Cobalt Vulnerability Wiki

V2 - Authentication

Missing brute-force protection for two-factor authentication

POC

1. Log in with valid credentials, capture the request that submits the 2FA code (the request the application requires before granting access), and send it to Burp Intruder.


2. Mark the 2FA code parameter as the payload position and brute-force it (for a 6-digit numeric code, a Numbers payload from 000000 to 999999 with zero padding).


3. Sort the results by response length or status code: the correct code produces a response that differs from every incorrect one (for example a redirect to the authenticated area instead of an error message). If the attack runs to completion without the session being locked, throttled, or presented with a CAPTCHA, the endpoint has no brute-force protection.
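The following is an added example, not code from the Cobalt wiki: it simulates a 2FA verification endpoint with no attempt limit next to a hardened one, and a brute-forcer that mirrors the Intruder attack above by flagging any response whose status or length differs from a known-bad baseline. The class and function names, the 6-digit numeric code space, the response bodies, and the lockout threshold of five attempts are all assumptions chosen for the illustration.

```python
"""Added example (not from the Cobalt wiki).

Models the POC in-process: a vulnerable 2FA endpoint that accepts unlimited
guesses, a hardened endpoint with a per-session attempt counter, and a
brute-forcer that detects the correct code the same way Intruder does,
by a change in (status, response length) relative to a failed attempt.
All names, codes, thresholds and response bodies are assumptions.
"""
from __future__ import annotations

import hmac

CODE_LEN = 6        # assumed: 6-digit numeric TOTP/SMS code
MAX_ATTEMPTS = 5    # assumed lockout threshold for the hardened endpoint


class VulnerableTwoFactorEndpoint:
    """No attempt counter: a session may try every code in the space."""

    def __init__(self, code: str) -> None:
        self._code = code

    def verify(self, session: str, code: str) -> tuple[int, str]:
        # Success and failure bodies differ in length, which is exactly
        # what Intruder's Length column exposes.
        if code == self._code:
            return 302, "Redirecting to /dashboard"
        return 200, "Invalid two-factor code. Please try again."


class HardenedTwoFactorEndpoint:
    """Per-session attempt counter with lockout and constant-time compare."""

    def __init__(self, code: str) -> None:
        self._code = code
        self._attempts: dict[str, int] = {}

    def verify(self, session: str, code: str) -> tuple[int, str]:
        n = self._attempts.get(session, 0)
        if n >= MAX_ATTEMPTS:
            # Lock the session; the user must log in again for a fresh code.
            return 429, "Too many attempts. Log in again to request a new code."
        self._attempts[session] = n + 1
        if hmac.compare_digest(code.encode(), self._code.encode()):
            self._attempts.pop(session, None)
            return 302, "Redirecting to /dashboard"
        return 200, "Invalid two-factor code. Please try again."


def brute_force(endpoint, session: str = "sess-1") -> tuple[str | None, int]:
    """Mirror of the Intruder attack in steps 2 and 3 of the POC.

    Sends one deliberately invalid code to record the failure baseline,
    then iterates the full code space in order. Returns (code, attempts)
    where code is None if the space was exhausted or the session was
    locked out (HTTP 429) before the code was found.
    """
    attempts = 0
    base_status, base_body = endpoint.verify(session, "not-a-code")
    baseline = (base_status, len(base_body))
    attempts += 1
    for i in range(10 ** CODE_LEN):
        code = f"{i:0{CODE_LEN}d}"
        status, body = endpoint.verify(session, code)
        attempts += 1
        if status == 429:
            return None, attempts          # brute-force protection kicked in
        if (status, len(body)) != baseline:
            return code, attempts          # response differs: correct code
    return None, attempts


if __name__ == "__main__":
    secret = "004217"                      # constructed sample code
    print("vulnerable:", brute_force(VulnerableTwoFactorEndpoint(secret)))
    print("hardened:  ", brute_force(HardenedTwoFactorEndpoint(secret)))
```

Against the vulnerable endpoint the loop finds the code after a few thousand requests; against the hardened one it is cut off at the sixth request with a 429. When testing a real target, also compare the status code and any Location header, since some applications return identical body lengths but redirect only on success, and confirm the lockout is tied to the login session or account rather than only to the client IP, which is trivially rotated.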



Impact

Low-Medium



Likelihood

Low

