Welcome back to Pentester Diaries, a podcast series that aims to take off the hacker hoodie and have a real conversation about this growing profession.
In this episode, Jon Helmus speaks with Harsh Bothra, a pentester with an appetite for learning and sharing his knowledge. In this episode, they'll examine Multi-Factor Authentication.
Pentester Diaries is multi-formatted, with audio, video, and written versions of the episode below.
Watch the video podcast here
*Also available on Apple Podcasts, Google Podcasts, and Stitcher.
Prefer to read the episode? Below you can find a transcription of the podcast:
Jon Helmus: [00:25]
Welcome everyone to another episode of Pentester Diaries presented by Cobalt.io. Today, I have Harsh, one of the top core members of the community here at Cobalt. Harsh, thanks again for taking the time to be on the show today.
Harsh Bothra: [00:40]
Thank you, Jon, for inviting me to the show. Excited to see what comes next.
Jon Helmus: [00:45]
Yeah man, really excited to talk about what you are presenting today, and thanks again for presenting your own research and sharing it with the community. As someone who works in the offensive security community as well, it's really good that we always give back to our fellow pentesters offensive security professionals so that we share the wealth rather than holding on to it. Thanks, man, for being an advocate to share and to spread the wealth of knowledge because if we're not all learning then it's going to become a snowball effect of some bad things. So, with that being said, let's go ahead and start jumping into what we're going to be talking about today.
So, today we're going to be talking about two-factor authentication bypass techniques which you've actually created a lot of documentation based around. So, awesome stuff man. Before we dive into that though, let's talk about you. It's not a show without talking about who you are. So, if you could let the listeners know– who are you, what are you about, what's your expertise, and your experience?
Harsh Bothra: [01:54]
Yeah, sure. So, I am working as a pentester for quite a while now. It's been like quite six years into the security domain. I started as a normal hacker tinkering around the various things like games, cheating around the games to see if we can win against our competitors. And from there, the spark came into the picture for hacking, hacking software then I got into the bug bounty and pentesting.
So, the idea is all about to make the world secure, specifically spread the knowledge and learn as much as you can as you go. So currently, I mainly work in web applications, APIs, mobile, and network so you can say the complete stack is something that I usually do. I also do freelance maintenance with Cobalt here at Cobalt Core where we again face the same kind of challenges for the various kinds of applications including web applications, APIs, mobile and network applications.
So, this is a little bit about me, and what I do. Apart from that, I have a huge interest in infosec and I really love this community because the day I shared about this two-factor authentication, MindMap and the blog as well, I received a lot of feedback. I received a lot of new things to be added and people help a lot to modify and shape your work. This is really a beautiful domain to pursue and to work with.
Jon Helmus: [03:16]
Yeah man, that's awesome. I love how you mentioned - you're just kind of like a tinkerer, right? You like to try things out, see how they work and that kind of led you into the career that you're in and I think the listeners listening in on more of the Pentester Diaries series, t. They're going to notice that a lot of us, pentesters and offensive security professionals, we are just curious geeky people and that turned our hobbies into a career and we're fortunate that we have turned it into a career.
Harsh Bothra: [03:46]
I think your passion should turn into your profession and that's why the industry moves. Ultimately it is your passion at the start. So, even if it's your profession right now, you are not bored of it. I would say that infosec is one of the domains that I explored during my college b-tech journey when my engineering time that even I messed up with a lot of software's cloud machine learning things. But ultimately, I feel that with this particular domain you have to study a lot of things, a lot of programming languages. You should know at least how the various technologies are working if you want to be a good pentester. So, it's a mix of a lot of things. Continuous learning is one of the key factors that plays an important role in being a pentester. So, it's really a nice thing to be part of this community.
Jon Helmus: [04:31]
You're saying continuous learning and I'm trying to think of like okay, how do we illustrate that to the listeners, what does continuous learning mean and that's really out of scope of this conversation because I think that's something that we could talk about a lot. But quantifying it and saying, okay, continuous learning means you spend this amount of hours every day learning something new and I think it's difficult sometimes for even a lot of us in the infosec world to really stay out of our comfort zone on a daily basis and learn something new.
