Burp Suite User Forum


Authenticated Scans on Application with 2FA login

Sunil | Last updated: Jul 15, 2020 08:31AM UTC

Hi Team, I wanted to know: if an application has 2FA (login and OTP), how do I configure Burp Enterprise for it? I can only see authentication with a simple username and password field to add in the auth configuration of a site. Thanks.

Uthman, PortSwigger Agent | Last updated: Jul 15, 2020 11:00AM UTC

Hi Sunil, Unfortunately, this is not currently supported in Enterprise. You will need to disable 2FA whilst testing the application, which I appreciate is not an ideal workaround. We are working on a recorded login feature that may help. This will be implemented later this year:

- https://portswigger.net/blog/burp-suite-roadmap-update-july-2020
- https://portswigger.net/blog/burp-suite-roadmap-for-2020

We will update this thread when the feature is released.

Ion | Last updated: Sep 02, 2021 08:33AM UTC

Is there any update about authenticated scans with 2FA (login and OTP)?

Uthman, PortSwigger Agent | Last updated: Sep 02, 2021 08:58AM UTC

Hi Ion, We are unlikely to support 2FA logins since these are notoriously difficult for automated scanners to handle. I presume the token needs to be refreshed every X minutes, so there is no accurate way for the scanner to replay with a new code received e.g. via SMS. The exception to this could be a static token, i.e. it only needs to be entered once and never expires. You can either disable the 2FA whilst scanning the application or try to configure a second step (e.g. a security question) that can easily be replayed by the scanner using a recorded login sequence:

- https://portswigger.net/burp/documentation/enterprise/working/sites/application-logins
- https://portswigger.net/blog/recorded-logins-in-burp-scanner

mbayo | Last updated: Jan 30, 2023 05:01PM UTC

Perhaps this is an alternative issue, but is it possible to append a session header or cookie to all requests made by the scanner? That would at least make it possible to scan an app with 2FA while authenticated.

Maia, PortSwigger Agent | Last updated: Jan 30, 2023 06:08PM UTC

Hi, Yes, it is possible to add a custom header or cookie to all scanner requests. In Burp Suite Professional, this is done using session handling rules. The "Set a specific cookie or parameter value" and "Set a specific header value" rules are compatible with Burp Suite Enterprise Edition and can be exported from Burp Suite Professional into Burp Suite Enterprise Edition as a custom scan configuration.

- https://portswigger.net/burp/documentation/desktop/settings/sessions/session-handling-rules#set-a-specific-cookie-or-parameter-value
- https://portswigger.net/burp/documentation/desktop/settings/sessions/session-handling-rules#set-a-specific-header-value

Garg, | Last updated: Sep 04, 2023 05:59AM UTC

Hi, Can we record login sequence with Static MFA code and scan the application?

Maia, PortSwigger Agent | Last updated: Sep 04, 2023 10:24AM UTC

Yes, a static MFA code will work with a recorded login sequence. For codes that are not static, there is now an extension available where you can supply the seed for the one-time code, and the TOTP token will be added to outgoing requests. More details and instructions can be found in the link below:

https://github.com/Hannah-PortSwigger/TOTPAuthenticate
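The answer above turns on one property of TOTP: the six-digit code is a deterministic function of the shared seed and the current 30-second window (RFC 6238), so a scanner that holds the same seed as the authenticator app can compute the code itself, at the moment the recorded login replays, instead of waiting for a human to read it off a phone. The following is an added example to illustrate that point; it is not code from PortSwigger or from the TOTPAuthenticate extension, and it makes no claims about how that extension is implemented. It uses only the Python standard library. The seed values are the published RFC 4226/6238 test vector (the ASCII string 12345678901234567890, shown in base32 as an authenticator app would display it); the time values are the RFC's test times, not a real clock. One practical consequence for defenders: once a seed lives in a scan configuration, that configuration holds an authentication secret equivalent to the user's second factor and should be stored and access-controlled like a password.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test-vector seed, as the raw ASCII bytes ...
RFC_SEED_BYTES = b"12345678901234567890"
# ... and as the base32 string an authenticator app / otpauth:// URI would carry.
RFC_SEED_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_seed(seed: str) -> bytes:
    """Turn an app-style base32 seed (spaces, lower case, missing '=' padding
    are all common) into the raw HMAC key bytes."""
    s = seed.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore padding that apps usually omit
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then reduce to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time window."""
    return hotp(secret, at_time // step, digits, algo)


def seconds_until_rotation(at_time: int, step: int = 30) -> int:
    """How long the code computed at `at_time` stays valid. A scanner that
    computes the code and submits it near the end of a window risks a reject
    on a slow login; this is the value to check before replaying."""
    return step - (at_time % step)


def code_for_recorded_login(seed_base32: str, at_time: int) -> str:
    """What the 'supply the seed' step amounts to: from the seed alone, produce
    the same code the user's authenticator app shows for this window."""
    return totp(decode_base32_seed(seed_base32), at_time)


if __name__ == "__main__":
    # Stand-alone demo against the real clock, using the RFC test seed
    # (constructed demo input, not a live account).
    now = int(time.time())
    print("code now:", code_for_recorded_login(RFC_SEED_BASE32, now),
          "valid for", seconds_until_rotation(now), "more seconds")
```

Design notes: the same function serves both sides of the exchange, since the server verifies by recomputing exactly this value (usually allowing one window of skew either way), which is why a seed, unlike a code delivered by SMS, is enough for unattended replay. Switching the `algo` and `digits` arguments covers the SHA-256/SHA-512 and 8-digit variants in RFC 6238; the default SHA-1/6-digit pairing is what most authenticator apps use.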

cruser | Last updated: Feb 26, 2024 03:17PM UTC

I have a few queries related to configuring a 2FA scan using Burp Suite Enterprise.

1. Does TOTPAuthenticate support Microsoft Authenticator?
2. Does TOTPAuthenticate support a dynamic code generated for input on the mobile device?

If not, what will be the alternative to perform a scan on 2FA-enabled apps using Burp Suite Enterprise?

Josh, PortSwigger Agent | Last updated: Feb 27, 2024 09:17AM UTC

It depends on what you're using Microsoft Authenticator for. If Microsoft Authenticator generates the TOTP codes, then yes, TOTPAuthenticate will support it as with any other method of generating those codes, as long as you put the appropriate token seed in the configuration. If you're using Microsoft Authenticator for 2FA via push notifications, which the user has to approve, then this wouldn't work, as Burp Enterprise is for automated scanning, and this would be a significant manual step.

TOTPAuthenticate wouldn't support inputting a code into the device either, as this would again be a significant manual step that doesn't fit with the paradigm of automated scans.
