Burp Suite User Forum


X-Forwarded-For, Macro, Turbo Intruder

Moses | Last updated: Feb 05, 2022 07:43AM UTC

Hello, first of all I want to thank PortSwigger for the learning opportunity they have presented to us for learning about web security. I personally have really gained confidence, knowledge and skills through your Web Security Academy. I totally appreciate you for that.

In the tutorial for "Lab: Username enumeration via response timing" I noted the use of X-Forwarded-For to bypass the IP block through header injection. I will quote the statement: "On the Payloads tab, select payload set 1. Select the Numbers payload type. Enter the range 1 - 100 and set the step to 1. Set the max fraction digits to 0. This will be used to spoof your IP." Basically, from my own understanding, we will increment payload set 1 (X-Forwarded-For) with numerical data, meaning X-Forwarded-For: 1, X-Forwarded-For: 2 ... 100. A typical IP address, let's say a public IP, will be 18.200.131.119 (a random IP :)). The server receiving my request will notice my IP is X-Forwarded-For: 2 instead of X-Forwarded-For: 18.200.131.119, which conforms to Classless Inter-Domain Routing (CIDR). How is it possible for the server to process X-Forwarded-For: 1-100 (the range we used in payload set 1)?

In the "Vulnerabilities in multi-factor authentication" topic, in "Lab: 2FA bypass using a brute-force attack", we used macros: under Select macro, click Add to open the Macro Recorder. Select the following 3 requests: GET /login, POST /login, GET /login2. Then click OK. The Macro Editor dialog opens. The first GET /login request was presented to us immediately when we accessed the login page; in the POST we sent our credentials to the server; the second GET request was for the MFA. We used macros; a macro is used to automate a process or processes, right? If we submit two wrong MFA keys the session logs us out and asks us to log in again. Let's say after the POST /login request we were given a 9794 key; we sent two wrong keys, so basically we will be logged out. Once we log in afresh we will be presented with a different MFA key, for example 8467. If we try to brute-force this, logically on the first two attempts we are logged out. How does the macro prevent us from being logged out after two attempts and presented with a new MFA key, considering we will attempt to brute-force the key and send multiple guesses of the MFA?

I like Turbo Intruder; dude, that extender is pretty powerful. Basically I use it for brute-forcing :) Does it have a Grep Match option? Thank you.

Hannah, PortSwigger Agent | Last updated: Feb 10, 2022 02:07PM UTC

Lab: Username enumeration via response timing - How is it possible for the server to process X-forwarded-for:1-100(the range we used in the payload set 1)?
In this example case, the server will accept any input for the "X-Forwarded-For" header. It is expected that the user would spoof an IP in the normal manner, by using a full IP address and replacing the final octet with a different value, but in this scenario it is not necessary.

Lab: 2FA bypass using a brute-force attack - How does Macro prevent us from being logged out after two attempts and presented with a new set of MFA considering we will attempt to brute force the key and send multiple guesses of the MFA?
In this case, as you haven't ever sent the second incorrect 4-digit code (triggering a logout and code reset), the 2FA code never gets reset, so you are able to brute-force this login mechanism.

Turbo Intruder - Does it have a Grep Match option?
Yes, it does. You can find out more information in the documentation article under the heading "Filtering boring results". You can also find out more here.
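The first answer above (the server "will accept any input" for X-Forwarded-For) is easiest to see in code. The following is an added, constructed model of an IP-based lockout, not the lab's real server code: the failure counter is keyed on whatever string the client sent in X-Forwarded-For, so the Numbers payload 1 to 100 is seen as 100 different clients and the lock is never reached. The hardened variant next to it only honours the header when the TCP peer is a proxy the site operates, and then takes the last hop rather than the client-controlled first one. The username `victim`, password `s3cret`, the word list and the addresses 203.0.113.5 and 10.0.0.2 are all constructed for the example.

```python
from collections import defaultdict

# Constructed model of an IP-based lockout (not the lab's real server code).
# The vulnerable version keys the failure counter on whatever string the
# client sent in X-Forwarded-For, so "1", "2", ... "100" are 100 different
# "clients" and the lock is never reached.
MAX_FAILURES = 3
USERS = {"victim": "s3cret"}   # constructed credentials for the example
WORDLIST = ["123456", "password", "letmein", "qwerty", "admin",
            "welcome", "dragon", "s3cret", "monkey", "football"]   # constructed


def client_key_vulnerable(headers, remote_addr, trusted_proxies=frozenset()):
    """Trust X-Forwarded-For blindly and fall back to the socket address."""
    return headers.get("X-Forwarded-For", remote_addr)


def client_key_hardened(headers, remote_addr, trusted_proxies=frozenset()):
    """Honour X-Forwarded-For only when the TCP peer is a proxy we operate,
    and then use the LAST hop (the address that proxy appended), never the
    first, which the end client can set to anything."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    return hops[-1] if hops else remote_addr


class LoginService:
    def __init__(self, key_fn, trusted_proxies=frozenset()):
        self.key_fn = key_fn
        self.trusted_proxies = trusted_proxies
        self.failures = defaultdict(int)   # client key -> consecutive failures

    def login(self, headers, remote_addr, username, password):
        key = self.key_fn(headers, remote_addr, self.trusted_proxies)
        if self.failures[key] >= MAX_FAILURES:
            return "blocked"
        if USERS.get(username) == password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "invalid"


def brute_force(service, remote_addr, username, wordlist):
    """Try every password once, spoofing X-Forwarded-For: 1, 2, 3, ... exactly
    like the Numbers payload in the lab. Returns one result per attempt."""
    results = []
    for i, password in enumerate(wordlist, start=1):
        headers = {"X-Forwarded-For": str(i)}
        results.append(service.login(headers, remote_addr, username, password))
    return results


if __name__ == "__main__":
    attacker = "203.0.113.5"   # constructed attacker address
    print(brute_force(LoginService(client_key_vulnerable), attacker, "victim", WORDLIST))
    print(brute_force(LoginService(client_key_hardened), attacker, "victim", WORDLIST))
```

Against the vulnerable service every guess lands in a fresh bucket and the eighth attempt succeeds; against the hardened one the header is ignored because the attacker connects directly, so the fourth and later attempts are blocked. Nothing about "1" has to look like an IP address for the bypass to work: the value is only ever used as a dictionary key.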
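The second answer (the macro means the second incorrect code is never sent, so the code is never reset) can be modelled the same way. Below is an added, constructed model of the lab's 2FA step, not PortSwigger's code: the 4-digit code belongs to the user and a fresh login reuses it; only the second wrong guess inside one session logs that session out and re-issues the code. Running the macro before every request makes each guess the first failure of a brand-new session, so the reset never fires. A hardened variant that counts failures per user across sessions is included for contrast. The username `victim` and the codes 9794 and 8467 (the values from the question) are constructed inputs.

```python
import itertools

# Constructed model of the lab's 2FA step (not PortSwigger's server code),
# following the explanation above: the code belongs to the user, a fresh login
# reuses it, and only the SECOND wrong guess in a session logs the session out
# and re-issues the code.
MAX_MFA_FAILURES = 2


class MfaService:
    def __init__(self, code_source):
        self.code_source = code_source   # callable returning the next 4-digit code
        self.codes = {}                  # username -> outstanding code
        self.sessions = {}               # session id -> {"user": ..., "failures": ...}
        self.next_sid = itertools.count(1)
        self.logins = 0

    def login(self, user):
        """GET /login, POST /login (valid credentials), GET /login2.
        Does not mint a new code if one is outstanding for the user."""
        self.logins += 1
        if user not in self.codes:
            self.codes[user] = self.code_source()
        sid = next(self.next_sid)
        self.sessions[sid] = {"user": user, "failures": 0}
        return sid

    def verify(self, sid, guess):
        """POST /login2 with a 4-digit guess."""
        sess = self.sessions.get(sid)
        if sess is None:
            return "logged_out"
        user = sess["user"]
        if guess == self.codes[user]:
            del self.codes[user]                   # consumed
            return "ok"
        sess["failures"] += 1
        if sess["failures"] >= MAX_MFA_FAILURES:
            del self.sessions[sid]                 # logged out ...
            self.codes[user] = self.code_source()  # ... and the code is reset
            return "logged_out"
        return "invalid"


class PerUserMfaService(MfaService):
    """Hardened variant: wrong guesses are counted per user across sessions,
    so re-authenticating before each guess does not restart the counter."""
    def __init__(self, code_source):
        super().__init__(code_source)
        self.user_failures = {}

    def verify(self, sid, guess):
        sess = self.sessions.get(sid)
        if sess is None:
            return "logged_out"
        user = sess["user"]
        if guess == self.codes[user]:
            self.user_failures.pop(user, None)
            del self.codes[user]
            return "ok"
        self.user_failures[user] = self.user_failures.get(user, 0) + 1
        if self.user_failures[user] >= MAX_MFA_FAILURES:
            # drop every session of this user, not just the current one
            self.sessions = {s: v for s, v in self.sessions.items() if v["user"] != user}
            self.codes[user] = self.code_source()
            self.user_failures.pop(user, None)
            return "logged_out"
        return "invalid"


def brute_force_without_macro(service, user):
    """One login, then 0000..9999 inside that single session."""
    sid = service.login(user)
    for guess in range(10000):
        result = service.verify(sid, "%04d" % guess)
        if result == "ok":
            return guess
        if result == "logged_out":
            return None   # second wrong guess: session gone, code re-issued
    return None


def brute_force_with_macro(service, user):
    """What the session handling rule does: run the recorded macro (a fresh
    login) before every request, so each guess is the first failure of a
    brand-new session and the reset never fires."""
    for guess in range(10000):
        sid = service.login(user)   # the macro
        if service.verify(sid, "%04d" % guess) == "ok":
            return guess
    return None
```

Without the macro the attack dies on the second guess and the code changes; with the macro all 10000 guesses are the first failure of their own session, so a sequential sweep is guaranteed to hit the outstanding code. The per-user counter closes that hole because the counter no longer belongs to the thing the attacker can renew.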
