Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

2FA bypass using a brute-force attack

Rajathi | Last updated: Apr 12, 2021 04:36AM UTC

Hi team, I have tried the 2FA bypass using a brute-force attack multiple times using the intruder and turbo intruder also. I am struggling to solve the lab. Please advise me of any solution for this lab. Thanks, Rajathi

Liam, PortSwigger Agent | Last updated: Apr 12, 2021 11:44AM UTC

Have you checked out this tutorial video? - https://www.youtube.com/watch?v=uJMIV8oM0u0

Rajathi | Last updated: Apr 13, 2021 03:12AM UTC

Yes watched the video, I followed the same steps but there is no output in the turbo intruder. I have tried the Burp intruder method also, it shows the status 302 and copied the response URL, and pastes it in the browser, later it shows the error message invalid CSRF token. Please provide a solution for this lab. Thanks.

Liam, PortSwigger Agent | Last updated: Apr 13, 2021 09:26AM UTC

The labs are passing in our testing. The solutions are not designed to be walk-throughs. Keep trying!

kairosdev | Last updated: Dec 01, 2021 07:43PM UTC

I'm doing "2FA broken logic" lab and I can't get a 302 response. This is my Payload Positions. POST /login2 HTTP/1.1 Host: ac391f7f1edee2a4c09434de0054002c.web-security-academy.net User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 13 Origin: https://ac391f7f1edee2a4c09434de0054002c.web-security-academy.net Connection: close Referer: https://ac391f7f1edee2a4c09434de0054002c.web-security-academy.net/login2 Cookie: session=ZLrlw9crWOQIEZnPIYdKCkDtysUzHalk; verify=carlos Upgrade-Insecure-Requests: 1 mfa-code=§1234§ Any idea?

Liam, PortSwigger Agent | Last updated: Dec 02, 2021 11:50AM UTC

The labs are passing in our testing.

kairosdev | Last updated: Dec 02, 2021 08:49PM UTC