2FA Bypass via response manipulation (Authentication bypass)
PoC:
1 - Create an account and activate 2FA
2 - Perform a valid login using correct credentials, then save the captured successful login response
3 - Log out of the account and delete the browsing cache, or open another browser to try
4 - Open the new browser and attempt to log in with incorrect credentials
5 - Intercept the failed login response
6 - Replace the failed login response with the previously captured successful login response
7 - Forward the modified response to the browser
8 - Observe that the application behaves as if the user is authenticated
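
The steps above only work when the login response seen by the browser decides the authenticated state. The following is an added example, not part of the original report, of a server that keeps that decision in its own session store so a replayed response grants nothing; the account, function names and in-memory store are assumptions made for illustration:

```python
import hmac
import secrets

# Constructed sample account (assumption). Real code stores a password hash
# and derives the one-time code (e.g. TOTP) instead of fixed strings.
USERS = {"alice": {"password": "correct-horse", "otp": "123456"}}
SESSIONS = {}  # session id -> {"user", "mfa_ok"}; lives on the server only

def login(user, password):
    """Step 1 (password). Returns (response body, session id or None)."""
    acct = USERS.get(user)
    if acct is None or not hmac.compare_digest(acct["password"], password):
        return {"success": False}, None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "mfa_ok": False}
    return {"success": True, "next": "2fa"}, sid

def verify_otp(sid, code):
    """Step 2 (2FA). The result is recorded in the server-side session."""
    sess = SESSIONS.get(sid)
    ok = sess is not None and hmac.compare_digest(
        USERS[sess["user"]]["otp"], code)
    if ok:
        sess["mfa_ok"] = True
    return {"success": ok}

def logout(sid):
    SESSIONS.pop(sid, None)  # invalidate on the server, not just in the browser

def get_profile(sid):
    """Protected endpoint: trusts server state, never what the client was shown."""
    sess = SESSIONS.get(sid)
    if sess is None or not sess["mfa_ok"]:
        return 401, None
    return 200, {"user": sess["user"]}

def replay_scenario():
    """Replays the report's steps against this server; returns the two statuses."""
    _, sid = login("alice", "correct-horse")
    verify_otp(sid, "123456")
    captured_sid = sid                      # saved with the successful response
    logout(sid)
    _, failed_sid = login("alice", "wrong-password")   # failed login, no session
    # The browser is shown the old "success" response, but every later request
    # is still judged by the server: old session is gone, new one never existed.
    return get_profile(captured_sid)[0], get_profile(failed_sid)[0]

if __name__ == "__main__":
    print(replay_scenario())
```

Both requests in replay_scenario return 401, and a session that has passed only the password step is also refused until verify_otp succeeds.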