Merged
2 changes: 1 addition & 1 deletion API Key Leaks/README.md
Expand Up @@ -88,7 +88,7 @@ Use [streaak/keyhacks](https://github.com/streaak/keyhacks) or read the document

## Reducing The Attack Surface

Check the existence of a private key or AWS credentials before commiting your changes in a GitHub repository.
Check the existence of a private key or AWS credentials before committing your changes in a GitHub repository.

Add these lines to your `.pre-commit-config.yaml` file.
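
Review bot: In the changed sentence under "Reducing The Attack Surface", the spelling fix is correct but "Check the existence of a private key or AWS credentials" still reads awkwardly. Suggest "Check for private keys or AWS credentials before committing your changes to a GitHub repository", which also replaces "in a GitHub repository" with "to", since the check happens before the commit reaches the repository.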

14 changes: 7 additions & 7 deletions Account Takeover/mfa-bypass.md
Expand Up @@ -25,17 +25,17 @@

### Response Manipulation

In response if `"success":false`
If response is `"success":false`
Change it to `"success":true`

### Status Code Manipulation

If Status Code is **4xx**
Try to change it to **200 OK** and see if it bypass restrictions
Try changing it to **200 OK** and see if it bypass restrictions

### 2FA Code Leakage in Response

Check the response of the 2FA Code Triggering Request to see if the code is leaked.
Check the response of the 2FA Code Triggering Request for leaked code.

### JS File Analysis
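
Review bot: Under "2FA Code Leakage in Response", the new wording "for leaked code" drops the reference to the 2FA code and can be read as leaked source code. Suggest keeping the original sentence or using "to see if the 2FA code is leaked". In the same hunk, the "Status Code Manipulation" line still says "see if it bypass restrictions" after the edit ("bypasses"), and "If response is" under "Response Manipulation" is missing an article ("If the response is").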

Expand All @@ -51,7 +51,7 @@ Possible to brute-force any length 2FA Code

### Missing 2FA Code Integrity Validation

Code for any user acc can be used to bypass the 2FA
Code for any user account can be used to bypass the 2FA

### CSRF on 2FA Disabling

Expand All @@ -64,19 +64,19 @@ No CSRF Protection on disabling 2FA, also there is no auth confirmation
### Backup Code Abuse

Bypassing 2FA by abusing the Backup code feature
Use the above mentioned techniques to bypass Backup Code to remove/reset 2FA restrictions
Use the above-mentioned techniques to bypass the Backup Code to remove/reset 2FA restrictions

### Clickjacking on 2FA Disabling Page

Iframing the 2FA Disabling page and social engineering victim to disable the 2FA

### Enabling 2FA doesn't expire Previously active Sessions

If the session is already hijacked and there is a session timeout vuln
If the session is already hijacked and there is a session timeout vulnerability

### Bypass 2FA by Force Browsing

If the application redirects to `/my-account` url upon login while 2Fa is disabled, try replacing `/2fa/verify` with `/my-account` while 2FA is enabled to bypass verification.
If the application redirects to `/my-account` url upon login while 2FA is disabled, try replacing `/2fa/verify` with `/my-account` while 2FA is enabled to bypass verification.

### Bypass 2FA with null or 000000
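
Review bot: Under "Enabling 2FA doesn't expire Previously active Sessions", expanding "vuln" to "vulnerability" still leaves a conditional with no consequence: "If the session is already hijacked and there is a session timeout vulnerability" ends without saying what follows. Suggest completing the sentence or rephrasing it as a statement while this line is being touched. On the "Bypass 2FA by Force Browsing" line, "2Fa" is corrected to "2FA" but "url" on the same line stays lowercase, so "URL" would be consistent.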
