Burp Suite plugin that dynamically generates Google 2FA codes for use in session handling rules (approved by PortSwigger for inclusion in their official BApp Store).
License: Apache-2.0
Burp Suite extension to apply the current Google Two-Factor Authentication (2FA) code to relevant/selected requests.

This Burp Suite extension turns Burp into a Google Authenticator client. The current Google Two-Factor Authentication (2FA) code is automatically computed from a given shared secret and applied to bespoke location(s) in relevant requests in real-time.

Further information on two-factor authentication is available at the following links:

Further information about Burp session handling rules is available at the following link:
## Features

- Graphical user interface (GUI) overview.
- Generates the Google 2FA code using the Time-based One-Time Password (TOTP) algorithm specified in RFC4226 and RFC6238.
- Applies the Google 2FA code to the selected location(s) in relevant requests.
- Refreshes the generated code in real-time.

## Example use case

We have been commissioned to perform a web application penetration test on www.foobar.com. This web application implements a login form incorporating Google 2FA for an additional layer of defence (it prevents automated attacks such as brute forcing). The client provided us with testing credentials along with a link to set up the Google Authenticator mobile application to allow for authenticated testing.
A login is performed using the following request (in this example, the `pin` JSON parameter is the Google 2FA code):

```http
POST /api/login HTTP/1.1
Host: foobar.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/504482 Firefox/60.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://foobar.com/login
Content-Type: application/json;charset=utf-8
Content-Length: 74
Connection: close

{"email":"[email protected]","password":"SuperP@ssw0rd!","pin":"504482"}
```
Following the aforementioned link, we obtain the shared secret (`42TCJUDP94W27YR3`) that the Time-based One-Time Password (TOTP) algorithm uses to generate the Google 2FA codes.

During testing, we observed that the application is protected by a Web Application Firewall (WAF), which logs our test user out each time a malicious payload is detected or if too many requests are sent in a short period of time. This configuration makes it virtually impossible to take advantage of the Burp Suite automated scan capabilities.
1. Input the relevant parameter(s) into the Google Authenticator interface:
   - shared secret: `42TCJUDP94W27YR3`
   - regular expression: `(?<![\w\d])\d{6,8}(?![\w\d])`
2. Register a session handling rule: Project options -> Sessions -> Session Handling Rules -> Add a Session Handling Rule -> Invoke a Burp extension -> Google Authenticator: 2FA code applied to selected parameter.
3. Configure the relevant scope for the registered session handling rule.
4. Watch/monitor the relevant request(s) getting updated with the valid/refreshed Google 2FA code generated by Google Authenticator, using either Project options -> Sessions -> Session Handling Rules -> Open session tracer or the Logger tab.
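What the extension does behind the session handling rule, as an added Python example (standard library only; this is not the extension's own Java code): the TOTP computation from RFC4226/RFC6238, the substitution of the `pin` value with the README's regular expression, and a server-side `verify_code` check with a one-step tolerance window to show the defender's side of the same algorithm. The secret used is the RFC4226/RFC6238 test key rather than the README's `42TCJUDP94W27YR3`, because that string contains the digit 9, which is outside the base32 alphabet Google Authenticator secrets are encoded in; `validate_secret` catches exactly that kind of mistake. The request body is a constructed copy of the login request shown above.

```python
import base64
import binascii
import hashlib
import hmac
import re
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test key ("12345678901234567890") in base32, used here because the
# README's 42TCJUDP94W27YR3 is not decodable base32 (it contains a 9). Constructed sample.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Regular expression from the README: a standalone run of 6 to 8 digits.
CODE_PATTERN = re.compile(r"(?<![\w\d])\d{6,8}(?![\w\d])")

# Constructed copy of the login body from the walkthrough, carrying a stale pin.
SAMPLE_BODY = '{"email":"user@example.com","password":"SuperP@ssw0rd!","pin":"504482"}'


def decode_secret(secret_b32: str) -> bytes:
    """Decode a Google Authenticator shared secret (unpadded, case-insensitive base32)."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def validate_secret(secret_b32: str) -> bool:
    """True if the secret is well-formed base32. A bad character would otherwise only
    surface later as an unexplained login failure in the session tracer."""
    try:
        decode_secret(secret_b32)
        return True
    except (binascii.Error, ValueError):
        return False


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second time window."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret_b32, int(unix_time) // step, digits)


def apply_code(body: str, code: str) -> str:
    """What the session handling rule does to the selected location: replace the first
    6-8 digit token with a freshly generated code."""
    return CODE_PATTERN.sub(code, body, count=1)


def first_code_match(text: str) -> Optional[str]:
    """Show which token the pattern would pick if run over arbitrary text (e.g. a whole request)."""
    m = CODE_PATTERN.search(text)
    return m.group(0) if m else None


def verify_code(secret_b32: str, code: str, unix_time: float, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the code for the current window and `window` steps either
    side (clock skew), comparing in constant time."""
    if not code.isdigit() or not 6 <= len(code) <= 8:
        return False
    counter = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta, len(code)), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    fresh = totp(RFC_SECRET)
    print("current code:", fresh)
    print(apply_code(SAMPLE_BODY, fresh))
```

Scope matters when configuring the rule: `first_code_match` run over a full request rather than the `pin` parameter would happily pick an 8-digit build token such as the `Gecko/20100101` part of a Firefox User-Agent, so restrict the rule to the parameter or body location the code actually lives in.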
Notes:

- Use the regular expression `(?<![\w\d])\d{6,8}(?![\w\d])` for optimal results, as Google 2FA codes are made up of 6 to 8 digits according to the relevant RFCs.
- The extension currently handles the Google 2FA code only.

## Installation

1. Install and configure Gradle.
2. Download this repository:

   ```
   git clone https://github.com/aress31/googleauthenticator
   cd .\googleauthenticator\
   ```

3. Create the standalone jar:

   ```
   gradle fatJar
   ```

4. In Burp Suite, under the Extender/Options tab, click on the Add button and load the `googleauthenticator-all` jar file located in the `.\build\libs` folder.

Alternatively, you can now directly install/load this extension from the BApp Store.

Note: The version distributed on the BApp Store might be behind the version available on this repository.
## Future work

- Add support for Microsoft Authenticator.
- Improve the GUI.
- Add a JTable to view modified requests in real-time.
- Implement the IHttpListener interface and rework the filters in order to provide users with more ways of processing request(s).

## Sponsor

If you want to support this project and appreciate the time invested in developing, maintaining and extending it, consider donating toward my next cup of coffee. ☕

It is easy, all you got to do is press the Sponsor button at the top of this page or alternatively click this link. 💸

## Reporting bugs

Found a bug? I would love to squash it! 🐛

Please report all issues on the GitHub issues tracker.

## Contributing

You would like to contribute to better this project? 🤩

Please submit all PRs on the GitHub pull requests tracker.

## License

See LICENSE.