Harsh Bothra: [05:04]
Yeah, so continuous learning, I would say that just to make sure that your brain doesn't freeze out. So, once you reach to some particular phase of the pentest venue, you know that you are a good web pentester, API, or mobile pentester. Then, after a certain time if you stop learning, you are not aware of what is coming new, what is coming latest and after some time your knowledge would be somewhat obsolete, and it should be really hard to again pick up the pace and learn something again after four years or five years. So, for the same reason, even I started this thing called Learn365, where daily, I spend at least one hour to learn something new. I dig my head around something and I just then post it through Twitter and GitHub so that even the notes are accessible to the world so that they can also have a summary that okay, Harsh is learning something like this, maybe we can also go and get a look at it.
Jon Helmus: [05:53]
You said to secure the world and there's a saying of– the world is yours. It comes from the movie Scarface. And so, the world is yours, so now we live in the technology era where you got to secure that world if you want to be a part of it and not just at an offensive security level, just at a general level. It doesn't matter, which is great to mention because that kind of feeds into our next topic is talking about two-factor authentication which is becoming a big thing right now because single factor authentication doesn't work. You and I as pentesters know it doesn't work. You can put security controls around it, but it still doesn't work.
So, to kind of give some context for the listeners that might not know what it is, can you give a brief introduction to what two-factor authentication is? Also, for the listeners listening know that it also is commonly known as Multi-Factor Authentication. But two-factor authentication, what does that mean?
Harsh Bothra: [07:00]
So, to put it simply, just to let you understand what this single factor or a single authentication is, so you are going to a particular website and entering your password, now you are able to access it. This is what we all used to do a couple of years back. Now, the new thing is implemented that once you verify your first identity, you need to verify one more identity which only you should have access to. Maybe you will receive an OTP on your phone or maybe you will give your biometrics information to a particular application to just verify your second identity. So, when more than one kind of identification comes in the picture, we consider it as a Multi-Factor Authentication, specifically talking about two-factor authentication. There are two layers of authentication as the word clearly describes it.
The first factor could be your password in general or a pin or something like that. Once you enter and verify that application - say, okay, 'hey Harsh, you entered the correct password. Now, let me just quickly check if you have a correct fingerprint or not.' Now, I have access to my fingerprint, and this totally verifies that okay only Harsh can access the application.
So, just to make sure the authentication systems are more secure, these kinds of implementations were implemented across various kinds of applications. Specifically, you will see those in social media applications, banking sector applications. I guess almost every kind of application which somewhat holds confidential or sensitive information.
Jon Helmus: [08:23]
Yep. So, concisely put it. It's just you enter in your password and then before you can access your information, you have to do one more thing and a lot of times like you mentioned with banking. Banking is a big, big thing that uses two-factor authentication and I think that's a good topic to base around for this conversation because we all use banking, and nobody wants their bank account getting hacked into. When you get into your bank account, you put in your password and your email, that's the one factor. There's the first factor of what you use to get in and then you have to use that something you have, something you already are using, something you know which is your password, then you have to use something you have, something you are, something you do. There are those other factors that you have to put in so that's where you get that one-time token. If you access your bank online on your phone, a lot of times you can just scan it with your fingerprint on your phone to wherever the biometric reader is on your phone and that's something you are. So, there's so many different factors but you have to do that next step before you can get access to your bank account. So, why is that important?
Harsh Bothra: [09:37]
So, I would say that to stop the bad actors. I would not use the term hackers because often people say that hacking is a crime and obviously hacking is not a crime. I would say the bad actors or the bad people who might know your password, who might have guessed your password have already said, you are using a weak password or something like that. For any reason you are not using a strong password. So, two-factor authentication is a kind of a protection layer which will help you to be secure even if the first factor, like your password or your pin, is breached or the attacker is able to brute force it or guess it.
So, it's really essential to implement the two-factor authentication because it will kind of reduce the attacks to a very great extent. If the two-factor authentication is implemented correctly and this is one of the base factors that we are going to talk about today. Why two-factor authentication is just not necessary if it's not properly implemented, it can be insecure and it can be as bizarre as the single factor authentication is.
Jon Helmus: [10:39]
So, it's important because it literally is a second step to keep people out of your stuff. And maybe this would be an interesting way to ask about your experience without giving/divulging any proprietary information. But, in your time as a pentester, what are some of the potential damages and attack vectors that you see?
