brute forcing 2FA authentication : macros in ZAP


Herbert Eduardo Fernandez Tamayo

Feb 28, 2022, 6:40:07 AM
to OWASP ZAP User Group
Hey guys, is there any function like Macros in ZAP for brute forcing 2FA? The exercise has a max number of attempts protection, so I understand that if I use a sequence, like a Macro, I can bypass it.

Thanks a lot

ricekot

Feb 28, 2022, 9:33:18 AM
to OWASP ZAP User Group
I am assuming you are referring to Burp Macros. In this case, one way might be to use an HTTP Sender script along with a script variable.
For example, the following script will print to the script console output panel once every 5 requests made by ZAP (e.g. via the Fuzzer). 
See https://www.zaproxy.org/docs/desktop/addons/script-console/ for more information about script types and variables.

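// HTTP Sender script: keeps a request counter in a global script variable.
var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");
ScriptVars.setGlobalCustomVar("fuzzCount", 0);

// Called by ZAP before each request is sent.
function sendingRequest(msg, initiator, helper) {
    var count = ScriptVars.getGlobalCustomVar("fuzzCount");
    // True once every 5 requests (count 0, 5, 10, ...)
    if (count % 5 == 0) {
        // Do something
        print("count = ", count);
    }
    ScriptVars.setGlobalCustomVar("fuzzCount", count + 1);
}

// Called by ZAP after each response is received.
function responseReceived(msg, initiator, helper) {
    // Nothing to do here
}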

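The question above assumes that an attempt limit can be sidestepped by repeating a request sequence, which only holds when the server ties its failure counter to the session rather than to the account. As an added example that is not part of the original posts (the class, limits, account name and traffic are all assumptions), this compares the two ways of keying a 2FA failure counter on the server side:

```javascript
// Added example, not from the thread: names, limits and traffic are assumptions.
const MAX_FAILURES = 3;           // assumed policy
const LOCK_MS = 15 * 60 * 1000;   // assumed lockout window

// Counts failed 2FA codes under a key chosen by keyOf(ctx).
class OtpLimiter {
  constructor(keyOf) { this.keyOf = keyOf; this.state = new Map(); }

  // True if a submitted code may be compared against the secret at all.
  mayVerify(ctx, now) {
    const s = this.state.get(this.keyOf(ctx));
    return !s || s.failures < MAX_FAILURES || now >= s.lockedUntil;
  }

  recordFailure(ctx, now) {
    const k = this.keyOf(ctx);
    let s = this.state.get(k);
    // Start a fresh window only once an earlier lockout has expired.
    if (!s || (s.failures >= MAX_FAILURES && now >= s.lockedUntil)) {
      s = { failures: 0, lockedUntil: 0 };
    }
    s.failures += 1;
    if (s.failures >= MAX_FAILURES) s.lockedUntil = now + LOCK_MS;
    this.state.set(k, s);
  }

  // Only a correct code clears the counter; a new login must not.
  recordSuccess(ctx) { this.state.delete(this.keyOf(ctx)); }
}

// Constructed traffic: `logins` fresh sessions for one account, each sending
// `perLogin` wrong codes one second apart. Returns how many codes the server
// actually compared, i.e. how much of the code space was exposed.
function codesEvaluated(limiter, logins, perLogin) {
  let evaluated = 0, now = 0;
  for (let s = 0; s < logins; s++) {
    const ctx = { sessionId: "sess-" + s, account: "alice" };
    for (let i = 0; i < perLogin; i++, now += 1000) {
      if (!limiter.mayVerify(ctx, now)) continue;
      evaluated++;
      limiter.recordFailure(ctx, now);
    }
  }
  return evaluated;
}

const perSession = new OtpLimiter(ctx => ctx.sessionId); // weak: resets on re-login
const perAccount = new OtpLimiter(ctx => ctx.account);   // hardened
console.log(codesEvaluated(perSession, 10, 2), codesEvaluated(perAccount, 10, 2));
```

With the counter keyed per session every submitted code is evaluated, while keying it per account stops evaluation after the third failure regardless of how many sessions are opened.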