PlayerTwo

@vrls said:
2FA is pretty obscure now… I will assume that since there is no limit, it is possible to run a brute-force… although it has a time frame

Don't brute-force the 2FA.

If the 2FA mechanism is properly implemented it wouldn't be possible; however, I'm getting a “constant” page on 2FA, which made me believe the validity of tokens wasn't properly configured.

EDIT: never mind, I just reached /a**/***p right now, not sure if this is the correct approach though
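The exchange above turns on why a 6-digit TOTP is or is not brute-forceable: the code space is only 10^6, a verifier that accepts a window of neighbouring time steps multiplies the number of codes valid at once, and without a failure limit an attacker can spend the whole 30-second step guessing. The following is an added example (not code from the box or from the posters) in Python: an RFC 6238 TOTP implementation, a verifier that accepts a +/-1 step window and locks the account after a few failures, and a function giving the success probability of an unlimited guess burst. The key is the RFC 4226/6238 test-vector key, used here only so the outputs can be checked; the user name and lockout values are arbitrary.

```python
import hashlib
import hmac
import struct

# Constructed demo key (the RFC 4226/6238 test-vector key), not a real credential.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (30 s by default)."""
    return hotp(secret, int(now // step), digits)


class TotpVerifier:
    """Accepts codes within +/- `window` steps of the current one (clock drift
    tolerance) and locks a user after `max_attempts` failed codes for `lockout`
    seconds. The lockout, not the code length, is what defeats brute force."""

    def __init__(self, secret, window=1, max_attempts=5, lockout=300, step=30, digits=6):
        self.secret = secret
        self.window = window
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.step = step
        self.digits = digits
        self.failures = {}  # user -> (failure count, time of first failure in series)

    def verify(self, user: str, code: str, now: float) -> str:
        count, since = self.failures.get(user, (0, now))
        if count >= self.max_attempts:
            if now - since < self.lockout:
                return "locked"
            count, since = 0, now  # lockout expired: start a fresh series
        current = int(now // self.step)
        for delta in range(-self.window, self.window + 1):
            expected = hotp(self.secret, current + delta, self.digits)
            # constant-time compare; bytes so a non-ASCII submission cannot raise
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.failures.pop(user, None)
                return "ok"
        self.failures[user] = (count + 1, since)
        return "invalid"


def brute_force_success(guesses: int, digits: int = 6, window: int = 1) -> float:
    """Probability that `guesses` distinct codes, all sent within one step with no
    rate limit, hit one of the 2*window+1 codes the verifier accepts at once."""
    space = 10 ** digits
    valid = 2 * window + 1
    if guesses > space - valid:
        return 1.0  # more guesses than there are wrong codes
    p_miss = 1.0
    for i in range(guesses):
        p_miss *= (space - valid - i) / (space - i)
    return 1.0 - p_miss
```

The probability function is the practitioner's sanity check on the "there is no limit" observation: with a window of one step either side, each guess has three chances in a million, so the attack is only realistic if the endpoint lets you send tens of thousands of requests per step, which is exactly what the lockout in `TotpVerifier` prevents.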

Reached the same location too, but stuck with getting ‘invalid action’ or server errors… is this a rabbit hole?

EDIT: D'oh! Finding the missing param was so obvious that I ignored trying it early on. Goes to show that you should enumerate all possibilities and not assume anything (;

So you need an “action” and some parameters? I really don’t understand how to validate the format of the request is correct. Seems I can supply any value for action. What’s the best way to approach this, other than being psychic?

SAME ISSUE HERE. I fuzzed like 8K words, plus all the ones like backup, SMS, OTP, TOTP, blah blah blah. I know I will feel stupid once I get past it, but I have searched on actions for TOTP to no avail.
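The last three posts describe the standard two-stage enumeration: fuzz the value of the known parameter, then fuzz for additional parameter names, each time watching for any response that differs from the baseline rather than only for a 200. The following is an added example (not code from the box or the posters) in Python of that differential fuzzing loop against a constructed in-process mock endpoint; the mock's behaviour (a hypothetical `reset` action that needs a hypothetical `token` parameter) is invented for the demo and says nothing about the real target. The wordlists are likewise constructed.

```python
import hashlib


def mock_endpoint(params: dict) -> tuple:
    """Constructed stand-in for the web handler; returns (status, body).
    Hypothetical behaviour chosen for the demo, not the real application."""
    action = params.get("action")
    if action is None:
        return 400, "missing action"
    if action != "reset":          # hypothetical: only one action exists
        return 400, "invalid action"
    if "token" not in params:      # hypothetical: the action needs a second param
        return 500, "internal server error"
    return 200, "ok"


def signature(response) -> tuple:
    """Bucket a response by status, length and body hash, so both 'different
    text, same length' and 'same text, different length' stand out."""
    status, body = response
    return status, len(body), hashlib.sha256(body.encode()).hexdigest()[:8]


def diff_fuzz(send, base: dict, mutate, candidates) -> dict:
    """Send `base` once for a baseline, then one request per candidate built by
    `mutate(candidate)`; return the candidates whose bucket differs."""
    baseline = signature(send(base))
    hits = {}
    for cand in candidates:
        sig = signature(send(mutate(cand)))
        if sig != baseline:
            hits[cand] = sig
    return hits


# Constructed wordlists, deliberately tiny.
ACTION_WORDS = ["backup", "sms", "otp", "totp", "reset", "verify"]
PARAM_WORDS = ["id", "code", "token", "email"]


def run_demo(send=mock_endpoint):
    # Stage 1: the action value. Baseline is a junk action, so the 'invalid
    # action' page is the noise we want to ignore, not the signal.
    actions = diff_fuzz(send, {"action": "x"}, lambda c: {"action": c}, ACTION_WORDS)
    # Stage 2: keep every hit from stage 1 and fuzz for a missing parameter name.
    # The server error is now the baseline; any change means the name mattered.
    params = {}
    for action in actions:
        params[action] = diff_fuzz(
            send,
            {"action": action},
            lambda c, a=action: {"action": a, c: "1"},
            PARAM_WORDS,
        )
    return actions, params


if __name__ == "__main__":
    print(run_demo())
```

Two practical caveats that the mock hides: real responses often carry timestamps or tokens, so hash a normalised body (strip nonces and dates) or the buckets will never match; and a 500 that differs from the baseline is a hit too, which is why the loop compares buckets instead of filtering on status codes.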