Burp Suite User Forum

Automatic scan with 2fa

Alberto | Last updated: Jul 05, 2021 08:52AM UTC

Hi, I would like to do an automatic scan using Burp Suite Pro. Online I found some guides to do that, but when I encounter a 2fa everything becomes harder. I tried to use the cookie jar to "bypass" the authentication but it didn't work. Probably I'm doing something wrong, but I would like to know if the cookie jar is the right way to "solve" this problem, or if it's just not possible. Do you have any advice? Ty, Alberto

Michelle, PortSwigger Agent | Last updated: Jul 05, 2021 02:43PM UTC

Thanks for your message. Can you tell us more about the authentication process being used, please? Does the 2fa use a code that changes every time it is used?

Alberto | Last updated: Jul 06, 2021 06:41AM UTC

Yes, the authentication uses a 2fa code that changes every time and it's received by email. That's why I thought there was no other solution than to use cookies to avoid the authentication process.

Michelle, PortSwigger Agent | Last updated: Jul 06, 2021 08:17AM UTC

Thanks for the update. If the 2fa code is changing each time and is sent by email then there will not be a way to pick up the code for use by an automatic scan. Whether there is a way to bypass this will depend on exactly how the site detects authenticated users. If it looks for a certain cookie being present, you may be able to use the session handling rules to set a cookie to be used with the crawl and audit:

https://portswigger.net/support/manually-setting-a-cookie-for-burp-suites-crawl-and-audit

Please let us know if you have any questions.

Alberto | Last updated: Jul 06, 2021 09:58AM UTC

I imagined that was the only solution. Thanks.
