https://github.com/aress31/google-authenticator

Burp Suite plugin that dynamically generates Google 2FA codes for use in session handling rules (approved by PortSwigger for inclusion in their official BApp Store).

burp-plugin burpsuite google java two-factor-authentication

# google-authenticator

[![Language](https://img.shields.io/badge/Lang-Java-blue.svg)](https://www.java.com)
[![License](https://img.shields.io/badge/License-Apache%202.0-red.svg)](https://opensource.org/licenses/Apache-2.0)

## A `Burp Suite` extension to apply the current Google Two-Factor Authentication (`2FA`) code to relevant/selected requests.

This `Burp Suite` extension turns `Burp` into a `Google Authenticator` client. The current Google `Two-Factor Authentication (2FA)` code is computed in real time from a given shared secret and written into the configured location(s) in the matching requests, so that Burp's automated tooling keeps working through a 2FA-protected login.

Further information on two-factor authentication is available at the following links:

-
-
-

Further information about `Burp` session handling rules is available at the following link:

-

## Graphic User Interface (`GUI`) overview

![example](images/configuration-1.png)

- Top panel: the shared secret key (the Base32 string shown when enrolling the authenticator app), used to generate the `Google 2FA` code with the `Time-based One-Time Password (TOTP)` algorithm of `RFC 6238`, which builds on the `HMAC-based One-Time Password (HOTP)` algorithm of `RFC 4226`.
- Left panel: regular expression that the session handling rule uses to locate the value in the request that is replaced with the current `Google 2FA` code.
- Right panel: the `Google 2FA` code generated in real time.

## Example

### Problem

We have been commissioned to perform a web application penetration test on www.foobar.com. This web application implements a login form incorporating `Google 2FA` as an additional layer of defence (it hinders automated attacks such as credential brute forcing). The client provided us with testing credentials along with a link to set up the Google Authenticator mobile application to allow for authenticated testing.

A login is performed using the following request (in this example, the `pin` `JSON` parameter carries the `Google 2FA` code).

```http
POST /api/login HTTP/1.1
Host: foobar.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/504482 Firefox/60.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://foobar.com/login
Content-Type: application/json;charset=utf-8
Content-Length: 70
Connection: close

{"email":"ares@foobar.com","password":"SuperP@ssw0rd!","pin":"504482"}
```

Following the set-up link provided by the client, we obtain the shared secret (`42TCJUDP94W27YR3`) from which the `Time-based One-time Password Algorithm (TOTP)` derives the `Google 2FA` codes.

During testing, we observed that the application is protected by a `Web Application Firewall (WAF)` that logs our test user out each time a malicious payload is detected or when too many requests are sent in a short period of time. Every logout forces a new login with a fresh, time-limited `2FA` code, so without automating the code generation it is virtually impossible to take advantage of the `Burp Suite` automated scan capabilities.

### Solution

1. Input the relevant parameter(s) into the Google Authenticator interface:

- Shared secret: `42TCJUDP94W27YR3`
- Regular expression: `(?` (the full expression is cut off on this page)

2. Register the session handling rule: `Project options` -> `Sessions` -> `Session Handling Rules` -> `Add` a `Session Handling Rule` -> `Invoke a Burp extension` -> `Google Authenticator: 2FA code applied to selected parameter`.

![example](images/configuration-2.png)

3. Configure the relevant scope for the registered session handling rule.

4. Monitor the relevant request(s) getting updated with the valid, refreshed `Google 2FA` code generated by `Google Authenticator`, using either `Project options` -> `Sessions` -> `Session Handling Rules` -> `Open session tracer` or the `Logger` tab.

![example](images/session-tracer.png)
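The two halves of the procedure above, computing the current code from the shared secret (the top panel) and substituting it into the location matched by the regular expression (the left panel), as an added Python example. This is not code from the google-authenticator extension, which is written in Java; it implements `HOTP` (`RFC 4226`) and `TOTP` (`RFC 6238`) with the Google Authenticator defaults (`HMAC-SHA1`, 30-second time step, six digits) using only the standard library, then splices the code into a constructed copy of the login request shown earlier and recomputes `Content-Length`. The secret used is the `RFC 6238` test key in Base32 rather than the page's illustrative `42TCJUDP94W27YR3`: Google Authenticator secrets are Base32 (alphabet `A`-`Z` and `2`-`7`), and that string contains a `9`, which the decoder below rejects instead of silently producing a wrong code. The lookbehind pattern `(?<="pin":")\d{6}(?=")` is this example's own choice for the `pin` parameter, not the page's expression.

```python
"""Added example, not part of the google-authenticator Burp extension.

Generates a Google Authenticator (TOTP) code from a Base32 shared secret and
applies it to a captured login request, as a session handling rule would.
"""
import base64
import hashlib
import hmac
import re
import struct
import time

# RFC 4648 Base32 alphabet; Google Authenticator secrets use it (no 0, 1, 8, 9).
_BASE32_RE = re.compile(r"^[A-Z2-7]+=*$")

# RFC 6238 test key ("12345678901234567890" in ASCII) encoded as Base32.
# Constructed for this example; replace with the secret from the enrolment link.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def is_valid_secret(secret: str) -> bool:
    """True if the secret, ignoring spaces and case, is well-formed Base32."""
    return bool(_BASE32_RE.match(secret.replace(" ", "").upper()))


def decode_secret(secret: str) -> bytes:
    """Decode a shared secret to the raw HMAC key, rejecting non-Base32 input."""
    cleaned = secret.replace(" ", "").upper()
    if not is_valid_secret(cleaned):
        raise ValueError("secret is not valid Base32 (alphabet A-Z, 2-7)")
    cleaned += "=" * (-len(cleaned) % 8)  # b32decode insists on padded 8-char groups
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    `at` is a Unix timestamp; None means now."""
    now = time.time() if at is None else at
    return hotp(decode_secret(secret), int(now // step), digits)


# This example's own regex for the `pin` JSON parameter (lookbehind/lookahead
# keep the quotes so only the six digits are replaced).
PIN_PATTERN = re.compile(r'(?<="pin":")\d{6}(?=")')

# Constructed copy of the login request from the README, with a stale pin.
SAMPLE_REQUEST = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: foobar.com\r\n"
    b"Content-Type: application/json;charset=utf-8\r\n"
    b"Content-Length: 70\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b'{"email":"ares@foobar.com","password":"SuperP@ssw0rd!","pin":"000000"}'
)


def apply_code(request: bytes, code: str) -> bytes:
    """Replace the pin in the JSON body with `code` and refresh Content-Length,
    so the rewritten request stays well-formed even if the length changes."""
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no body")
    new_body = PIN_PATTERN.sub(code, body.decode(), count=1).encode()
    new_head = re.sub(
        rb"(?im)^Content-Length:\s*\d+",
        b"Content-Length: %d" % len(new_body),
        head,
    )
    return new_head + sep + new_body


if __name__ == "__main__":
    current = totp(TEST_SECRET)
    print(apply_code(SAMPLE_REQUEST, current).decode())
```

Run it and the printed request carries the code valid for the current 30-second window; the same `totp` call with the `RFC 6238` timestamps (for example `at=59`) reproduces the RFC's published SHA-1 vectors truncated to six digits, which is a quick way to confirm that a secret has been transcribed correctly before wiring it into the extension.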

## Tips

- Use the regex `(?` (the rest of this tip is cut off on this page)