{"id":17006013,"url":"https://github.com/aress31/google-authenticator","last_synced_at":"2025-03-22T16:30:51.843Z","repository":{"id":45647092,"uuid":"135308651","full_name":"aress31/google-authenticator","owner":"aress31","description":"Burp Suite plugin that dynamically generates Google 2FA codes for use in session handling rules (approved by PortSwigger for inclusion in their official BApp Store).","archived":false,"fork":false,"pushed_at":"2022-10-15T22:55:34.000Z","size":1963,"stargazers_count":28,"open_issues_count":5,"forks_count":10,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-07-29T20:08:00.980Z","etag":null,"topics":["burp-plugin","burpsuite","google","java","two-factor-authentication"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aress31.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":"aress31","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null}},"created_at":"2018-05-29T14:30:06.000Z","updated_at":"2024-05-26T12:11:28.000Z","dependencies_parsed_at":"2023-01-20T00:57:01.647Z","dependency_job_id":null,"html_url":"https://github.com/aress31/google-authenticator","commit_stats":null,"previous_names":["aress31/googleauthenticator"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fgoogle-authenticator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fgoogle-authenticator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fgoogle-authenticator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fgoogle-authenticator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aress31","download_url":"https://codeload.github.com/aress31/google-authenticator/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244986353,"owners_count":20543000,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["burp-plugin","burpsuite","google","java","two-factor-authentication"],"created_at":"2024-10-14T05:04:47.018Z","updated_at":"2025-03-22T16:30:51.308Z","avatar_url":"https://github.com/aress31.png","language":"Java","funding_links":["https://github.com/sponsors/aress31"],"categories":[],"sub_categories":[],"readme":"# google-authenticator\n\n[![Language](https://img.shields.io/badge/Lang-Java-blue.svg)](https://www.java.com)\n[![License](https://img.shields.io/badge/License-Apache%202.0-red.svg)](https://opensource.org/licenses/Apache-2.0)\n\n## A `Burp Suite` extension to apply the current Google Two-Tactor Authentication (`2FA`) code to relevant/selected requests.\n\nThis `Burp Suite` extension turns `Burp` into a `Google Authenticator` client. The current Google `Two-Factor Authentication (2FA)` code is automatically computed from a given shared secret and applied to bespoke location(s) in relevant requests in real-time.\n\nFurther information on two-factor authentication is available at the following links:\n\n- \u003chttps://en.wikipedia.org/wiki/Google_Authenticator\u003e\n- \u003chttps://tools.ietf.org/html/rfc4226\u003e\n- \u003chttps://tools.ietf.org/html/rfc6238\u003e\n\nFurther information about `Burp` session handling rules is available at the following link:\n\n- \u003chttps://portswigger.net/support/configuring-burp-suites-session-handling-rules\u003e\n\n## Graphic User Interface (`GUI`) overview\n\n![example](images/configuration-1.png)\n\n- Top panel: Secret shared key, used to generate the `Google 2FA` code using the `Time-based One-Time Password (TOTP)` algorithm specified in `RFC4226` and `RFC6238`.\n- Left panel: Regular expression for the session handling rule to match and replace with the current `Google 2FA` code.\n- Right panel: `Google 2FA` generated code in real-time.\n\n## Example\n\n### Problem\n\nWe have been commissioned to perform a web application penetration test on www.foobar.com. This web application implements a login form incorporating `Google 2FA` for an additional layer of defence (prevents automated attacks such as brute forcing attacks). The client provided us with testing credentials along with a link to set up the Google Authenticator mobile application to allow for authenticated testing.\n\nA login is performed using the following request (in this example, the `pin` `JSON` parameter is the `Google 2FA`).