webPromedium

Lab 288 — VaultPay — 2FA Bypass via Pre-Authentication JWT

hackadvisor

Task: banking platform with 2FA that issues JWT before OTP verification, containing otp_verified:false claim. Solution: use pre-authentication JWT to access API endpoints that don't validate the otp_verified claim, retrieving flag from account settings.

$ ls tags/ techniques/

jwt nodejs authentication_bypass express api_security otp 2fa_bypass banking_platform

jwt_analysisapi_endpoint_enumerationpre_authentication_token_abusemissing_authorization_check

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 301 — VaultLine — 2FA Bypass via Rate Limit Evasion— hackadvisor
[web][Pro]Lab 354 — VaultAPI — JWT Authentication Bypass via JWE-Wrapped PlainJWT— hackadvisor
[web][Pro]Lab 341 — KeyVault2FA — SSRF via OTP Account Import— hackadvisor
[web][Pro]Lab 215 — NestVault — 2FA Bypass via Incomplete Session Verification— hackadvisor
[web][Pro]Lab 350 — VaultKeeper— hackadvisor