Burp Suite User Forum


Active scanning the application having OTP as 2FA

ARPIT | Last updated: Feb 21, 2023 02:42PM UTC

Hi Team, is there any way in which we can scan an application which uses OTP as 2FA? For the mobile device, we can use the hardware or a simulator as well. If this is not already available in Burp as of now, can you please advise what other methods can be combined with Burp Suite to help with active scanning? Kind Regards, Arpit

Hannah, PortSwigger Agent | Last updated: Feb 22, 2023 09:26AM UTC

Hi Arpit, thank you for your message. Are you using Burp Suite Enterprise Edition or Burp Suite Professional?

ARPIT | Last updated: Feb 22, 2023 05:44PM UTC

I am using Burp Suite Professional.

Hannah, PortSwigger Agent | Last updated: Feb 23, 2023 09:42AM UTC

We don't have any native functionality for this. However, have you had a look at the BApp Store extension, "Google Authenticator"? If your 2FA is using TOTP, then this should be of use.

ARPIT | Last updated: Feb 24, 2023 10:01AM UTC

We are not using TOTP.

Hannah, PortSwigger Agent | Last updated: Feb 24, 2023 10:54AM UTC

Hi, could you tell me the type of 2FA you are using?

ARPIT | Last updated: Feb 24, 2023 12:26PM UTC

We will be using credentials followed by an event-based OTP.

ARPIT | Last updated: Feb 28, 2023 08:46AM UTC

Is there anything you can help us with regarding event-based OTP and scanning?

Hannah, PortSwigger Agent | Last updated: Feb 28, 2023 10:54AM UTC

As mentioned before, we don't have any native functionality for this. However, I found the following library that, given the secret key and the counter value, could help you modify the Google Authenticator extension (https://github.com/aress31/google-authenticator) for use with event-based OTP/HOTP: https://github.com/jchambers/java-otp
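Hannah's last reply names the two inputs an event-based OTP needs: the shared secret and the counter. The Python below is an added example, not code from the forum, from PortSwigger, from the google-authenticator extension or from java-otp. It shows the RFC 4226 HOTP computation those libraries implement, the client-side counter that a scanning hook would have to advance on every OTP prompt so that no code is reused, and the server-side look-ahead verification that a defender would expect the application to perform. The secret is the RFC 4226 Appendix D test key, used here purely as a constructed value.

```python
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 4226 Appendix D test key (ASCII
# "12345678901234567890"). It is not a value from the forum thread.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    if not 0 <= counter < 2 ** 64:
        raise ValueError("counter must fit in an unsigned 64-bit integer")
    moving_factor = struct.pack(">Q", counter)
    digest = hmac.new(secret, moving_factor, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class HotpClient:
    """Client-side counter state, as an authenticator device keeps it.
    A scanner hook would call next_code() each time the application asks
    for an OTP, so every code is fresh and the counter never repeats."""

    def __init__(self, secret: bytes, counter: int = 0, digits: int = 6) -> None:
        self.secret = secret
        self.counter = counter
        self.digits = digits

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter, self.digits)
        self.counter += 1
        return code


def verify_hotp(secret: bytes, candidate: str, counter: int,
                window: int = 3, digits: int = 6):
    """Server-side check with a look-ahead window (RFC 4226 section 7.4):
    accepts the code if it matches any counter in [counter, counter + window)
    and returns the counter value to store next, or None on failure. A code
    behind the stored counter is rejected, which is what stops replay.
    compare_digest keeps the string comparison constant-time."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    # Walk the client and server counters forward together.
    client = HotpClient(TEST_SECRET)
    server_counter = 0
    for _ in range(3):
        code = client.next_code()
        result = verify_hotp(TEST_SECRET, code, server_counter)
        print(f"code {code}: {'accepted' if result else 'rejected'}")
        if result is not None:
            server_counter = result
```

The counter is the whole difficulty for a scanner: unlike TOTP, nothing about the clock tells the client which value to use, so whatever generates codes during a scan has to persist the counter across requests and stay within the server's look-ahead window, otherwise the session desynchronises and every later login attempt is rejected.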
