simple bypass

Log in as wiener:peter.

Open the email client, which contains the security code.

In this first login we can see that

the application sets a session cookie after the first login step,

then sets another session cookie after the second login step, which is the MFA security code.

Next we will try to bypass this.

First, log in as carlos using montoya as the password.

Then change the URL path from /login2 to /my-account.

Since we already have a session token from the first login step,

obtained using only a password,

we don't need the security code from the email to log in.
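
The flaw behind this bypass, shown from the server side as an added example (not code from the lab or from this write-up): the account page accepts any session, including the one issued after the password step alone. The function names, the in-memory session store, the `mfa_verified` flag and the code value `1234` are assumptions made for illustration.

```python
import secrets

USERS = {"carlos": "montoya"}   # credentials from the lab write-up
SESSIONS = {}                    # session id -> state (constructed in-memory store)

def login(username, password):
    """Step 1: password check. Issues a session before MFA is complete."""
    if USERS.get(username) != password:
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "mfa_verified": False}
    return sid

def login2(sid, code, expected_code):
    """Step 2: security code check. Rotates the session id on success."""
    state = SESSIONS.get(sid)
    if state is None or not secrets.compare_digest(code, expected_code):
        return None
    del SESSIONS[sid]                      # drop the pre-MFA session
    new_sid = secrets.token_hex(16)
    SESSIONS[new_sid] = {"user": state["user"], "mfa_verified": True}
    return new_sid

def my_account_vulnerable(sid):
    """Flawed check: any session counts as logged in, as in the lab."""
    state = SESSIONS.get(sid)
    return (200, state["user"]) if state else (302, "/login")

def my_account_hardened(sid):
    """Fixed check: the session must also have passed the second step."""
    state = SESSIONS.get(sid)
    if state is None:
        return (302, "/login")
    if not state["mfa_verified"]:
        return (302, "/login2")
    return (200, state["user"])

def demo():
    sid = login("carlos", "montoya")       # password only, no code entered
    results = {
        "vulnerable_pre_mfa": my_account_vulnerable(sid),
        "hardened_pre_mfa": my_account_hardened(sid),
    }
    full = login2(sid, "1234", "1234")     # constructed code value
    results["hardened_post_mfa"] = my_account_hardened(full)
    results["old_sid_after_mfa"] = my_account_hardened(sid)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The hardened handler sends a password-only session back to /login2, and the pre-MFA session id stops working once the second step succeeds.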
