Authentication Flaws: Multi Level Login 1

A Multi Level (Factor) Login should provide strong authentication. Please note that TAN stands for Transaction Authentication Number: a one-time-use code, mostly used by banks.

Goal: 

Try to log in with Jane's username and password (Jane/tarzan), together with the already used TAN code #1, 15648.

Method: 

Use Burp Suite's intercept feature to modify the request and gain access.

Step by step Guide - Stage 1 

1. Log in normally as Jane with the password tarzan.

2. When asked for the TAN#, enter TAN#1 as instructed.

Step by step Guide - Stage 2

1. Log in with user/password Jane/tarzan; once asked for the TAN code, start Burp Suite's intercept.

2. Forward the web request until you see the Hidden_user line, then replace tan2 with tan1 and the TAN#1 code (15648):

Hidden_user=Jane&tan1=15648&Submit=Submit
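The reason the replay works is that the server reads the TAN slot number from the client-supplied parameter name (tan1, tan2, ...) and never records that a TAN has already been consumed. The following Python example, added here and not code from the page or from WebGoat, contrasts a verifier with that flaw against a hardened one that keeps the expected TAN index in the server-side session, ignores the parameter name, and marks each TAN as single-use. The form field names come from the request shown above; the TAN values other than 15648 are constructed placeholders for this example.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

# Constructed sample data: TAN #1 is the lab's 15648, the rest are placeholders.
TAN_LISTS = {
    "Jane": ["15648", "92157", "46002", "33715"],
}


@dataclass
class Session:
    """Server-side session state; the client never gets to choose these values."""
    user: str
    next_tan_index: int = 0                       # 0-based index of the TAN expected next
    used_tans: set = field(default_factory=set)   # TANs already consumed by this session


def parse_form_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body such as
    'Hidden_user=Jane&tan1=15648&Submit=Submit' into a dict."""
    return dict(parse_qsl(body, keep_blank_values=True))


def verify_tan_vulnerable(session: Session, body: str) -> bool:
    """Mirrors the flaw exercised in the lab: whichever tanN field the client sends
    decides which TAN is checked, and nothing records that a TAN was used.
    The session argument is unused on purpose; that is the bug."""
    form = parse_form_body(body)
    tans = TAN_LISTS.get(form.get("Hidden_user"), [])
    for key, value in form.items():
        if key.startswith("tan") and key[3:].isdigit():
            idx = int(key[3:]) - 1               # trusting the client-chosen slot number
            return 0 <= idx < len(tans) and tans[idx] == value
    return False


def verify_tan_hardened(session: Session, body: str) -> bool:
    """Hardened check: the expected slot comes from the session, the parameter name
    is ignored, comparison is constant-time, each TAN is single-use, and the
    pointer only advances on success."""
    form = parse_form_body(body)
    if form.get("Hidden_user") != session.user:   # user must match the authenticated session
        return False
    tans = TAN_LISTS.get(session.user, [])
    idx = session.next_tan_index
    if idx >= len(tans):                          # TAN list exhausted: issue a new one out of band
        return False
    # Take the submitted value from any tan* field but never the slot number from its name.
    submitted = next((v for k, v in form.items() if k.startswith("tan")), None)
    expected = tans[idx]
    if submitted is None or submitted in session.used_tans:
        return False
    if not hmac.compare_digest(submitted, expected):
        return False
    session.used_tans.add(expected)
    session.next_tan_index += 1
    return True


def replay_demo() -> tuple:
    """Jane authenticates once with TAN #1, then the same request is replayed as in the
    lab. Returns (vulnerable_accepts_replay, hardened_accepts_replay)."""
    first = "Hidden_user=Jane&tan1=15648&Submit=Submit"
    replay = "Hidden_user=Jane&tan1=15648&Submit=Submit"
    s_vuln, s_hard = Session("Jane"), Session("Jane")
    verify_tan_vulnerable(s_vuln, first)
    verify_tan_hardened(s_hard, first)
    return verify_tan_vulnerable(s_vuln, replay), verify_tan_hardened(s_hard, replay)


if __name__ == "__main__":
    print("vulnerable accepts replay, hardened accepts replay:", replay_demo())  # (True, False)
```

In the hardened version the tan1/tan2 name in the request carries no meaning at all, so renaming the field in Burp changes nothing; the only way to pass the second prompt is to supply the TAN the server is actually expecting, and once used it cannot be submitted again within the session.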
