Burp Suite User Forum

Login to post

Lab: 2FA broken logic

tim | Last updated: Sep 04, 2020 08:43PM UTC

I was struggling with this lab so I decided to have a look at the solution. I see it mentions in the first step: "With Burp running, log in to your own account and investigate the 2FA verification process. Notice that in the POST /login2 request, the verify parameter is used to determine which user's account is being accessed". I've downloaded the Burpe Suite community edition but I'm struggling to understand how to use it to help with the labs. Would appreciate some help, Thanks

Ben, PortSwigger Agent | Last updated: Sep 07, 2020 10:38AM UTC

Hi, With Burp running, and configured to work in conjunction with your browser, you will be able to see the requests and responses that are being sent to and from the destination web server by the web application. This should provide you with additional information about how the web application is working "behind the scenes". Are you having issues with setting up Burp to work with your browser or are you having issues interpreting the information that you are receiving from Burp?

Peter | Last updated: Oct 24, 2020 04:25PM UTC

the community version needs hours to brute force these 4 digits, so you'd better forget it.

Ben, PortSwigger Agent | Last updated: Oct 26, 2020 08:26AM UTC

Hi Peter, We are aware of this limitation so we changed this lab so that the solution should always appear in the lower range of possible numbers to make things easier for those people using the Community edition.

You need to Log in to post a reply. Or register here, for free.