WalkThrough
A small accounting firm rolled out two-factor auth for their client portal late last year. The login form prompts for a code; whether the rest of the app actually waits for it is another question.
The Scenario
Hallmark Books has been doing the books for small Asheville businesses since 2007. Cyrus added "the 2FA thing" himself last spring after a phishing scare; he was very proud of the verification page. The clients' table, meanwhile, has been there since 2009 and nobody's looked at it since.
Challenge Intel
Synopsis
Some pages behind login don't actually verify that the second factor completed. Register an account, submit the password step, and look at what's reachable without ever entering the code.
What It Is
Hallmark Books' portal is a small Flask app over SQLite — a public marketing site, an authenticated dashboard, a client roster, and an invoice list. Two-factor auth was bolted on after the fact and the bolt didn't catch every surface. The player works through the standard product UX — register, sign in, get prompted for a code — and then has to notice which other routes happily render without finishing the second step. The flag is embedded in a client engagement record that staff use as a scratchpad.
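The gating gap described above, as an added example that is neither the challenge's nor Hallmark Books' code: a session carries two separate facts (password step done, second factor done), and a route that checks only the first renders without the code. It uses plain Python decorators over a dict standing in for the Flask session so it runs without Flask; the session keys, redirect targets and route names are assumptions.

```python
from functools import wraps
# Constructed session keys: two facts a session records independently.
SESSION_KEY_USER = "user_id"       # set at the password step
SESSION_KEY_MFA = "mfa_verified"   # set only once the code is accepted

class Denied(Exception):
    """Raised when a route refuses to render; args[0] is the redirect target."""

def require_login(view):
    """The bolted-on check: password step done. Says nothing about the code."""
    @wraps(view)
    def wrapper(session, *args, **kwargs):
        if SESSION_KEY_USER not in session:
            raise Denied("/login")
        return view(session, *args, **kwargs)
    return wrapper

def require_mfa(view):
    """Enforced check: password step AND second factor must both be complete."""
    @wraps(view)
    def wrapper(session, *args, **kwargs):
        if SESSION_KEY_USER not in session:
            raise Denied("/login")
        if not session.get(SESSION_KEY_MFA):
            raise Denied("/verify")
        return view(session, *args, **kwargs)
    return wrapper

@require_login   # vulnerable: renders after the password step alone
def clients_vulnerable(session):
    return f"clients for user {session[SESSION_KEY_USER]}"

@require_mfa     # fixed: the route itself enforces the second factor
def clients_fixed(session):
    return f"clients for user {session[SESSION_KEY_USER]}"

def reachable(view, session):
    """Return (True, body) if the view rendered, else (False, redirect target)."""
    try:
        return True, view(session)
    except Denied as d:
        return False, d.args[0]

def password_step_only():
    """Constructed session as it looks after the password step, before any code."""
    return {SESSION_KEY_USER: 42}

def audit(views, session):
    """Defender check: names of routes that render for a session that never finished MFA."""
    return [v.__name__ for v in views if reachable(v, session)[0]]
```

Running `audit` over every authenticated route with a half-finished session is the check the portal never had: anything it lists is a route where the second factor is checked somewhere but not enforced.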
Who It's For
Junior testers learning that 'the second factor is checked somewhere' is not the same as 'the second factor is enforced on every authenticated route'.
Skills You'll Practice
- Identifying authentication state separate from session state
- Probing post-login routes directly without completing all factors
- Recognising client-side flow assumptions in server-side code
- Reading templates for product-data leaks
What You'll Gain
- Concrete sense of how MFA gating fails in real codebases
- Practice with the simplest, highest-impact MFA bug class