How to stop a webpage timing out when bruteforcing with burp?

So I was trying to bruteforce a 2FA code for the portswigger business logic flaw lab (link at the end) and at one point all the responses were saying that the page timed out. Also does burp stop when kali auto-locks? Because I left it for 7 hours and it only did about 500 options which I could do in an hour when I wasn’t afk.

Link:

Bruteforcing can’t be a technique that portswigger lab provides. Even if it so, it wouldn’t take that much time.
You might did something wrong.

Type your comment> @gunroot said:

Bruteforcing can’t be a technique that portswigger lab provides. Even if it so, it wouldn’t take that much time.
You might did something wrong.

Using burp intruder I meant, to change the 2FA code until it is valid. I have 9999 different options because it is a code

I think something is going wrong here. It shouldn’t take 9999 attempts to brute force it and although Burp Intruder is slow (especially if you have the free product), it shouldn’t take 8 hours.

If the responses are timing out, then the server isn’t responding. Thats a server problem (maybe the lab has crashed) rather than something at your end.

Type your comment> @TazWake said:

I think something is going wrong here. It shouldn’t take 9999 attempts to brute force it and although Burp Intruder is slow (especially if you have the free product), it shouldn’t take 8 hours.

If the responses are timing out, then the server isn’t responding. Thats a server problem (maybe the lab has crashed) rather than something at your end.

So while I was doing another lab I found out that you don’t need to have a request on hold, you can just leave it. I had a request intercepted and being held. By the way, does burp stop if you get logged out automatically in kali?

@wh4ck said:

By the way, does burp stop if you get logged out automatically in kali?

I don’t know, but probably as its a GUI tool. I’d suggest turning off the automatic logout/lockscreens etc in Kali.

wait it says Server Error: Gateway Timeout - I can’t use intruder for any lab since it times out

@wh4ck said:

wait it says Server Error: Gateway Timeout - I can’t use intruder for any lab since it times out

Ok - you have a networking problem. Something isn’t working. Chances are its a proxy error. Look how you have everything set up. If you need a VPN make sure it is working.

I’m using the free version of protonVPN and my proxy settings are a manual connection on firefox with 127.0.0.1:8080 on all protocols with SOCKS v5.
Thanks for sticking around to help with the problem btw

A lot of this will depend on what the lab settings are, so I don’t know if I can help really.

The error means something is failing to work and you have a lot of technology in line there.

Start with opening it in a browser and see what it responds with. Then work from there to try and identify which bit of the tech stack is causing the issue.

@TazWake said:
A lot of this will depend on what the lab settings are, so I don’t know if I can help really.

The error means something is failing to work and you have a lot of technology in line there.

Start with opening it in a browser and see what it responds with. Then work from there to try and identify which bit of the tech stack is causing the issue.

I’ve got the feeling it might be the vpn that is throttling the connection when I leave burp at it. If you have any reccommendations, I’m all ears. Also the VPN is not on the VM, it is on my desktop (I use a kali vm on windows (vmware)).

Sadly it is nearly impossible to remotely troubleshoot this, sorry. So much depends on how you have your system set up.

Do you need to use the VPN?

As a rule of thumb I’d try:

  1. connect to the server with a web browser and no proxies
  2. if that works, set up the browser to use burp as a proxy and try again
  3. if that works everything is good

If any step doesn’t work you need to look at what is happening - where the traffic is flowing, what messages you get etc.

Type your comment> @TazWake said:

Sadly it is nearly impossible to remotely troubleshoot this, sorry. So much depends on how you have your system set up.

Do you need to use the VPN?

As a rule of thumb I’d try:

  1. connect to the server with a web browser and no proxies
  2. if that works, set up the browser to use burp as a proxy and try again
  3. if that works everything is good

If any step doesn’t work you need to look at what is happening - where the traffic is flowing, what messages you get etc.

The lab is a website… It is PortSwigger Academy and it is fine, I can intercept and do all sorts and get through a large amount of intruder requests but near 400 it times out.

@wh4ck said:

Type your comment> @TazWake said:

Sadly it is nearly impossible to remotely troubleshoot this, sorry. So much depends on how you have your system set up.

Do you need to use the VPN?

As a rule of thumb I’d try:

  1. connect to the server with a web browser and no proxies
  2. if that works, set up the browser to use burp as a proxy and try again
  3. if that works everything is good

If any step doesn’t work you need to look at what is happening - where the traffic is flowing, what messages you get etc.

The lab is a website… It is PortSwigger Academy and it is fine, I can intercept and do all sorts and get through a large amount of intruder requests but near 400 it times out.

OK - it might be falling over under your brute force attack. Maybe there is a better way.

Type your comment> @TazWake said:

@wh4ck said:

Type your comment> @TazWake said:

Sadly it is nearly impossible to remotely troubleshoot this, sorry. So much depends on how you have your system set up.

Do you need to use the VPN?

As a rule of thumb I’d try:

  1. connect to the server with a web browser and no proxies
  2. if that works, set up the browser to use burp as a proxy and try again
  3. if that works everything is good

If any step doesn’t work you need to look at what is happening - where the traffic is flowing, what messages you get etc.

The lab is a website… It is PortSwigger Academy and it is fine, I can intercept and do all sorts and get through a large amount of intruder requests but near 400 it times out.

OK - it might be falling over under your brute force attack. Maybe there is a better way.

Unfortunately thats what it says in the solution - use burp intruder to bruteforce (value).

@wh4ck said:

Unfortunately thats what it says in the solution - use burp intruder to bruteforce (value).

But it depends on how you brute force. It could be there is a way to limit the range of options or adjust how the requests work.

It seems odd for them to create a server which needs to be brute forced but then falls over when it is brute forced.

As I said, I don’t have an answer here - I’ve never looked at the lab and don’t know how your environment is set up.

Oh well then, I guess I’ll see what I can find in the portswigger forum, thanks a lot for your help though!

Oh, well it seems there is a timeout for the lab implemented by PortSwigger - and as a beginner I cannot afford nor want the pro version of burp since I probably won’t be able to use half the features effectively. Thanks!

@wh4ck said:

Oh, well it seems there is a timeout for the lab implemented by PortSwigger - and as a beginner I cannot afford nor want the pro version of burp since I probably won’t be able to use half the features effectively. Thanks!

Ok, there are always going to be limits on what is available for free.

This isn’t an obstacle though - its a chance to learn other things. For example, with Burp intruder you learn how to do a point and click brute force, where the only hard bit is identifying the vulnerable application logic.

Now you can learn other things.

For example, the python requests module allows you to create a script which will brute force it for you.

At a high level you’d probably want to look look at something like:

import requests

for i in range(9999):
    print("Attempt: ", i)
    payload = {"data you want to send"}
    response = requests.post('URL', payload) 
    print(response.status_code) 
    print(response.text) 

Obviously, you’d want to tidy it up, but with some tweaking you can use this to build your own python 2FA bypass script.