[Hack The Box] - No-Threshold web challenge.
Yet another realistic scenario showing a problem with a custom MFA implementation. But if you are familiar with the scenarios in the PortSwigger Academy topic “Vulnerabilities in multi-factor authentication” and read the given code carefully, the exploitation won’t take much time. A good exercise for web application pentesters and application security engineers.
To avoid an issue like the one in this task in your own application, make sure your MFA implementation ties each sign-in attempt to a server-side session, and that each session allows only a limited number of attempts to enter the correct MFA code before a temporary account lockout, with the options of waiting out the timer or resetting MFA. CAPTCHA is a welcome addition as well.
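As an added example (my own sketch, not the challenge's code), here is the pattern above in Python: the attempt counter lives in a server-side pending-challenge record keyed by a random session token, and the lockout is recorded per account so that starting a new login does not reset it. The threshold, lockout duration and the 6-digit code format are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # wrong codes tolerated per pending challenge (assumed value)
LOCKOUT_SECONDS = 300   # account-level lockout once the threshold is hit (assumed value)


@dataclass
class PendingMfa:
    user: str
    expected_code: str  # assumption: the 6-digit code already issued to the user
    attempts: int = 0


class MfaVerifier:
    def __init__(self):
        self.pending = {}       # session token -> PendingMfa (server-side only)
        self.locked_until = {}  # user -> unix time at which the lockout ends

    def start_challenge(self, user, expected_code, now=None):
        """Issue a fresh MFA challenge; refused while the account is locked."""
        now = time.time() if now is None else now
        if now < self.locked_until.get(user, 0):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, never derived from client input
        self.pending[token] = PendingMfa(user, expected_code)
        return token

    def verify(self, token, code, now=None):
        """Check one code against the pending challenge bound to this token."""
        now = time.time() if now is None else now
        s = self.pending.get(token)
        if s is None:
            return "invalid_session"
        if now < self.locked_until.get(s.user, 0):
            self.pending.pop(token, None)
            return "locked"
        s.attempts += 1  # counted before comparison, so a wrong guess always costs an attempt
        if hmac.compare_digest(s.expected_code.encode(), code.encode()):
            del self.pending[token]  # a challenge is single-use
            return "ok"
        if s.attempts >= MAX_ATTEMPTS:
            self.locked_until[s.user] = now + LOCKOUT_SECONDS
            del self.pending[token]  # discard the challenge; a new one needs a fresh login
            return "locked"
        return "wrong_code"
```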
Also, let’s cite PortSwigger’s recommendation:
“Ideally, 2FA should be implemented using a dedicated device or app that generates the verification code directly. As they are purpose-built to provide security, these are typically more secure.”
Be cool, l33t, and responsible for your applications.
Thanks to Hack The Box for the materials and hosting.
This page might be updated with a write-up in the future. No guarantees ;)
References:
- PortSwigger MFA vulnerabilities materials
- PortSwigger, securing authentication
- OWASP, General cheat sheet about MFA
#htb #hackthebox #appsec #whitebox #codereview #hacking #mfa #webpentesting #challenge #cybersecurity #ethicalhacking