Lab: Bypassing two-factor authentication 绕过双重身份验证
At times, the implementation of two-factor authentication is flawed to the point where it can be bypassed entirely.
有时,双因素身份验证的实施存在缺陷,以至于可以完全绕过它。
If the user is first prompted to enter a password, and then prompted to enter a verification code on a separate page, the user is effectively in a “logged in” state before they have entered the verification code. In this case, it is worth testing to see if you can directly skip to “logged-in only” pages after completing the first authentication step. Occasionally, you will find that a website doesn’t actually check whether or not you completed the second step before loading the page.
如果系统首先提示用户输入密码,然后在单独的页面上提示用户输入验证码,则用户在输入验证码之前实际上处于“已登录”状态。在这种情况下,值得测试一下,看看是否可以在完成第一个身份验证步骤后直接跳到 “logged-in only” 页面。有时,您会发现网站实际上并没有在加载页面之前检查您是否完成了第二步。
最低0.47元/天 解锁文章
扫一扫
1428
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
