Added 2FA bypass via Force Browsing on Account Takeover branch

Account Takeover/README.md

@@ -27,6 +27,7 @@
     * [Backup Code Abuse](#backup-code-abuse)
     * [Clickjacking on 2FA Disabling Page](#clickjacking-on-2fa-disabling-page)
     * [Enabling 2FA doesn't expire Previously active Sessions](#enabling-2fa-doesnt-expire-previously-active-sessions)
+    * [Bypass 2FA by Force Browsing](#bypass-2fa-by-force-browsing)
     * [Bypass 2FA with null or 000000](#bypass-2fa-with-null-or-000000)
     * [Bypass 2FA with array](#bypass-2fa-with-array)
 * [References](#references)
@@ -228,6 +229,10 @@ Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
 
 If the session is already hijacked and there is a session timeout vuln
 
+### Bypass 2FA by Force Browsing
+
+If the application redirects to `/my-account` url upon login while 2Fa is disabled, try replacing `/2fa/verify` with `/my-account` while 2FA is enabled to bypass verification.
+
 ### Bypass 2FA with null or 000000
 Enter the code **000000** or **null** to bypass 2FA protection.
 
@@ -262,3 +267,4 @@ Enter the code **000000** or **null** to bypass 2FA protection.
 - [Broken Cryptography & Account Takeovers - Harsh Bothra - September 20, 2020](https://speakerdeck.com/harshbothra/broken-cryptography-and-account-takeovers?slide=28)
 - [Hacking Grindr Accounts with Copy and Paste - Troy HUNT & Wassime BOUIMADAGHENE - 03 OCTOBER 2020](https://www.troyhunt.com/hacking-grindr-accounts-with-copy-and-paste/)
 - [CTFd Account Takeover](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
+- [2FA simple bypass](https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-simple-bypass)