Burp Suite plugin that dynamically generates Okta TOTP 2FA code for use in session handling rules

PortSwigger/okta-totp-authenticator

OktaTOTPAuthenticator

Burp Suite plugin that dynamically generates Okta TOTP 2FA codes for use in session handling rules.

How to Configure:

  1. Load the extension via Extensions > Installed > Add, set Extension Type to Java and choose the jar file.
  2. Open the Okta TOTP Authenticator tab. Either import the enrollment QR code or enter the shared secret manually in the Shared Secret field, click 'Update', and adjust the Regex Pattern if the default does not match the field the target application uses for the code.
  3. Go to Settings > Search > Sessions.
  4. Under Session handling rules, go to Add > Rule actions > Add > Invoke a Burp extension, select 'Okta TOTP Handler' from the dropdown list and click OK.
  5. Click across to the Scope tab and make sure the Tools scope boxes for Scanner and Repeater are checked.
  6. Configure the URL scope appropriately and click OK.
  7. Burp Suite Professional can now test Okta-protected applications: each in-scope request from Scanner or Repeater has a current TOTP code injected before it is sent.

Default Regex Pattern: (?<![\w\d])\d{6,8}(?![\w\d])

This matches a standalone run of 6 to 8 digits that is not adjacent to a letter, digit or underscore. Every such run in an in-scope request is replaced, so narrow the pattern (for example by anchoring it on the name of the code field) when the request also carries other 6-to-8-digit values.

The Okta TOTP Authenticator extension integrates seamlessly with Burp Suite Pro to:

  1. Handle TOTP generation for Okta accounts.
  2. Inject generated TOTP codes dynamically into HTTP requests.
  3. Simplify workflows by allowing users to upload QR codes or manually configure shared secrets.
  4. Support regex-based customization to identify where TOTP codes should be injected.

Features of the Extension

  1. The extension allows users to upload the QR code associated with their Okta account. It decodes the QR code, extracts the shared secret and stores it Base64-encoded. Base64 is an encoding, not encryption: the stored secret is equivalent to the second factor, so protect the Burp project and configuration files that contain it.
  2. For scenarios where a QR code is unavailable, the shared secret can be entered and updated manually in the extension's user interface (UI).
  3. The generated TOTP code is prominently displayed in the UI and refreshes every 30 seconds, the default TOTP time step (RFC 6238).
  4. Users can specify a regex pattern to identify where TOTP codes need to be injected in HTTP requests. The default regex can be customized via the UI.
  5. The extension integrates with Burp Suite's session handling rules, enabling automatic TOTP injection into requests without manual intervention.
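The pieces that configuration step 2, the default regex pattern and features 1, 3 and 4 rely on, shown as an added worked example in Python rather than the plugin's own Java code: how the shared secret travels inside an enrollment QR code (an otpauth://totp URI carrying a Base32-encoded secret), how a TOTP code is derived from it (RFC 6238: HMAC over the time-step counter, here with the 30-second default), when the displayed code changes, and how the default pattern selects the field of an outgoing request that gets overwritten. The function names, the sample URI and the sample request are constructed for this illustration; the secret is the RFC 6238 Appendix B test key.

```python
import base64
import hashlib
import hmac
import re
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Default pattern from the README: a standalone run of 6 to 8 digits.
DEFAULT_PATTERN = re.compile(r"(?<![\w\d])\d{6,8}(?![\w\d])")

# Constructed sample: what a TOTP enrollment QR code typically encodes.
# The secret is the RFC 6238 Appendix B test key ("12345678901234567890" in Base32).
SAMPLE_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)

# Constructed sample request: a factor verification call carrying a stale passCode.
SAMPLE_REQUEST = (
    "POST /api/v1/authn/factors/ufs1abc/verify HTTP/1.1\r\n"
    "Host: example.okta.com\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"stateToken":"00Ab12345678","passCode":"000000"}'
)


def parse_otpauth_uri(uri):
    """Pull the TOTP parameters out of an otpauth://totp/<label>?... URI (hypothetical helper)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": params["secret"][0],  # Base32, possibly without '=' padding
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def totp(secret_b32, unix_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP (RFC 4226) with the counter set to floor(unix_time / period)."""
    if unix_time is None:
        unix_time = int(time.time())
    # Authenticator secrets are often shown without '=' padding; restore it before decoding.
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", unix_time // period)
    digestmod = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(key, counter, digestmod).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def seconds_until_refresh(unix_time, period=30):
    """Seconds left in the current time step: the code changes at step boundaries, not 30 s after load."""
    return period - unix_time % period


def inject_code(request_text, code, pattern=DEFAULT_PATTERN):
    """Overwrite every token the pattern matches, as the session handling action does to an outgoing request."""
    return pattern.sub(code, request_text)


if __name__ == "__main__":
    params = parse_otpauth_uri(SAMPLE_URI)
    now = int(time.time())
    code = totp(params["secret"], now, params["digits"], params["period"], params["algorithm"])
    print(f"code {code} valid for another {seconds_until_refresh(now, params['period'])}s")
    print(inject_code(SAMPLE_REQUEST, code))
```

In the sample request only the passCode is rewritten: the digits inside "00Ab12345678" sit directly after a letter, so the lookbehind rejects them. A purely numeric stateToken, order ID or similar value of 6 to 8 digits would not be protected that way and would be overwritten as well; for such targets replace the default with a pattern anchored on the field name, for example `(?<="passCode":")\d{6,8}`, before enabling the rule.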

How to build jar file using Gradle:

  1. Clone the repo.
  2. Install the latest version of Gradle (follow Gradle's installation instructions).
  3. Once Gradle is installed, run gradle fatJar from the root of the cloned repository on the command line.
  4. The jar file is generated under build/libs/ in the repository (OktaAuthenticate-1.0-SNAPSHOT.jar).