A deliberately vulnerable Two-Factor Authentication (2FA) training lab built with Node.js and Express. This lab helps security researchers, penetration testers, and bug bounty hunters practice 2FA bypass techniques and authentication vulnerabilities.
The application intentionally includes multiple insecure implementations so they can be discovered and exploited during testing.
This project is intentionally vulnerable and created only for educational purposes. Do not deploy this application on the internet or production environments.
Use it only in a local testing environment.
This lab contains multiple common authentication and business-logic vulnerabilities:
- Direct 2FA bypass
- Response manipulation
- Status code manipulation
- Referrer check bypass
- Client-side OTP validation flaw
- IP header bypass (X-Forwarded-For)
- Session permission issues
- OTP reuse
- OTP sharing between accounts
- OTP leakage in response
- OTP brute force (no rate limiting)
- CSRF to disable 2FA
- Arbitrary OTP input bypass
- Node.js
- npm
- Web browser
- Burp Suite (recommended for testing)
Clone or download the project:
git clone https://github.com/strylee/vulnerable-2fa-lab.git
cd vulnerable-2fa-lab
Install dependencies:
npm install express express-session body-parser
Start the server:
node app.js
You should see:
2FA Lab running at http://localhost:3000
Open in browser:
http://localhost:3000
Admin user:
Username: admin
Password: admin123
Victim user:
Username: victim
Password: victim123
Login → OTP Verification → Dashboard
Users must normally complete OTP verification before accessing the dashboard.
However, the application contains multiple flaws allowing bypass of this protection.
- Login using valid credentials.
- Do not enter the OTP.
- Navigate directly to:
http://localhost:3000/dashboard
If successful, the dashboard loads without completing OTP verification.
Using Burp Suite Proxy:
Intercept:
POST /verify-otp
Send incorrect OTP:
otp=111111
Modify the server response before forwarding.
Example change:
OTP incorrect → OTP correct
Intercept response:
HTTP/1.1 401 Unauthorized
Change to:
HTTP/1.1 200 OK
If the front end decides from the status code or body text alone whether to move on to the dashboard, and the server never records the OTP result in the session, editing the response in the proxy is enough to get past the OTP step.
Endpoint:
/secure
Send request with header:
Referer: http://localhost:3000/otp
If the endpoint treats the Referer header as proof that the OTP page was completed, the forged header satisfies the check. Referer is set by the client and proves nothing about what the server has verified.
Open the browser developer tools and inspect client-side JavaScript validation functions such as:
checkOTP()
Anything enforced only in browser JavaScript can be edited, skipped or called with different arguments; the server has to perform its own check.
Endpoint:
/ip-protected
Modify request header:
X-Forwarded-For: 127.0.0.1
Applications that read the client address from X-Forwarded-For and skip OTP for internal addresses can be bypassed, because the header is set by whoever sends the request unless a trusted proxy overwrites it.
Log in with two accounts in different browsers.
Swap session cookies between them (for example, complete OTP as one user, then present that cookie while acting as the other) to test whether the OTP-verified state is bound to the correct account and session.
Use the same OTP multiple times.
If OTP is not invalidated after use, it can be replayed.
Attempt to use an OTP generated for one user to authenticate another account.
Observe login response for exposed OTP values:
Debug OTP: 123456
The OTP must never appear in any response the user can read, including debug output, comments, or hidden fields.
OTP range:
000000 – 999999
Send requests to:
POST /verify-otp
Use Burp Intruder to automate attempts.
If no rate limiting exists, OTP can be brute-forced.
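To make the brute-force number concrete, here is an added example (not the lab's own code) with a mock /verify-otp and a brute-forcer that walks the 000000–999999 range in the same order a Burp Intruder numeric payload would. The names makeOtpServer and bruteForceOtp, the OTP value and the attempt limit are hypothetical.

```javascript
// Mock of the verify endpoint: counts attempts and, when maxAttempts is set,
// locks the OTP after that many failures. Infinity models "no rate limiting".
function makeOtpServer({ otp, maxAttempts = Infinity }) {
  const state = { attempts: 0, locked: false };
  return {
    state,
    verify(candidate) {
      if (state.locked) return 'locked';
      state.attempts += 1;
      if (candidate === otp) return 'ok';
      if (state.attempts >= maxAttempts) state.locked = true;
      return 'otp_incorrect';
    },
  };
}

// Sequential guess from 000000 upward; stops on success or lockout.
function bruteForceOtp(server) {
  for (let i = 0; i < 1000000; i++) {
    const candidate = String(i).padStart(6, '0');
    const result = server.verify(candidate);
    if (result === 'ok') return { otp: candidate, attempts: server.state.attempts };
    if (result === 'locked') return { otp: null, attempts: server.state.attempts };
  }
  return { otp: null, attempts: server.state.attempts };
}

// Without a limit, an OTP of 482913 falls after 482914 requests, which a
// local Intruder run completes in minutes; with maxAttempts: 5 the attacker
// gets five guesses per OTP and the search stops.
```

In a real Express app the counter belongs with the OTP in the session store (and the OTP should also expire after a short time), with a generic rate limiter such as express-rate-limit layered in front of the endpoint as a second line of defence.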
Endpoint:
POST /disable-2fa
If no CSRF protection exists, an attacker can disable 2FA through a malicious website.
Test invalid inputs such as:
0
null
AAAAAA
000000
If the server compares the OTP with loose equality or applies no format check, such values may be accepted, especially when no OTP has been generated for the session yet.
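Why those particular inputs are worth sending, as an added example (not the lab's own code). It contrasts the loose-equality pattern common in Node.js apps with a strict validator; whether this lab parses JSON bodies and compares with == is an assumption to test, not something the README states. verifyLoose, verifyStrict and runProbes are hypothetical names.

```javascript
// Vulnerable pattern: JavaScript == coerces types. If no OTP was ever issued,
// session.otp is undefined, and a JSON body of {"otp": null} (or a body with
// no otp field at all) compares equal to it.
function verifyLoose(sessionOtp, supplied) {
  return supplied == sessionOtp; // eslint-disable-line eqeqeq
}

// Hardened: an OTP must exist and be stored as a string of six digits, the
// input must be a string of six digits, and the comparison is strict.
function verifyStrict(sessionOtp, supplied) {
  if (typeof sessionOtp !== 'string' || !/^\d{6}$/.test(sessionOtp)) return false;
  if (typeof supplied !== 'string' || !/^\d{6}$/.test(supplied)) return false;
  return supplied === sessionOtp;
}

// The README's probe values (plus two that only exist with a JSON body),
// run against both checkers for a given stored OTP.
function runProbes(sessionOtp) {
  const probes = {
    number0: 0,              // JSON body {"otp": 0}
    nullValue: null,         // JSON body {"otp": null}
    missing: undefined,      // no otp field at all
    letters: 'AAAAAA',
    zeros: '000000',
    arrayWrapped: ['123456'], // JSON body {"otp": ["123456"]}; == unwraps it
  };
  const out = {};
  for (const [name, value] of Object.entries(probes)) {
    out[name] = { loose: verifyLoose(sessionOtp, value), strict: verifyStrict(sessionOtp, value) };
  }
  return out;
}
```

The strict validator also rejects an OTP that the server stored as a Number, which is deliberate: numeric storage drops leading zeros and shrinks the keyspace, so OTPs should be generated and kept as zero-padded strings.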
/verify-otp
/dashboard
/secure
/ip-protected
/disable-2fa
/logout
- Burp Suite
- OWASP ZAP
- Browser Developer Tools
This lab helps practice:
- Authentication testing
- Session management flaws
- Business logic vulnerabilities
- 2FA bypass techniques
- Bug bounty methodologies
Created for security training and bug bounty practice.
Feel free to improve the lab by adding:
- API authentication vulnerabilities
- JWT attacks
- Password reset flaws
- OAuth bypass
- IDOR vulnerabilities