Cobalt Crowdsourced Application Pentest

Cobalt Vulnerability Wiki


V2 - Authentication

Missing brute-force protection for two-factor authentication

POC

  1. Send the request that submits the 2FA code to Burp Intruder
  2. Brute-force the 2FA code parameter
  3. Observe the difference in response length between a correct and an incorrect code
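
The weakness above comes down to a verifier that accepts an unlimited number of guesses and answers each one with a distinguishable response. The following Python is an added illustration, not code from the Cobalt wiki or from any product: it places a verifier with exactly that weakness beside a hardened one that counts failures per login session, locks the challenge for a window after too many of them, invalidates the code once it has been used, compares with `hmac.compare_digest`, and returns one fixed error body for "wrong code", "locked" and "unknown session" alike. The policy values (`MAX_FAILED_ATTEMPTS`, `LOCKOUT_SECONDS`), the six-digit code format, the session identifiers and the JSON bodies are all assumptions made for the example.

```python
"""2FA code verification: an unprotected verifier beside a brute-force-resistant one.
Constructed example; constants, session ids and response bodies are assumptions."""
import hmac
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5   # assumption: failures allowed before the challenge locks
LOCKOUT_SECONDS = 300     # assumption: how long the challenge stays locked
CODE_LENGTH = 6           # assumption: six-digit numeric codes


@dataclass
class Challenge:
    expected_code: str
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


@dataclass(frozen=True)
class Result:
    ok: bool
    status: int
    body: str


# One error body for every failure mode, so the response (and its length)
# does not tell the client whether the code was wrong, locked, or unknown.
GENERIC_FAILURE = Result(False, 401, '{"error":"verification failed"}')
SUCCESS = Result(True, 200, '{"status":"ok"}')


class TwoFactorVerifier:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable clock so lockout expiry can be tested
        self._challenges: dict[str, Challenge] = {}

    def start_challenge(self, session_id: str, expected_code: str) -> None:
        """Called after the password step; the code would normally be sent via SMS/app."""
        self._challenges[session_id] = Challenge(expected_code)

    def verify_unprotected(self, session_id: str, code: str) -> Result:
        """The weakness on the page: no attempt limit, a plain string compare,
        and a failure body whose length differs from the success body."""
        challenge = self._challenges.get(session_id)
        if challenge is None:
            return GENERIC_FAILURE
        if code == challenge.expected_code:
            return SUCCESS
        return Result(False, 401, '{"error":"invalid code, please try again"}')

    def verify_protected(self, session_id: str, code: str) -> Result:
        """Hardened verifier: per-session failure counter, lockout window,
        one-time code, constant-time comparison, uniform failure response."""
        challenge = self._challenges.get(session_id)
        now = self._clock()
        if challenge is None or now < challenge.locked_until:
            return GENERIC_FAILURE   # locked or unknown: same answer as a wrong code
        well_formed = len(code) == CODE_LENGTH and code.isdigit()
        if well_formed and hmac.compare_digest(code.encode(), challenge.expected_code.encode()):
            del self._challenges[session_id]   # code is single-use
            return SUCCESS
        challenge.failed_attempts += 1
        if challenge.failed_attempts >= MAX_FAILED_ATTEMPTS:
            challenge.locked_until = now + LOCKOUT_SECONDS
            challenge.failed_attempts = 0   # fresh budget only after the window passes
        return GENERIC_FAILURE

    def is_locked(self, session_id: str) -> bool:
        challenge = self._challenges.get(session_id)
        return challenge is not None and self._clock() < challenge.locked_until


if __name__ == "__main__":
    v = TwoFactorVerifier()
    v.start_challenge("session-A", "123456")          # constructed session and code
    for guess in ("000000", "000001", "000002", "000003", "000004"):
        print("protected", guess, v.verify_protected("session-A", guess))
    print("locked:", v.is_locked("session-A"))
    print("correct code while locked:", v.verify_protected("session-A", "123456"))
```

The lockout here is keyed on the login session, which is what a code-guessing loop against a single pending login exhausts first; in a real deployment the same counter would also be kept per account and per source address, and a locked challenge would additionally be reported to the detection pipeline, since several locks against one account in a short window is itself a usable alert.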

Impact

Low-Medium

Likelihood

Low