Authentication Flaws: Multi Level Login 2

A Multi Level (Factor) Login should provide strong authentication. Note that TAN stands for Transaction Authentication Number: a one-time code, mostly used by banks, that is valid for a single use.

Goal: 

Break into another user Jane's account. You only know Jane's username; you also have your own login (Joe/banana) to the site.

Method: 

Use Burp Suite to intercept and modify the request, and gain access.

Step-by-step Guide

1. Log in with user/password Joe/banana; once asked for the TAN code, start Burp Suite.

2. Forward the web request until you see:

Hidden_user=Joe&tan2=18794&Submit=Submit


3. Now modify the request and replace Joe with Jane.

4. Stop intercepting; you now have access to Jane's account.
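The lesson works because the server checks the TAN for the user who passed the password stage, but then opens whichever account the client-supplied Hidden_user field names. The following Python model is an added example, not WebGoat's own code: it shows that flawed stage-2 handler beside a hardened one that takes the identity from the server-side session, treats the TAN as one-time, and rejects a Hidden_user that disagrees with the session. Joe/banana and the TAN 18794 come from the lesson; Jane's password and TAN, and all function names, are constructed for this example.

```python
# Added example (not WebGoat's code): a minimal model of the two-stage login.
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed credentials and TAN lists. Joe/banana and TAN 18794 are from the
# lesson; Jane's values are made up for this example.
PASSWORDS: Dict[str, str] = {"Joe": "banana", "Jane": "constructed-secret"}
TANS: Dict[str, Set[str]] = {"Joe": {"18794"}, "Jane": {"40021"}}
USED_TANS: Dict[str, Set[str]] = {"Joe": set(), "Jane": set()}


@dataclass
class Session:
    """Server-side session state; the client cannot write these fields."""
    pending_user: Optional[str] = None  # passed stage 1, waiting for the TAN
    user: Optional[str] = None          # fully authenticated account


def stage1_password(session: Session, username: str, password: str) -> bool:
    """Stage 1: username/password. Records who is waiting for the TAN step."""
    if PASSWORDS.get(username) != password:
        return False
    session.pending_user = username
    return True


def stage2_tan_vulnerable(session: Session, form: Dict[str, str]) -> Optional[str]:
    """Stage 2 as the lesson has it: the TAN is checked against the pending
    user, but the account that gets opened is read from the form field."""
    if session.pending_user is None:
        return None
    if form.get("tan2") not in TANS[session.pending_user]:
        return None
    session.user = form.get("Hidden_user")  # client-controlled: the flaw
    return session.user


def stage2_tan_hardened(session: Session, form: Dict[str, str]) -> Optional[str]:
    """Stage 2 fixed: identity comes from the session, the TAN is one-time,
    and a Hidden_user that disagrees with the session is rejected."""
    user = session.pending_user
    if user is None:
        return None
    tan = form.get("tan2")
    if tan not in TANS[user] or tan in USED_TANS[user]:
        return None
    if "Hidden_user" in form and form["Hidden_user"] != user:
        # Tampering indicator worth logging and alerting on; do not log in.
        return None
    USED_TANS[user].add(tan)   # one-time use, as the text describes TANs
    session.pending_user = None
    session.user = user        # never the form value
    return session.user


def demo():
    """Replays the lesson's modified request against both handlers.
    Returns (account opened by the vulnerable handler, by the hardened one)."""
    tampered = {"Hidden_user": "Jane", "tan2": "18794", "Submit": "Submit"}
    s = Session()
    stage1_password(s, "Joe", "banana")
    vulnerable = stage2_tan_vulnerable(s, tampered)
    h = Session()
    stage1_password(h, "Joe", "banana")
    hardened = stage2_tan_hardened(h, tampered)
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())  # ('Jane', None)
```

The defensive point is that the hidden field should never be an input to the authorization decision at all; the hardened handler only looks at it to detect tampering, which is a useful signal for monitoring.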