Harsh Bothra: [11:10]
There have been a lot of attack vectors because - the first and foremost thing is the mindset. Whenever you see that the application allows you to put a second factor authentication, the first and foremost thing is that people tend to use the weak password. This is where things go wrong. So, you are trusting the second factor authentication without being sure about the first factor. So, let's assume your first factor is now compromised and the attacker is checking your second factor and by any means possible the second factor is also not properly implemented, and it can be bypassed. You are still not paying attention to the first factor. So, the first thing is the mindset which people usually don't care about. So, this don't care mentality, something is the biggest attack vector for the attackers and bad actors, threat actors across the globe that they use this kind of mentality of the people that if we are using 2FA, if we are using OTP based authentication or some kind of authentication, we are totally secure. So, this is not the case. This is not always true.
Two-factor authentication can be bypassed. During my pentesting experience, I have seen around five to seven techniques myself to bypass into various two-factor authentication implementations. Some applications implement their own authentication. Some use some third parties like Authy or some other sort of implementation.
But again, how you implement things to your code really matters. How you integrate things to your code really matters. Even if you miss a single piece, single validation at any particular point, your application is not secure at all.
Jon Helmus: [12:41]
Yeah, I think I know in my own days of pentesting, I've seen it to where you can capture the OTP, the one-time password,which is the second factor that's that token that you get something and I guess that's technically something that you have because you're given it. So, there's the second factor and I've seen it where you can just enter in arbitrary numbers sometimes into the fields because they don't validate and don't do any kind of checking on it.
Harsh Bothra: [13:11]
Yeah. Sometimes you do the response manipulation like the application will check if the OTP is true, the value of OTP you fill successful is true, you will get access to the application. Even sometimes I have seen attack vectors like you are now at the OTP or the 2FA page and you are now just forcefully navigating to say for example, my account page and push the two-factor authentication or bypass. You are no longer at the 2FA page, just because the application is not checking the access controls, or the authentication checks properly. So, there are a lot of factors around 2FA. 2FA according to me is a very big attack surface in itself because it is prone to a lot of attacks.
Jon Helmus: [13:52]
Yeah, I think the big reason too why it's a big attack vector right now, too, as you mentioned, or it's a big space, like you said, everybody's being told to use it and you're right. So, everyone should use it, but I think because everyone's trying to use it, what happens when everyone is trying to do something that means everyone is also trying to develop a solution for it so that people will use their solution and a lot of times those solutions are developed quickly rather than securely.
So, you'll see a third party company say, okay, well we built this solution in six months when it should have taken us a year, but you should use it so that we can have funding to finish it up for the rest of the year and before you know it, that 2FA solution is essentially - you're just kind of putting insecure product into your secure pipeline and it can create a bunch of –
Harsh Bothra: [14:47]
A lot of companies do that. A lot of companies when they go for funding or something like that, they want to show that their product is completely a proprietary thing. So, even they use their own 2FA implementation, they will use Google's or Facebook's code library for sending the OTPs and sometimes companies - even four-digit OTP which is really an insecure vector to use a four-digit OTP if you are not implementing correct practices, like rate limiting and stuff like that.
So yeah, it's more of a race these days to build a software, launch something into the market and the people are not following secure software development lifecycle. Security will be when we will be bridged. They are keeping security for that time.
Jon Helmus: [15:30]
Just for the listeners, in your own opinion, why is four-digit OTPs bad and what would be a good solution outside of a four-digit OTP?
Harsh Bothra: [15:42]
So, let's say when we talk about four-digit OTP, the number of combinations that an attacker wants to try is between 000 to 9999. So, the number of brute force attempts an attacker wants to make is really less. Now, let's assume that the application is somehow vulnerable to brute force or no rate limiting attacks where an attacker can basically go about sending N number of requests to that particular OTP verification parameter. Now, there is a high chance that within five minutes, within five minutes maximum depending upon their computational complexities and computational power, it can be like less than one minute to crack your OTP. Now, the best practice is to use at least six-digit OTP and that too I suggest not only use digits, use the alphanumeric characters so that it becomes more complex to basically bypass those kinds of restrictions.
Jon Helmus: [16:33]
So, four digits is too short because of the amount of brute force attempts that it takes. While it is a lot of attempts, when you put computing power against it, it's really not that long versus six. It's just those two digits that can add some extra depth to the amount of time it would take. I mean, you can do six, eight - I think eight - I haven't seen a place that uses eight yet but that's not saying it's not going to happen because passwords have had to evolve over the past five years, it's been to where like now you have to use phrases and non-dictionary words and things like that. It's interesting how all this stuff can change itself together and at the end of the day if you're implementing these secure air quotes kind of solutions but they're not secure, it's just like security through obscurity kind of things so that companies can essentially make a buck. They just want to make some money.
