Burp Suite User Forum


Authenticated Scans on Application with 2FA login

Sunil | Last updated: Jul 15, 2020 08:31AM UTC

Hi Team, I wanted to ask: if an application has 2FA (login and OTP), how do I configure Burp Enterprise for the same? I can only see authentication with simple username and password fields to add in the auth configuration for a site. Thanks.

Uthman, PortSwigger Agent | Last updated: Jul 15, 2020 11:00AM UTC

Hi Sunil, Unfortunately, this is not currently supported in Enterprise. You will need to disable 2FA whilst testing the application, which I appreciate is not an ideal workaround. We are working on a recorded login feature that may help. This will be implemented later this year:

- https://portswigger.net/blog/burp-suite-roadmap-update-july-2020
- https://portswigger.net/blog/burp-suite-roadmap-for-2020

We will update this thread when the feature is released.

Ion | Last updated: Sep 02, 2021 08:33AM UTC

Is there any update about authenticated scans with 2FA (login and OTP)?

Uthman, PortSwigger Agent | Last updated: Sep 02, 2021 08:58AM UTC

Hi Ion, We are unlikely to support 2FA logins since these are notoriously difficult for automated scanners to handle. I presume the token needs to be refreshed every X minutes, so there is no accurate way for the scanner to replay with a new code received e.g. via SMS. The exception to this could be a static token, i.e. it only needs to be entered once and never expires. You can either disable the 2FA whilst scanning the application or try to configure a second step (e.g. a security question) that can easily be replayed by the scanner using a recorded login sequence:

- https://portswigger.net/burp/documentation/enterprise/working/sites/application-logins
- https://portswigger.net/blog/recorded-logins-in-burp-scanner

mbayo | Last updated: Jan 30, 2023 05:01PM UTC

Perhaps this is an alternative issue, but is it possible to append a session header or cookie to all requests made by the scanner? That would at least make it possible to scan an app with 2fa while authenticated.

Maia, PortSwigger Agent | Last updated: Jan 30, 2023 06:08PM UTC

Hi, Yes, it is possible to add a custom header or cookie to all scanner requests. In Burp Suite Professional, this is done using session handling rules. The "Set a specific cookie or parameter value" and "Set a specific header value" rules are compatible with Burp Suite Enterprise Edition and can be exported from Burp Suite Professional into Burp Suite Enterprise Edition as a custom scan configuration.

- https://portswigger.net/burp/documentation/desktop/settings/sessions/session-handling-rules#set-a-specific-cookie-or-parameter-value
- https://portswigger.net/burp/documentation/desktop/settings/sessions/session-handling-rules#set-a-specific-header-value

Garg | Last updated: Sep 04, 2023 05:59AM UTC

Hi, Can we record login sequence with Static MFA code and scan the application?

Maia, PortSwigger Agent | Last updated: Sep 04, 2023 10:24AM UTC

Yes, a static MFA code will work with a recorded login sequence. For codes that are not static, there is now an extension available where you can supply the seed for the one-time code, and the TOTP token will be added to outgoing requests. More details and instructions can be found in the link below:

- https://github.com/Hannah-PortSwigger/TOTPAuthenticate
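To make concrete why a recorded OTP cannot simply be replayed after its window, while a scanner holding the seed can always produce the current code, here is an added example (not from this thread, the extension, or PortSwigger) implementing RFC 6238 TOTP in Python. The seed is the RFC reference secret "12345678901234567890", constructed here for the example; it is not a value from the page.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed seed for the example: the RFC 6238 reference secret,
# base32-encoded the way authenticator apps and the extension expect it.
EXAMPLE_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    # Tolerate seeds copied without base32 padding.
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    t = int(time.time()) if at is None else at
    return hotp(key, t // step, digits)


def replay_would_succeed(seed_b32: str, captured_code: str,
                         replay_at: int, step: int = 30) -> bool:
    """Would a code captured earlier still validate if replayed at replay_at?

    This is the failure mode for a plain recorded login: once the 30-second
    window rolls over, the recorded code no longer matches the server's value.
    """
    return totp(seed_b32, replay_at, step) == captured_code


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(EXAMPLE_SEED_B32, now))
    print("valid for another", 30 - now % 30, "seconds")
```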
