2FA
Bypasses
- Response Manipulation (intercept the response and change the status code to 200, false values to true…)
- 2FA Code Reusability
- 2FA Code Leakage in Response
- Password Reset Disables 2FA
- CSRF on 2FA Disabling
- Lack of Brute-Force Protection
- Clickjacking on 2FA Disabling Page
- Enabling 2FA doesn’t expire previously active sessions
- Bypass 2FA with null or 000000
- Direct access to a page, skipping the 2FA process
- 2FA code based on timestamp
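
A server-side verification routine that closes several of the items above (code reuse, missing brute-force limit, null/000000 input, timestamp-derived codes, response manipulation), as an added example that is not part of the original notes. The `Challenge` class, the function names and the two limits are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5   # assumed lockout threshold per challenge
CODE_TTL = 300     # assumed code lifetime in seconds

class Challenge:
    """Server-side state for one pending 2FA challenge (hypothetical model)."""
    def __init__(self, code, issued_at):
        self.code = code
        self.issued_at = issued_at
        self.attempts = 0
        self.used = False

def issue_challenge(now=None):
    # Code comes from the CSPRNG, never derived from the timestamp.
    code = f"{secrets.randbelow(10**6):06d}"
    return Challenge(code, time.time() if now is None else now)

def verify_code(challenge, submitted, now=None):
    """Return (ok, reason); the caller marks the session as 2FA-complete
    only on ok=True, so nothing the client edits in a response matters."""
    now = time.time() if now is None else now
    if challenge.used:
        return False, "already_used"          # no code reuse
    if now - challenge.issued_at > CODE_TTL:
        return False, "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        return False, "locked"                # brute-force limit
    challenge.attempts += 1                   # count every try, valid or not
    # null, empty, wrong length or non-ASCII-digit input fails before comparison
    if not (isinstance(submitted, str) and len(submitted) == 6
            and submitted.isascii() and submitted.isdigit()):
        return False, "malformed"
    if not hmac.compare_digest(submitted, challenge.code):
        return False, "mismatch"
    challenge.used = True
    return True, "ok"
```
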
Open ID
acr_values can be manipulated as per RFC.