So, with all these techniques that we're talking about, I think from pentester to pentester, you and me, when you're in the weeds and you're sitting there testing things, you can get really lost in the terminal or on the screen and you kind of lose focus on the bigger picture and you have done something amazing where you created a 2FA bypass technique MindMap that illustrates the attack paths that pentesters can take in order to bypass 2FA. So, I'd love for you to talk a moment about that. Why did you create it? What did you have in mind when you created it? And then also for any of the pentesters listening, where can they find it?
Harsh Bothra: [18:30]
So, the first and foremost reason when I started this Learn365 day challenge, the first topic that I picked up was this two-factor authentication bypass because you will see two-factor authentication almost at every newly developed application these days whether you are doing bug bounties or pentesting. So, it's really a nice attack vector to look around that. You can create an impactful bug.
Now, when I started posting it on Twitter, the thread was really long. It took around 20 to 25 tweets to just totally put up the things. So, the idea was to collaborate every piece of information into a single thing. Then I started to learn about which service I can use or what is the option to create a MindMap. Now, I can utilize this particular MindMap to go and see, okay, here you have exhausted five methods to perform 2FA bypass, still there are five more left that were right.
But usually, if you are not having something in-front-of-your-desk code or if you are not having something in just top of the head, something is not easy to access for you at the moment, you might get lost as you mentioned between doing a lot of things. Because as a pentester sometimes the time is a constraint. You have to be time-bounded to make sure that you cover each and every test case on that application. Having a MindMap will allow you to focusly work on a particular test case, say bypass techniques so you know that okay, I have tried almost ten techniques. These are most of the techniques which one can try and if you are finding something new, let's say the 11th technique which you can go and add for the next vector.
And the second reason was that the community collaborates and adds their experience as well. So, when some good chunk of people sees that hey somebody just posted something really interesting to help out the people and I know that there is one more vector which is missing, I can go and add. Some people even suggested to add, and we added some more attack vectors to it. Now, we have a good collection of attack vectors or kind of testing methodology that we can perform on two-factor authentications.
So, this was the main goal. There are multiple places you can right now go and find out. You can go to MindMeister and search for this 2FA bypass techniques. You can go to Cobalt's blog. We have a dedicated blog explaining most of the important techniques and how - not only just see what are the ways, but you can also look and see how we bypass. Jon Helmus: [21:02]
Yeah, absolutely. For the listeners listening you can go to Cobalt's Blog and it's over there.
And then, I love how you said you added it out or you put it out so that not only to give back but also you understood that you might have missed something. So, you put it out so that the community can add to it and I think that's amazing because a lot of times even when people put their tools out there, they don't want anybody to add to it. They want it to be theirs. And so, when you're allowing the community to build it out and create this - essentially a roadmap that you can use to test 2FA with because we want to make sure that we're challenging every single control, every single asset, whatever it is that we're doing during a pentest and we want to make sure that we have essentially like a checklist which is this is what it's kind of acting as. It's a checklist with a map of what we need to do at every certain point. As a web app pentester, when we're doing web app pentesting we use the OWASP Top Ten. We use that as kind of like a checklist of what we have to go down and then we can use MindMaps such as the one that you created to help us dig more into the weeds of each bullet point in the top ten. So, it's amazing. That's amazing.
So, with that, what are some of the tips that you would highlight that can prevent and remediate any of these kinds of issues that pentesters such as you and I would exploit during a pentest when targeting 2FA?
Harsh Bothra: [22:47]
So, the first solution is to make sure that the validations are properly checked. If I'm manipulating the response to change the form field or something like that, I am just providing any OTP or something like that. So, most of the attacks in this web application pentest domain, not only this 2FA, can be mitigated if you are implementing the proper validation checks if you are sanitizing the input or validating everything at the proper places.
Secondly, if you are implementing access controls and authorization checks in place so one cannot bypass. Say you are on the 2FA screen and you are directly hitting say my account page or you are bypassing based on reference check so you can mitigate against those issues.
Thirdly, implement a more obscure and more complex OTP or 2FA method like you're using six to eight digits of OTP with alphanumerics or using some special character within it. So, adding more complexity will reduce chances to get it cracked and will require an attacker to basically add more computational power to it.
