Burp Suite User Forum


I have a website that uses a kind of fake MFA code. I think you might have a method of handling this.

Glenn | Last updated: Feb 12, 2021 03:31PM UTC

I am currently using Burp Suite Enterprise 2020.11-5632 (I will be upgrading soon). I have an application that uses MFA to login. The thing with this application is that, due to some people who login to the application, we cannot use standard MFA in all cases. Which might be good in this case, since tools like yours do not yet support MFA. Basically, when the request for the MFA code is shown, it is really just another password that the user enters into a form page. There is no getting an MFA code from a company like Ping, or Authy, or Google Authenticator. It is a constant six-digit number for each user. Sort of like a second password. Does Burp Suite Enterprise have a method of entering this constant text into a webpage when the page is shown? It is only shown on a second page after the user has entered their username and password. They then get a page with only an entry box and text about "enter your code". Thanks, Glenn

Liam, PortSwigger Agent | Last updated: Feb 15, 2021 10:48AM UTC

Hi Glenn. How is the number determined? Is it the same each time? Have you tried using our recorded login function?

Glenn | Last updated: Feb 17, 2021 03:43PM UTC

It is the same each time and no I have not tried to record a login. Would that do?

Liam, PortSwigger Agent | Last updated: Feb 18, 2021 09:12AM UTC

It sounds like it could work for your application. It might be worth testing the feature on Burp Suite Pro first. Burp Pro has a test replay feature: https://portswigger.net/burp/documentation/desktop/scanning/recorded-logins Do you have a copy of Burp Pro? If not, we can provide a trial license.

Glenn | Last updated: Feb 18, 2021 01:49PM UTC

No, I do not have a Burp Suite Pro license anymore. If it would get me through this, I would like the trial. Thanks

Liam, PortSwigger Agent | Last updated: Feb 18, 2021 02:43PM UTC

I've added a license to your account. Please let us know if you have any issues testing the recorded login.
