- Passing the generated MFA to another user using Burp
Fuzzing with ffuf:
username=FUZZUSER&password=FUZZPASS
This fuzzes both the username and the password. Each wordlist must be bound to its keyword:
ffuf -request teashop.txt -request-proto http -mode clusterbomb -w pass.txt:FUZZPASS -w user.txt:FUZZUSER -fs 3376
Clusterbomb is an attack type that tries all users with all passwords. If you forget, check the Burp Intruder tab, under Attack type. All 4 types are explained.
Find the -fs value (response content length) by first trying a user and getting a "no" (failed login) response.
*Also need to -fs the "user doesn’t exist" response size, which is 3256 in this case
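
A defender's view of the clusterbomb pattern above, as an added example that is not part of the original notes: it flags a source whose failed logins cover many usernames with repeated attempts on each. The log format, thresholds, IP addresses and sample lines are constructed assumptions.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed sample lines; assumed format: <time> <src_ip> <username> <OK|FAIL>."""
    lines, t = [], 0
    # One source failing 5 times against each of 4 users (clusterbomb shape).
    for user in ["admin", "alice", "bob", "carol"]:
        for _ in range(5):
            lines.append(f"2024-01-01T10:00:{t:02d}Z 203.0.113.7 {user} FAIL")
            t += 1
    # A legitimate user mistyping once, then logging in.
    lines.append("2024-01-01T10:01:00Z 198.51.100.4 alice FAIL")
    lines.append("2024-01-01T10:01:09Z 198.51.100.4 alice OK")
    lines.append("truncated line")  # malformed input must not break parsing
    return lines

def detect_clusterbomb(lines, min_users=3, min_fails_per_user=3):
    """Return {src_ip: {"users": [...], "failures": n}} for sources whose
    failures hit at least min_users accounts min_fails_per_user times each."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failed count
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        _, src, user, outcome = parts
        if outcome == "FAIL":
            fails[src][user] += 1
    alerts = {}
    for src, per_user in fails.items():
        hammered = sorted(u for u, n in per_user.items() if n >= min_fails_per_user)
        if len(hammered) >= min_users:
            alerts[src] = {"users": hammered, "failures": sum(per_user.values())}
    return alerts

if __name__ == "__main__":
    for src, info in detect_clusterbomb(build_sample_log()).items():
        print(src, info)
```

Returning an identical response for "wrong password" and "user doesn't exist" removes the size difference (3376 vs 3256 here) that separates valid from invalid usernames.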