\n\n```\nPOST /api/login HTTP/1.1\nHost: foobar.com\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/504482 Firefox/60.0\nAccept: application/json, text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://foobar.com/login\nContent-Type: application/json;charset=utf-8\nContent-Length: 74\nConnection: close\n\n{\"email\":\"ares@foobar.com\",\"password\":\"SuperP@ssw0rd!\",\"pin\":\"504482\"}\n```\n\nFollowing the aforementioned link, we obtain the shared secret (`42TCJUDP94W27YR3`) that the `Time-based One-time Password Algorithm (TOTP)` uses to generate the `Google 2FA` codes.\n\nDuring testing, we observed that the application is being protected by a `Web Application Firewall (WAF)`, logging our test user out each time a malicious payload is detected or if too many requests are sent in a short period of time. This configuration makes it virtually impossible to take advantage of the `Burp Suite` automated scan capabilities.\n\n### Solution\n\n1. Input relevant parameter(s) into the Google Authenticator interface:\n\n   - Shared secret: `42TCJUDP94W27YR3`\n   - Regular expression: `(?\u003c![\\w\\d])\\d{6,8}(?![\\w\\d])`\n\n2. `Project options` -\u003e `Sessions` -\u003e `Session Handling Rules` -\u003e `Add` a `Session Handling Rule` -\u003e `Invoke a Burp extension` -\u003e `Google Authenticator: 2FA code applied to selected parameter`.\n\n   ![example](images/configuration-2.png)\n\n3. Configure the relevant scope for the registered session handling rule.\n\n4. Watch/monitor relevant request(s) getting updated with the valid/refreshed `Google 2FA` code generated by `Google Authenticator` using either `Project options` -\u003e `Sessions` -\u003e `Session Handling Rules` -\u003e `Open session tracer` or the `Logger` tab.\n\n   ![example](images/session-tracer.png)\n\n## Tips\n\n- Use the regex `(?\u003c![\\w\\d])\\d{6,8}(?![\\w\\d])` for optimal results as `Google 2FA` codes are made up of 6 to 8 digits according to the relevant RFCs.\n- Restrict the scope of the session handling rule down to the request(s) containing the `Google 2FA` code only.\n\n## Installation\n\n### Compilation\n\n1. Install and configure [Gradle](https://gradle.org/).\n\n2. Download this repository.\n\n   ```bash\n   git clone https://github.com/aress31/googleauthenticator\n   cd .\\googleauthenticator\\\n   ```\n\n3. Create the standalone `jar`:\n\n   ```bash\n   gradle fatJar\n   ```\n\n### Loading the extension into the `Burp Suite`\n\nIn `Burp Suite`, under the `Extender/Options` tab, click on the `Add` button and load the `googleauthenticator-all` jar file located in the `.\\build\\libs` folder.\n\nAlternatively, you can now directly install/load this extension from the [BApp Store](https://portswigger.net/bappstore/fb3685f958f8424493945c6c60c0920c).\n\n_Note: The version distributed on the `BApp Store` might be behind the version available on this repository._\n\n## Roadmap\n\n- [ ] Add additional features, maybe support for `Microsoft Authenticator`.\n- [ ] Beautify the `GUI`.\n- [ ] Implement a `JTable` to view modified requests in real-time.\n- [ ] Leverage the `IHttpListener` interface and rework the filers in order to provide users with more ways of processing request(s).\n- [ ] Source code optimisation.\n\n## Sponsor 💖\n\nIf you want to support this project and appreciate the time invested in developping, maintening and extending it; consider donating toward my next cup of coffee. ☕\n\nIt is easy, all you got to do is press the `Sponsor` button at the top of this page or alternatively [click this link](https://github.com/sponsors/aress31). 💸\n\n## Reporting Issues\n\nFound a bug? I would love to squash it! 🐛\n\nPlease report all issues on the GitHub [issues tracker](https://github.com/aress31/googleauthenticator/issues).\n\n## Contributing\n\nYou would like to contribute to better this project? 🤩\n\nPlease submit all `PRs` on the GitHub [pull requests tracker](https://github.com/aress31/googleauthenticator/pulls).\n\n## License\n\nSee [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faress31%2Fgoogle-authenticator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faress31%2Fgoogle-authenticator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faress31%2Fgoogle-authenticator/lists"}