The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Burp Intruder Payloads into Macro

Sharkeon | Last updated: Apr 26, 2022 03:35PM UTC

Hello there, I am currently working on this lab: 2FA bypass using a brute-force attack. I think I have the solution, but the problem is I can't get it running. The main problem is that I can't figure out how to pass a payload from an Intruder request to the session macro that runs afterwards. As learned in the previous labs, I am able to build a macro with the request chain to first get the login page, log in, submit the 2FA code and dynamically get and set the CSRF tokens from previous requests. To invoke the macro I just make a request on the my-account page, as in previous labs. But how can I get a generated payload from Intruder into the macro to brute-force the 2FA code? I wasn't able to find a how-to online and don't want to spoil it for myself via the given solution, which probably differs anyway. And yes, while researching how to do this I stumbled upon a post in this forum where support already stated that I could use the same 2FA code because it doesn't get regenerated. But for pentests it would be good to know how it would be possible to do this with dynamically generated payloads instead of a static one. Thanks in advance.

Ben, PortSwigger Agent | Last updated: Apr 27, 2022 10:28AM UTC

Hi, The objective of this particular lab is to log in as the Carlos user. The scenario is that, whilst you have the username/password combination, you do not know the corresponding 2FA verification code. The issue is that if you log in using the credentials and then supply an incorrect 2FA code you are subsequently logged out and have to begin the process from the start. On the face of it, this would seem to prevent the brute forcing of the verification code. You can, however, get round this by using Burp's session handling rules. The macro should be being used to handle the sequence of requests that deal with supplying the credentials and the Intruder attack should be being used to carry out the brute forcing of the 2FA verification code. In effect, the macro is being run before each Intruder request to ensure that you are logged back in with the credentials before the Intruder side of things then handles the sending of the request to attempt to brute force the 2FA verification code. It sounds like you are possibly trying to differ from this approach and attempting to perform the brute forcing within the macro itself?
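A defender's view of the behaviour described in this answer, as an added example that is not part of the thread or PortSwigger's code: an in-memory Python model showing that discarding the session after a wrong code does not bound the number of guesses, while a failure counter keyed on the account does. The class, the threshold of 5, the static code and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 5  # assumed lockout threshold, not taken from the thread


@dataclass
class TwoFactorVerifier:
    """Hypothetical server-side 2FA check, modelled in memory."""
    code: str                 # assumed static for the account in this model
    per_account_limit: bool   # False: a wrong code only discards the session
    failures: dict = field(default_factory=dict)

    def verify(self, account: str, session: dict, submitted: str) -> str:
        if not session.get("password_ok"):
            return "login-required"
        if self.per_account_limit and self.failures.get(account, 0) >= MAX_FAILURES:
            return "locked"
        if submitted == self.code:
            self.failures.pop(account, None)
            return "ok"
        # Wrong code: the session is thrown away, as described in the answer.
        session.clear()
        # The counter is keyed on the account, so a fresh login does not
        # reset it. It is always recorded but only enforced when enabled.
        self.failures[account] = self.failures.get(account, 0) + 1
        return "logged-out"


def attempts_until_stopped(verifier, account, guesses):
    """Submit one guess per freshly authenticated session.

    Returns (number of attempts made, last result).
    """
    result = "none"
    for n, guess in enumerate(guesses, start=1):
        session = {"password_ok": True}  # models the re-login before each guess
        result = verifier.verify(account, session, guess)
        if result in ("ok", "locked"):
            return n, result
    return len(guesses), result


# Constructed sample input: 4-digit guesses in ascending order.
SAMPLE_GUESSES = [f"{i:04d}" for i in range(100)]
```

With logout as the only control, the run ends when the code is found; with the per-account counter it ends at the lockout, regardless of how many new sessions are opened.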

Gonçalo | Last updated: Apr 28, 2023 10:32AM UTC