Professional Community

Google Authenticator

Google Authenticator transforms Burp Suite into a fully functional Time-based One-Time Password (TOTP) client that automatically generates and applies current 2FA codes to HTTP requests in real-time. This extension is essential for testing applications protected by Google 2FA, enabling seamless automated scanning and manual testing without the need to constantly generate codes from a mobile authenticator app.

Features

  • Real-time TOTP code generation using shared secrets from Google Authenticator setup
  • Automatic 2FA code replacement in HTTP requests via configurable regular expressions
  • Session handling rule integration for seamless workflow with Scanner, Intruder, and Repeater
  • Live code display with 30-second refresh cycle matching standard TOTP timing
  • Pattern matching support for flexible code placement in various request formats
  • Session tracer integration for monitoring code replacements

Usage

  1. Obtain the shared secret from your Google Authenticator setup (typically provided as a QR code or base32 string)
  2. Enter the shared secret in the Google Authenticator tab within Burp Suite
  3. Configure a regular expression to match 2FA codes in your requests (recommended: (?<![\w\d])\d{6,8}(?![\w\d]))
  4. Navigate to "Settings → Sessions → Session Handling Rules" and add a new rule
  5. Select "Invoke a Burp extension" and choose "Google Authenticator: 2FA code applied to selected parameter"
  6. Configure the rule scope to target only requests containing 2FA parameters
  7. Monitor code replacements using the Session Tracer or Logger tab
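
As an added illustration (not the extension's own code), the Python sketch below computes an RFC 6238 code from a base32 shared secret and applies it with the pattern recommended in step 3, alongside a narrower single-parameter variant. The secret is the RFC 6238 test key, and the request body, parameter names and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
import struct
import time

# Pattern recommended in step 3 of the usage list.
CODE_RE = re.compile(r"(?<![\w\d])\d{6,8}(?![\w\d])")

# RFC 6238 test key ("12345678901234567890") in base32; not a real secret.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed request body: one 2FA parameter plus an unrelated 6-digit value.
SAMPLE = "username=alice&order_id=482913&otp=000000"


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP using HMAC-SHA1 and a 30-second time step."""
    # Normalise the secret: drop spaces, upper-case, restore base32 padding.
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def apply_code(text, code, pattern=CODE_RE):
    """Replace every match of the pattern; return (new_text, match_count)."""
    return pattern.subn(code, text)


def apply_to_param(body, name, code):
    """Narrower variant: rewrite only the value of one named parameter."""
    scoped = re.compile(
        r"(?<![\w\d])(" + re.escape(name) + r"=)\d{6,8}(?![\w\d])")
    # A function replacement avoids "\1" running into the digits of the code.
    return scoped.subn(lambda m: m.group(1) + code, body)


if __name__ == "__main__":
    code = totp(SECRET)
    print("current code:", code)
    print("recommended pattern:", apply_code(SAMPLE, code))
    print("single parameter:  ", apply_to_param(SAMPLE, "otp", code))
```

On the sample body the recommended pattern also rewrites order_id, which is why step 6 limits the rule to requests that carry the 2FA parameter.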

Author

Alexandre Teyar, Aegis Cyber (www.aegiscyber.co.uk)

Version

1.2.0

Last updated

05 September 2025

Estimated system impact

Overall impact: Low

Memory: Low
CPU: Low
General: Low
Scanner: Low

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