Then make sure that the functionalities like OTP pin and things like that or any kind of 2FA are secured with proper brute forcing protection and proper rate limiting checks. And if you have all these things in place, most of your infrastructure is secure but still pentesters are really crazy to dig around for new ideas so I hope that these things will be secure but there might be some other bypasses that you should keep on looking for. Even I suggest that the blue teamers or the developers should be also engaging with the infosec community to see how we people are going about bypassing the mitigations that they are putting. So, I feel like the hackers mostly sneak peek into the developer community to see how they are putting some mitigations in but at the same time developers might not be doing the same to see how we are bypassing those mitigations.
So, if you two will collaborate together then the software's industry and this infosec industry is going to have to be next level.
Jon Helmus: [24:50]
I love how you say hackers sneak into the development pipelines or into where the devs are. You can see what they're doing, very hacker-esque. Not to be confused, hacking's still not a crime as Harsh mentioned. There's a difference between cybercriminal activity and being a hacker. If you're a hacker and you're working for an internal company and you go to see what your dev department is doing, that's not anything illegal. So, that's just part of what you're supposed to do. You're supposed to challenge everything within the organization. I love that and I think that's one of the awesome things that a lot of pentesting services, especially at Cobalt, are doing is where we're putting that offensive security mindset or that challenging hacker mindset even at the developer level where we're working with developers in a CI/CD pipeline or a dev-ops pipeline.
It's not about putting the offensive security mindset in the pipeline but about putting that challenging, like 'hey, let's see what we don't know' kind of mindset and explore that.
Harsh Bothra: [25:59]
Yeah, that's true. Even when I work at the various projects at Cobalt, even my current projects, we get a chance to interact with their dev-ops team or their engineering team which gives us more insight into how sometimes we can explore a particular scenario. So, it's more of a collaborative approach when devs and the security team are collaborating together. It's like less painful for both of the parties. Otherwise, if both parties will work in a different manner, it will be a pain somewhere. There will be a big gap between understanding the security issues and things like that. So, this is really one of the best things that I feel while working at the Cobalt. The kind of collaboration that we have is the key to everything.
Jon Helmus: [26:43]
100%, man. Well, we're starting to come to a wrap here, so to kind of conclude everything, we've talked a lot about a lot of different things around two-factor authentication, especially sharing some of your research, some of your examples that you've come across in your real world at pentesting career. But if you had to conclude it all, what are the main takeaways that you would want to advise everyone from everything that we've talked about?
Harsh Bothra: [27:16]
So, the first and foremost thing is never stop tinkering around the things because you don't know that when you are going to find a bypass for something because usually people make a mindset that hey there are ten methods, now there cannot be an 11th method. But there would not be any 11th method unless you will go and try to find it. So, just keep on digging around things, keep on looking at the things, be active in learning something new at least give half an hour to one hour daily to - you can see that it will make a difference out of everything.
Specifically talking about 2FA bypass, make sure that next time when you sit for a pentest or a bug mounted target, you use the MindMap or the blog, read the blog and maybe it will help you out to reach some good security issue for you or your customer or something like that.
Ultimately, make sure that whenever you are writing a report for 2fa or anything specifically, just make sure that the remediation that you are providing are specific to that scenario because that's really important aspect specifically in pentest that we do not provide generic remediation whether we tend to provide remediation which suits the particular scenario of the issue.
Jon Helmus: [28:27]
Awesome. Yeah, I wrote down, keep calm and tinker on, and stay curious and make sure that when you're in your pentest engagements and you're sitting there, having to go through the list of things that you need to check off, make sure that you cover the whole basis because you might miss something. As pentesters sometimes we get lost in the weeds and we forget that hey, we have a job to do, and we got to check everything right.
Harsh Bothra: [29:01]
You got to check everything in a very time-bound manner. So yeah, having checklists handy and having a list of sets of things that you already know is really fruitful.
Jon Helmus: [29:09]
Yeah, time boundaries. That's a big thing for any of the pentesters or one of the aspiring cyber pentesting enthusiasts is that cybercriminals have an unlimited amount of time. We don't. So we have to make sure that we spend our time - we are very cognitive about the time that we have to use on an engagement and that we also make sure that we make the best use of it. So, thanks again, Harsh, for being on the show. For everyone that wants to reach out to Harsh, we'll make sure that all of his information is put in the show notes and that you can see his blog out on the Cobalt blog. Again, we'll make sure that all that stuff is in the show notes and thanks again everyone for listening this week and we'll catch you on the next one.
Harsh Bothra: [29:59]
Thank you everyone.