https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-simple-bypass
This lab’s two-factor authentication can be bypassed. You have already obtained a valid username and password, but do not have access to the user’s 2FA verification code. To solve the lab, access Carlos’s account page.
- Your credentials: `wiener:peter`
- Victim’s credentials: `carlos:montoya`
Lab: 2FA simple bypass
- First, log in with your own credentials.
- Then click `Email Client` and enter the OTP.
- Now log out and log in with the victim’s credentials.
- Now replace `/login2` with `/my-account` and solve the lab.
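
The last step works when the account page only checks that the password step succeeded. The sketch below is an added example, not the lab's code or part of the original write-up: it models that flawed check beside a corrected one. The function names, the session layout and the OTP values are hypothetical or constructed.

```python
# Added example: framework-free model of a two-step login. All names are hypothetical.
import hmac

USERS = {"wiener": "peter", "carlos": "montoya"}   # lab credentials from the page
OTPS = {"wiener": "1111", "carlos": "2222"}        # constructed sample codes


def login_password(session, username, password):
    """Step 1 (/login): check the password, then send the user to /login2."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return 401, "/login"
    session.clear()
    session["user"] = username          # identity is known ...
    session["mfa_verified"] = False     # ... but the second factor is not done yet
    return 302, "/login2"


def verify_otp(session, code):
    """Step 2 (/login2): mark the session fully authenticated only on a valid code."""
    user = session.get("user")
    if user is None:
        return 302, "/login"
    if not hmac.compare_digest(OTPS[user], code):
        return 401, "/login2"
    session["mfa_verified"] = True
    return 302, "/my-account"


def my_account_vulnerable(session):
    """Flawed check: any session that passed step 1 is treated as logged in."""
    if "user" not in session:
        return 302, "/login"
    return 200, f"account page for {session['user']}"


def my_account_hardened(session):
    """Corrected check: require the second factor before serving the page."""
    if "user" not in session:
        return 302, "/login"
    if not session.get("mfa_verified"):
        return 302, "/login2"
    return 200, f"account page for {session['user']}"
```

Every route behind the login needs the same `mfa_verified` check, so in a real application it belongs in shared middleware rather than in each handler.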