2factor auth bypass
HTML-код
- Опубликовано: 10 сен 2022
- An attacker can perform an Authentication bypass...
check it before comment this not a bug
Note: Hi there,
Thanks for the report. What you are showing is that the authentication cookies are not being expired on logout. This issue is considered out-of-scope as documented in our vulnerability disclosure policy as it is classified as a low severity vulnerability (P4 or P5) according to Bugcrowd’s Vulnerability Rating Taxonomy. As stated in our policy, we do not pay bounties for such issues.
Best, Наука
That's not a bug. You've copied even the userID.. That's a p5. Unless you demostrate where the application leaks respective user ID's.
Also the userid is encrypted so we can't even brute force it
@@ravichander941 mehn...
He even paste the cookies that never expired
@@naumanbackupstests746 😅aiseee
I really agree with all of you and after the report I also thought about it but it was accepted as a p4.
the company also told me in this same topic.. so, they considered as a session not expire...
the question as triager where did you got the cookies of response , there is set-cookie response that can't be bypass 2fa and if so it would be p4 or p5
Bro please check the description box. I have already mentioned
Was that a 2fa bypass through a response manipulation ?
yes
intresting ✌✌✌✌
on which platform you find this program?
www.nuclino.com/vulnerability-disclosure-policy
This is not a bug nor 2fa bypass you just copy the cookies and paste it on the response.
I agree. But session cookie must be expire after log out.
@@bugbountypoc4096 please change the title it help to understand the poc for all
This is not a bug bro
2fa bypass using old session. That is also a part of a 2fa bypass. this report was considered as p4.
That's not a bug.
2fa bypass using old session. That is also a part of a 2fa bypass. check it on google
@@bugbountypoc4096 but that means the attacker would already have to have access to the account, making the 2fa bypass useless since the attacker is already in the account
where the bypass ?
2fa bypass using the old cookie. why does this not bypass????
@@bugbountypoc4096 Nice and how you got the old cookie ?