Burp Suite User Forum

How to integrate Google Authenticator Burp Extender with Session Macro

aej | Last updated: Sep 14, 2020 10:16AM UTC

My website has Two Factor Authentication. On a successful User/Password combination, the site redirects to input the Google Authenticator code from the user. I am failing to create a successful macro, as Google Authenticator generates a different code every time. I tried using the Google Authenticator Extender but failed. This extender seems to be successful only if the website uses only the Google Authenticator code for login and not Username/Password. Also, Macro --> Configure Item --> Parameter Handling --> has only 2 options to derive a value. One is from a previous response and the other is a preset value. If there was an option to derive the value from an extender, this would have worked. Is there any way to automate this scenario?

Uthman, PortSwigger Agent | Last updated: Sep 14, 2020 11:25AM UTC

The extension should work for sites that use a TOTP using Google Authenticator. There are more detailed instructions on the GitHub repo:
- https://github.com/portswigger/google-authenticator

You don't need to derive a value from a previous response or set a preset value. You need to invoke the extension (Project options -> Sessions -> Add a Session Handling Rule -> Invoke a Burp extension -> Google Authenticator: 2FA code applied to selected parameter).

If you think there is an issue with the extension, you will need to raise this directly with the developer. We do not manage troubleshooting/bugs for third-party extensions:
- https://github.com/aress31/googleauthenticator
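For reference, an added example (not part of the forum thread and not the extension's own code) of the RFC 6238 computation behind a Google Authenticator code, and of writing a fresh code into one request parameter, which is the job the session handling rule delegates to the extension. The base32 secret is the RFC 6238 test key, and the `otp` parameter name and `apply_code` helper are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qsl, urlencode

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30 s steps and 6 digits by default."""
    # Enrolment secrets are often shown lowercase, spaced and unpadded.
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    # The moving factor is the number of whole time steps since the epoch.
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte is the offset.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def apply_code(body, param, secret_b32, at=None):
    """Return a form-encoded body with `param` set to the current code.

    Hypothetical helper: it mirrors what a per-request rule has to do,
    because a value recorded in a macro is stale after one time step.
    """
    pairs = parse_qsl(body, keep_blank_values=True)
    if not any(name == param for name, _ in pairs):
        raise KeyError("parameter %r not present in request body" % param)
    code = totp(secret_b32, at)
    return urlencode([(n, code if n == param else v) for n, v in pairs])


if __name__ == "__main__":
    recorded = "username=alice&otp=000000"  # constructed request body
    print(apply_code(recorded, "otp", SAMPLE_SECRET))
```

The secret is the value enrolled in the authenticator app for the test account, so treat any project file or script that stores it as a credential.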
