In this video, we're going to talk about authentication bypass. Authentication bypasses happen when there is a configuration or logic flaw in your code that lets an attacker simply step around your authentication checks. Historically, this has hit some big players in the industry, and it is an easy mistake to make, which is why so many people make it. Typically, these mistakes are rooted in writing your own authentication and authorization functionality. Much like crypto, authentication and authorization are things best inherited from a source that focuses on them rather than written from scratch, because there are many pitfalls in doing so.

So this is an interesting case. This lesson actually gives you an example of a PayPal two-factor authentication bypass. Essentially, the bypass works like this: you go on to fill out your security questions, and when you get to them, you simply remove the security question parameters from the request being sent to the endpoint. By doing so, you fool the back end into skipping the logic that would verify your security questions. Now, that's a pretty big mistake to make, especially for someone like PayPal. This example is not as severe. So we'll poke through it and see what the traffic looks like, then we'll end the video and let you try it for yourself, and we'll come back and solve it in another video.

All right. So I am using my Firefox instance, and I do have my trusty Burp going. Like I said, it's pretty noisy and there's a lot of traffic in it. So I'll go ahead and submit my favorite teacher. I'm just going to say testing, or test1, and test2 for what street I grew up on. I'm going to submit that. Looking at our Burp, in the last POST we made, we can see security question test1 and security question test2. So the question becomes, how can I go about resetting my password without removing these? Because the lesson tells us it's not as simple as the method above; it's just a variation of it. This is something that's pretty common and it happens all the time. So we can just right-click on this body and send it to our Repeater, and the question becomes, what can you do to modify this so that it gets past the verification? Go and give it a try, and we'll come back and discuss that in another video.
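As an added example that is not part of the lesson or of any real PayPal code, here is a toy Python password-reset check that fails exactly the way the PayPal bypass above describes (the server only verifies the security-question fields the client chose to send, so a body with those fields deleted sails through), beside a hardened version that drives the check from the server-side record. The field names, the stored answers and the three request bodies are constructed for illustration and are not taken from the lesson's traffic.

```python
"""
Added example (not the lesson's own code): a toy password-reset handler
that verifies security-question answers the way the PayPal bypass above
exploits them, beside a hardened version.

Assumptions (not taken from the page): the reset endpoint receives a
URL-encoded POST body with fields named securityQuestion1 and
securityQuestion2, and the stored answers below are constructed test data.
"""
import hmac
from urllib.parse import parse_qs

# Constructed test data: the answers the account holder set up earlier.
STORED_ANSWERS = {
    "securityQuestion1": "test1",   # favorite teacher
    "securityQuestion2": "test2",   # street you grew up on
}

# Constructed request bodies: roughly what Burp would show for the POST.
HONEST_BODY = "securityQuestion1=test1&securityQuestion2=test2&newPassword=hunter2"
WRONG_BODY = "securityQuestion1=wrong&securityQuestion2=wrong&newPassword=hunter2"
STRIPPED_BODY = "newPassword=hunter2"  # attacker deleted both question fields


def parse_body(body: str) -> dict:
    """Flatten a URL-encoded body to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_verify(body: str) -> bool:
    """Checks only the answers that the client chose to send.

    Every submitted answer is compared, so a wrong answer fails, but a body
    with no security-question fields at all never enters the loop and the
    function reports success. That is the PayPal-style bypass.
    """
    form = parse_body(body)
    for name, value in form.items():
        if name in STORED_ANSWERS and value != STORED_ANSWERS[name]:
            return False
    return True


def hardened_verify(body: str) -> bool:
    """Drives the check from the server-side record, not from the request.

    Every stored question must be present and correct; a missing field is
    treated as a wrong answer. compare_digest keeps each comparison
    constant-time.
    """
    form = parse_body(body)
    ok = True
    for name, expected in STORED_ANSWERS.items():
        supplied = form.get(name, "")
        # Do not short-circuit: evaluate every question so response timing
        # does not reveal which one failed.
        ok &= hmac.compare_digest(supplied.encode(), expected.encode())
    return ok


if __name__ == "__main__":
    cases = [("honest", HONEST_BODY), ("wrong", WRONG_BODY), ("stripped", STRIPPED_BODY)]
    for label, body in cases:
        print(f"{label:9} vulnerable={vulnerable_verify(body)!s:5} "
              f"hardened={hardened_verify(body)}")
```

The design point is the loop direction: the vulnerable version iterates over whatever the request contains, so the attacker controls which checks run; the hardened version iterates over what the server knows must be answered, so the attacker can only influence whether each check passes, not whether it happens.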