Burp Suite User Forum


Burp 2FA integration - Disable human intervention during 2FA process

Tal | Last updated: Dec 29, 2016 09:49AM UTC

Hi,

In today's best practice, medium risk and above applications implement some form of 2FA solution with sensitive functionality like authentication, forgot password, enabling transaction, account activation etc.

Challenge: If the application implements 2FA, then the user that operates Burp Suite must intervene in the process of the 2FA when the session becomes invalid.

Solution: Burp needs a mobile application that can communicate with a Burp Suite instance and that supports a few common mobile 2FA solutions like SMS, soft-tokens etc.

Best regards,
Tal

PortSwigger Agent | Last updated: Jan 03, 2017 10:21AM UTC

The current solution in this situation is to create a session handling rule that detects when a session is invalid, and prompts the user for in-browser session recovery. This will let the user carry out whatever actions are necessary to re-establish a valid session.
