From 59d03bb7f2a4809a39402b78b9aca10c144114a4 Mon Sep 17 00:00:00 2001 From: SCPlayz7000 <98760370+HAK3R4LIFE@users.noreply.github.com> Date: Sun, 1 Feb 2026 14:32:56 -0600 Subject: [PATCH 1/2] Improve clarity in 2FA bypass documentation Corrected grammar and phrasing in the 2FA bypass documentation for clarity. --- Account Takeover/mfa-bypass.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Account Takeover/mfa-bypass.md b/Account Takeover/mfa-bypass.md index 27cc2d1757..fb6fa97354 100644 --- a/Account Takeover/mfa-bypass.md +++ b/Account Takeover/mfa-bypass.md @@ -25,17 +25,17 @@ ### Response Manipulation -In response if `"success":false` +If response is `"success":false` Change it to `"success":true` ### Status Code Manipulation If Status Code is **4xx** -Try to change it to **200 OK** and see if it bypass restrictions +Try changing it to **200 OK** and see if it bypass restrictions ### 2FA Code Leakage in Response -Check the response of the 2FA Code Triggering Request to see if the code is leaked. +Check the response of the 2FA Code Triggering Request for leaked code. ### JS File Analysis @@ -51,7 +51,7 @@ Possible to brute-force any length 2FA Code ### Missing 2FA Code Integrity Validation -Code for any user acc can be used to bypass the 2FA +Code for any user account can be used to bypass the 2FA ### CSRF on 2FA Disabling @@ -64,7 +64,7 @@ No CSRF Protection on disabling 2FA, also there is no auth confirmation ### Backup Code Abuse Bypassing 2FA by abusing the Backup code feature -Use the above mentioned techniques to bypass Backup Code to remove/reset 2FA restrictions +Use the above-mentioned techniques to bypass the Backup Code to remove/reset 2FA restrictions ### Clickjacking on 2FA Disabling Page @@ -72,11 +72,11 @@ Iframing the 2FA Disabling page and social engineering victim to disable the 2FA ### Enabling 2FA doesn't expire Previously active Sessions -If the session is already hijacked and there is a session timeout vuln +If the session is already hijacked and there is a session timeout vulnerability ### Bypass 2FA by Force Browsing -If the application redirects to `/my-account` url upon login while 2Fa is disabled, try replacing `/2fa/verify` with `/my-account` while 2FA is enabled to bypass verification. +If the application redirects to `/my-account` url upon login while 2FA is disabled, try replacing `/2fa/verify` with `/my-account` while 2FA is enabled to bypass verification. ### Bypass 2FA with null or 000000 From cc6d580ceff62a517d1446620e7e6971885b58ec Mon Sep 17 00:00:00 2001 From: ocnu <76622002+ocnu@users.noreply.github.com> Date: Sun, 1 Feb 2026 23:51:39 -0600 Subject: [PATCH 2/2] docs: fix typo in README Corrected the spelling of commiting to committing for better readability. --- API Key Leaks/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index 71101bd827..b14e56372c 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md @@ -88,7 +88,7 @@ Use [streaak/keyhacks](https://github.com/streaak/keyhacks) or read the document ## Reducing The Attack Surface -Check the existence of a private key or AWS credentials before commiting your changes in a GitHub repository. +Check the existence of a private key or AWS credentials before committing your changes in a GitHub repository. Add these lines to your `.pre-commit-config.yaml` file.