d0ctrine

🛠️ Tampering Antifraud Requests using Burp Suite 🛠️

Lots of people have been asking me for some time now for more guides on how to use Burp. So I figured I'd finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.

Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities, find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.



Intercepting Requests

See, when you browse any website, there's a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend), which process them and send back responses. It's a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.

Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly, you can pause this conversation, edit what's being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.

This matters because when shopping online your browser isn't just talking to the main website. It's also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.

Bypassing CVV Requirement via Intercept

One common application of Burp, especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers, but most sites require CVV, which is why Burp became such a valuable tool.

Here's the dirty little secret: When you submit payment info at checkout, your browser sends a POST request containing all your card details – number, expiry, CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.

The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25","billing_zip":"10001"}

Or replace it with an empty value:
Code:
{"card_number":"4111111111111111","expiry":"12/25","cvv":"","billing_zip":"10001"}

If the merchant's backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often don't enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.

Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.

Altering Antifraud Request

Now that you understand the basics of interception, let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.

Here's what these scripts typically gather:
  • Browser fingerprints (user agent, screen resolution, installed fonts)
  • Hardware details (GPU info via WebGL rendering, CPU cores)
  • Mouse movements and click patterns (speed, jitter, natural vs. bot-like paths)
  • Typing rhythm (how fast you enter data, pauses between keystrokes)
  • Whether you're using a headless browser or automation tools (Selenium, etc.)

All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if you're legit or sketchy.

These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
  • Base64 encode their payloads
  • Use character swapping (like replacing 'a' with 'x' and vice versa)
  • Obfuscate their JavaScript code
  • Split data across multiple requests
  • Use custom encoding schemes

But here's the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process, which means it's there for the taking if you know where to look.

Practical Example: Riskified in Booking.com

Let's get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures, this one actually has some teeth to it.

First, we need to set up interception rules in Burp Suite:
  1. Go to Proxy > Options > Intercept Client Requests
  2. Add a rule: AND domain name matches c.riskified.com
  3. Disable response interception

Now browse around the site, pick a flight and try getting to the checkout page, and it will most likely connect first to:

[screenshot]

After connecting here, it downloads the JS needed to fingerprint your system. This isn't casual data collection – it's a full digital cavity search that attempts to send everything about you to:

c.riskified.com

Since we've set up interception, the fingerprint won't be sent to Riskified's servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:

[screenshot]

Deobfuscation

Anti-fraud sites obfuscate your fingerprint because if they didn't, tampering would be child's play. It's like hiding your house key – sure, it's still there but at least make the thief work for it.

Deobfuscating the code takes skill, but it's not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70, just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encoding), it isn't:

[screenshot]

But you know me, I love all of you, so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, I've enabled Riskified but I'll be adding most anti-fraud providers soon.


So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.


After deobfuscation your fingerprint data appears like an open book.
Code:
{
  "lat": 37.7749,
  "timezone": 240,
  "timestamp": "1689452187394",
  "cart_id": "7629384105",
  "shop_id": "cf.bstatic.com",
  "referrer": "https://secure.booking.com/",
  "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
  "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
  "color_depth": 24,
  "page_id": "9xzp4r",
  "shop": "www.booking.com",
  "hardware_concurrency": 8,
  "has_touch": true,
  "history_length": 7,
  "document_title": "Booking.com",
  "console_error": "console.memory is undefined",
  "battery_error": "Error getBattery()",
  "initial_cookie_state_0": "https",
  "initial_cookie_state_1": "persistent",
  "browser": {
    "productsub": "20030107",
    "is_opr": true,
    "is_firefox": false,
    "ev_len": 42
  },
  "os": {
    "cpu": "Windows NT 10.0",
    "platform": "Win32"
  },
  "webgl": {
    "vendor": "Google Inc.",
    "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
  },
  "resolution": {
    "dpr": 1.5,
    "screenh": 1080,
    "screenw": 1920,
    "availh": 1040,
    "availw": 1920,
    "innerh": 900,
    "innerw": 1600,
    "outerh": 1040,
    "outerw": 1920
  },
  "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
  "intl": {
    "locale": "en-GB",
    "num_sys": "latn",
    "cal": "gregory",
    "tz": "America/New_York"
  },
  "downlink_error": "navigator.connection is undefined",
  "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
  "nav_lang": "en-GB",
  "page_language_data": {
    "page_language": "en",
    "has_translation": true
  },
  "incognito": {
    "safari": true,
    "chrome_quota": 120,
    "service_worker_undefined": false,
    "is_brave": true
  }
}



You can then make strategic edits to boost trust factors and align with your target profile:



Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.

This process links your fabricated fingerprint to your cookie. The system thinks you're just another legitimate customer instead of the digital con artist you truly are.

Conclusion

Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look – you're altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.

Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking, the more precisely you can manipulate it.

Remember: effective digital deception isn't about invisibility – it's about looking so normal they never think to look twice.

Keep in mind we have barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. It's a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.

See you soon. d0ctrine out.
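
Added example, not part of the original post: a merchant-side checkout validator that closes the gap the "Bypassing CVV Requirement via Intercept" section relies on, rejecting both request bodies shown there (CVV key removed, CVV empty) and pricing the order from server data only. The `items`/`sku`/`qty` fields, the catalogue and the function names are assumptions made for the illustration.

```python
import re
from decimal import Decimal

# Constructed catalogue (assumption): the server is the only source of prices.
CATALOGUE = {"sku-1001": Decimal("129.00"), "sku-2002": Decimal("15.50")}
REQUIRED_FIELDS = {"card_number", "expiry", "cvv", "billing_zip", "items"}
ITEM_FIELDS = {"sku", "qty"}


def luhn_valid(pan):
    """Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_checkout(body):
    """Return (errors, server_total); the total is None when any check fails."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"], None
    errors = []
    # A key that was deleted in transit is an error, not an optional field.
    for name in sorted(REQUIRED_FIELDS - body.keys()):
        errors.append(f"missing field: {name}")
    # Unknown keys (for example a client-sent total) are rejected, not ignored.
    for name in sorted(body.keys() - REQUIRED_FIELDS):
        errors.append(f"unexpected field: {name}")

    def text(name, pattern):
        # Empty strings, null and non-string types all fail the same way.
        value = body.get(name)
        if name in body and not (isinstance(value, str) and re.fullmatch(pattern, value)):
            errors.append(f"invalid field: {name}")
            return None
        return value

    pan = text("card_number", r"\d{13,19}")
    if pan and not luhn_valid(pan):
        errors.append("invalid field: card_number")
    text("expiry", r"(0[1-9]|1[0-2])/\d{2}")
    text("cvv", r"\d{3,4}")
    text("billing_zip", r"\d{5}(-\d{4})?")

    total = Decimal("0")
    items = body.get("items")
    if "items" in body:
        if not isinstance(items, list) or not items:
            errors.append("invalid field: items")
        else:
            for item in items:
                # An item may carry only sku and qty; a "price" key is refused.
                if not isinstance(item, dict) or set(item) != ITEM_FIELDS:
                    errors.append("invalid item: only sku and qty are accepted")
                    continue
                sku, qty = item["sku"], item["qty"]
                if (not isinstance(sku, str) or sku not in CATALOGUE
                        or type(qty) is not int or not 1 <= qty <= 99):
                    errors.append("invalid item: unknown sku or bad qty")
                    continue
                total += CATALOGUE[sku] * qty
    return errors, (None if errors else total)
```

At the gateway, the matching control is to configure CVV as required and decline on a failed CVV check instead of leaving it optional.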
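
Added example, not part of the original post and not Riskified's logic: server-side plausibility checks for a client-reported fingerprint, using field names from the sample payload in the "Deobfuscation" section, since everything in that payload is under the client's control. The function names, the meaning assumed for `timezone` (JavaScript `getTimezoneOffset()` minutes) and for the `is_opr`/`is_firefox`/`is_brave` flags, and the Accept-Language comparison are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input: the fields of the post's sample payload that the checks read.
SAMPLE = {
    "timestamp": "1689452187394",
    "timezone": 240,
    "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
    "nav_lang": "en-GB",
    "browser": {"is_opr": True, "is_firefox": False},
    "incognito": {"is_brave": True},
    "resolution": {"screenw": 1920, "screenh": 1080, "availw": 1920, "availh": 1040},
}

DATE_RE = re.compile(
    r"(?P<dow>\w{3}) (?P<mon>\w{3}) (?P<day>\d{2}) (?P<year>\d{4}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) GMT(?P<sign>[+-])(?P<oh>\d{2})(?P<om>\d{2})"
)
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
DAYS = "Mon Tue Wed Thu Fri Sat Sun".split()


def parse_date_string(text):
    """Parse a JavaScript Date.toString() value into (aware datetime, weekday label)."""
    m = DATE_RE.match(text) if isinstance(text, str) else None
    if not m or m["mon"] not in MONTHS:
        return None
    sign = 1 if m["sign"] == "+" else -1
    try:
        offset = timezone(sign * timedelta(hours=int(m["oh"]), minutes=int(m["om"])))
        when = datetime(int(m["year"]), MONTHS.index(m["mon"]) + 1, int(m["day"]),
                        int(m["h"]), int(m["m"]), int(m["s"]), tzinfo=offset)
    except ValueError:
        return None
    return when, m["dow"]


def telemetry_findings(fp, received_at, accept_language, max_skew=timedelta(minutes=5)):
    """Return reasons to distrust a client-reported fingerprint (empty list if none)."""
    if not isinstance(fp, dict):
        return ["payload is not a JSON object"]
    findings = []

    def section(name):
        value = fp.get(name)
        return value if isinstance(value, dict) else {}

    # 1. Freshness: the claimed send time must be close to the server's receive time.
    try:
        sent = datetime.fromtimestamp(int(fp["timestamp"]) / 1000, tz=timezone.utc)
    except (KeyError, TypeError, ValueError, OverflowError, OSError):
        sent = None
        findings.append("timestamp missing or malformed")
    if sent is not None and abs(received_at - sent) > max_skew:
        findings.append("timestamp outside freshness window")

    # 2. The three clock fields must describe the same instant and offset.
    parsed = parse_date_string(fp.get("date_string"))
    if parsed is None:
        findings.append("date_string missing or malformed")
    else:
        when, dow = parsed
        if DAYS[when.weekday()] != dow:
            findings.append("date_string weekday does not match its date")
        if sent is not None and abs(when - sent) > max_skew:
            findings.append("date_string disagrees with timestamp")
        # getTimezoneOffset() is UTC minus local time, in minutes.
        if fp.get("timezone") != -when.utcoffset() / timedelta(minutes=1):
            findings.append("timezone disagrees with date_string offset")

    # 3. At most one browser-family flag can be true (assumed flag semantics).
    browser, incognito = section("browser"), section("incognito")
    claimed = (("opera", browser.get("is_opr")), ("firefox", browser.get("is_firefox")),
               ("brave", incognito.get("is_brave")))
    families = [name for name, flag in claimed if flag is True]
    if len(families) > 1:
        findings.append("multiple browser families claimed: " + ", ".join(families))

    # 4. The available screen area cannot exceed the screen itself.
    res = section("resolution")
    dims = [res.get(k) for k in ("availw", "screenw", "availh", "screenh")]
    if not all(type(d) is int and d > 0 for d in dims):
        findings.append("resolution missing or malformed")
    elif dims[0] > dims[1] or dims[2] > dims[3]:
        findings.append("available area larger than screen")

    # 5. Compare a reported value with what the server observed on the request.
    primary = accept_language.split(",")[0].split(";")[0].strip().lower()
    if str(fp.get("nav_lang", "")).lower() != primary:
        findings.append("nav_lang disagrees with Accept-Language header")
    return findings
```

The findings are risk signals to feed into scoring alongside signals the client cannot edit in the payload; a checkout that arrives with no telemetry beacon at all belongs in the same list.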
 

satos48

cool post
 

moders3

Been looking for this
 

fring

Newbie
Joined
25.10.24
Messages
2
Reaction score
0
Points
1
 

mooseman4556

Newbie
Joined
26.03.25
Messages
10
Reaction score
1
Points
3
thanks
 

Jekas-DM

Newbie
Joined
19.01.25
Messages
3
Reaction score
0
Points
1
thanks
 

demonastan

Newbie
Joined
27.03.25
Messages
7
Reaction score
0
Points
1

VΓ­ dα»₯ thα»±c tαΊΏ: Riskified trong Booking.com

HΓ£y cΓΉng bαΊ―t tay vΓ o Riskified , mα»™t trong nhα»―ng hệ thα»‘ng phΓ²ng chα»‘ng gian lαΊ­n khΓ©t tiαΊΏng nhαΊ₯t Δ‘Γ£ lΓ m nhα»―ng người chΖ‘i bΓ i phαΊ£i bα»‘i rα»‘i. KhΓ΄ng giα»‘ng nhΖ° mα»™t sα»‘ biện phΓ‘p bαΊ£o mαΊ­t nα»­a vời, biện phΓ‘p nΓ y thα»±c sα»± cΓ³ mα»™t sα»‘ Δ‘iểm mαΊ‘nh.

Đầu tiΓͺn, chΓΊng ta cαΊ§n thiαΊΏt lαΊ­p cΓ‘c quy tαΊ―c chαΊ·n trong Burp Suite :
  1. VΓ o Proxy > TΓΉy chọn > ChαΊ·n yΓͺu cαΊ§u cα»§a mΓ‘y khΓ‘ch
  2. ThΓͺm quy tαΊ―c: VΓ€ tΓͺn miền khα»›p vα»›i c.riskified.com
  3. VΓ΄ hiệu hΓ³a chαΊ·n phαΊ£n hα»“i
UBbyfPX.png

BΓ’y giờ hΓ£y duyệt quanh trang web vΓ  chọn chuyαΊΏn bay rα»“i thα»­ truy cαΊ­p vΓ o trang thanh toΓ‘n vΓ  rαΊ₯t cΓ³ thể chuyαΊΏn bay sαΊ½ kαΊΏt nα»‘i Δ‘αΊ§u tiΓͺn Δ‘αΊΏn:

mp84qwV.png

[URL mở rα»™ng="true"]https://beacon.riskified.com/[/URL]

Sau khi kαΊΏt nα»‘i ở Δ‘Γ’y, nΓ³ sαΊ½ tαΊ£i xuα»‘ng JS cαΊ§n thiαΊΏt để lαΊ₯y dαΊ₯u vΓ’n tay hệ thα»‘ng cα»§a bαΊ‘n. ĐÒy khΓ΄ng phαΊ£i lΓ  thu thαΊ­p dα»― liệu thΓ΄ng thường – mΓ  lΓ  tΓ¬m kiαΊΏm khoang kα»Ή thuαΊ­t sα»‘ Δ‘αΊ§y Δ‘α»§ cα»‘ gαΊ―ng gα»­i mọi thα»© về bαΊ‘n Δ‘αΊΏn:

c.riskified.com

VΓ¬ chΓΊng tΓ΄i Δ‘Γ£ thiαΊΏt lαΊ­p chαΊ·n nΓͺn dαΊ₯u vΓ’n tay sαΊ½ khΓ΄ng được gα»­i Δ‘αΊΏn mΓ‘y chα»§ Riskifieds . NαΊΏu bαΊ‘n kiểm tra bαΊ£ng Δ‘iều khiển nhαΊ­t kΓ½ HTTP, bαΊ‘n sαΊ½ thαΊ₯y nΓ³ Δ‘ang cα»‘ gαΊ―ng gα»­i mα»™t tαΊ£i trọng được mΓ£ hΓ³a cΓ³ chα»©a DNA kα»Ή thuαΊ­t sα»‘ cα»§a bαΊ‘n:

nOXNHNL.png

GiαΊ£i mΓ£

CΓ‘c trang web chα»‘ng gian lαΊ­n che giαΊ₯u dαΊ₯u vΓ’n tay cα»§a bαΊ‘n vΓ¬ nαΊΏu khΓ΄ng thΓ¬ việc giαΊ£ mαΊ‘o sαΊ½ lΓ  trΓ² trαΊ» con. Giα»‘ng nhΖ° việc giαΊ₯u chΓ¬a khΓ³a nhΓ  cα»§a bαΊ‘n – chαΊ―c chαΊ―n, nΓ³ vαΊ«n ở Δ‘Γ³ nhΖ°ng Γ­t nhαΊ₯t hΓ£y bαΊ―t tΓͺn trα»™m phαΊ£i lΓ m việc để lαΊ₯y nΓ³.

Việc giαΊ£i mΓ£ mΓ£ hΓ³a cαΊ§n cΓ³ kα»Ή nΔƒng, nhΖ°ng khΓ΄ng phαΊ£i lΓ  khoa học tΓͺn lα»­a. BαΊ‘n chỉ cαΊ§n Δ‘αΊ£o ngược kα»Ή thuαΊ­t để tΓ¬m ra cΓ‘ch JS tαΊ‘o ra tαΊ£i trọng. Đối vα»›i nhα»―ng ai cΓ³ IQ dΖ°α»›i 70, hΓ£y tham khαΊ£o AI. VΓ  nαΊΏu bαΊ‘n cαΊ£m thαΊ₯y mΓ¬nh thΓ΄ng minh khi nghΔ© rαΊ±ng chỉ cΓ³ Base64 cho Riskified (mαΊ·c dΓΉ nhiều người trong sα»‘ họ chỉ sα»­ dα»₯ng mΓ£ hΓ³a Base64), thΓ¬ khΓ΄ng phαΊ£i vαΊ­y:

avqVKui.png

NhΖ°ng bαΊ‘n biαΊΏt tΓ΄i mΓ , tΓ΄i yΓͺu tαΊ₯t cαΊ£ cΓ‘c bαΊ‘n nΓͺn Δ‘α»‘i vα»›i bαΊ£n demo nΓ y, tΓ΄i Δ‘Γ£ phΓ‘t triển mα»™t cΓ΄ng cα»₯ giΓΊp giαΊ£i mΓ£ dαΊ₯u vΓ’n tay tα»« cΓ‘c giαΊ£i phΓ‘p chα»‘ng phΓ‘t hiện phα»• biαΊΏn. Đối vα»›i bαΊ£n demo nΓ y, tΓ΄i Δ‘Γ£ bαΊ­t Riskified nhΖ°ng tΓ΄i sαΊ½ sα»›m thΓͺm hαΊ§u hαΊΏt cΓ‘c nhΓ  cung cαΊ₯p chα»‘ng gian lαΊ­n.

[URL mở rα»™ng="true"]https://binx.cc/tools/antifraud-deobfuscate[/URL]

VΓ¬ vαΊ­y, để mọi việc dα»… dΓ ng hΖ‘n, hΓ£y Δ‘αΊΏn cΓ΄ng cα»₯ giαΊ£i mΓ£ chα»‘ng gian lαΊ­n trong BinX vΓ  chọn Riskified , sau Δ‘Γ³ dΓ‘n dα»― liệu Δ‘Γ£ chαΊ·n cα»§a chΓΊng tΓ΄i.

ADbPFPq.png

Sau khi giαΊ£i mΓ£, dα»― liệu dαΊ₯u vΓ’n tay cα»§a bαΊ‘n sαΊ½ trΓ΄ng giα»‘ng nhΖ° mα»™t cuα»‘n sΓ‘ch mở.
[MΓƒ SỐ]
{
"vΔ© Δ‘α»™": 37.7749,
"múi giờ": 240,
"dαΊ₯u thời gian": "1689452187394",
"cart_id": "7629384105",
"shop_id": "cf.bstatic.com",
"người giα»›i thiệu": "https://secure.booking.com/",
"href": "https://cf.bstatic.com/static/tag_c...a077563c1795a773c91150dd19adefe98d13fd65.html",
"riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
"color_depth": 24,
"page_id": "9xzp4r",
"cα»­a hΓ ng": "www.booking.com",
"hardware_concurrency": 8,
"has_touch": Δ‘ΓΊng,
"lα»‹ch sα»­_chiều dΓ i": 7,
"document_title": "Đặt phòng.com",
"console_error": "console.memory khΓ΄ng được xΓ‘c Δ‘α»‹nh",
"battery_error": "Lα»—i getBattery()",
"initial_cookie_state_0": "https",
"initial_cookie_state_1": "liΓͺn tα»₯c",
"trΓ¬nh duyệt": {
"productsub": "20030107",
"is_opr": Δ‘ΓΊng,
"is_firefox": sai,
"ev_len": 42
},
"hệ Δ‘iều hΓ nh": {
"cpu": "Windows NT 10.0",
"nền tảng": "Win32"
},
"webgl": {
"nhΓ  cung cαΊ₯p": "Google Inc.",
"trΓ¬nh kαΊΏt xuαΊ₯t": "GΓ“C (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
},
"nghα»‹ quyαΊΏt": {
"dpr": 1,5,
"màn hình": 1080,
"màn hình": 1920,
"cΓ³ sαΊ΅n": 1040,
"cΓ³ sαΊ΅n": 1920,
"bΓͺn trong": 900,
"bΓͺn trong": 1600,
"bΓͺn ngoΓ i": 1040,
"bΓͺn ngoΓ i": 1920
},
"date_string": "Thα»© sΓ‘u, ngΓ y 25 thΓ‘ng 3 nΔƒm 2025 14:23:07 GMT-0400 (Giờ ban ngΓ y miền Đông)",
"quα»‘c tαΊΏ": {
"locale": "en-GB",
"num_sys": "vΔ© Δ‘α»™",
"cal": "gregory",
"tz": "Mα»Ή/New_York"
},
"downlink_error": "navigator.connection khΓ΄ng được xΓ‘c Δ‘α»‹nh",
"nav_plu": "Trình cắm PDF của Chrome, Trình xem PDF của Chrome, MÑy khÑch gốc",
"nav_lang": "vi-GB",
"dα»― liệu ngΓ΄n ngα»― trang": {
"page_language": "vi",
"has_translation": Δ‘ΓΊng
},
"αΊ©n danh": {
"safari": Δ‘ΓΊng,
"chrome_quota": 120,
"service_worker_undefined": sai,
"is_brave": Δ‘ΓΊng
}
}
[/MΓƒ SỐ]



Sau Δ‘Γ³, bαΊ‘n cΓ³ thể thα»±c hiện cΓ‘c chỉnh sα»­a chiαΊΏn lược để tΔƒng cường cΓ‘c yαΊΏu tα»‘ tin cαΊ­y vΓ  phΓΉ hợp vα»›i hα»“ sΖ‘ mα»₯c tiΓͺu cα»§a mΓ¬nh:

* VΔƒn bαΊ£n αΊ©n: khΓ΄ng thể trΓ­ch dαΊ«n. *


Sau khi thα»±c hiện thay Δ‘α»•i, hΓ£y lΓ m tα»‘i nghΔ©a lαΊ‘i vΓ  thay thαΊΏ dα»― liệu trong bαΊ£ng Δ‘iều khiển chαΊ·n cα»§a bαΊ‘n vΓ  CHUYα»‚N TIαΊΎP yΓͺu cαΊ§u.

IQqqtYh.png

QuΓ‘ trΓ¬nh nΓ y liΓͺn kαΊΏt dαΊ₯u vΓ’n tay giαΊ£ cα»§a bαΊ‘n vα»›i cookie cα»§a bαΊ‘n. Hệ thα»‘ng nghΔ© rαΊ±ng bαΊ‘n chỉ lΓ  mα»™t khΓ‘ch hΓ ng hợp phΓ‘p khΓ‘c thay vΓ¬ lΓ  kαΊ» lα»«a Δ‘αΊ£o kα»Ή thuαΊ­t sα»‘ thα»±c sα»±.

PhαΊ§n kαΊΏt luαΊ­n

Thao tΓΊng cΓ‘c hệ thα»‘ng chα»‘ng gian lαΊ­n bαΊ±ng Burp Suite giα»‘ng nhΖ° cΓ³ mα»™t bα»™ ngα»₯y trang kα»Ή thuαΊ­t sα»‘. BαΊ‘n khΓ΄ng chỉ thay Δ‘α»•i diện mαΊ‘o cα»§a mΓ¬nh – bαΊ‘n Δ‘ang thay Δ‘α»•i nhα»―ng gΓ¬ camera an ninh nhΓ¬n thαΊ₯y. BαΊ±ng cΓ‘ch Δ‘αΊ·t Burp giα»―a trΓ¬nh duyệt cα»§a bαΊ‘n vΓ  cΓ‘c hệ thα»‘ng nΓ y, bαΊ‘n cΓ³ thể cung cαΊ₯p cho chΓΊng bαΊ₯t kα»³ dαΊ₯u vΓ’n tay nΓ o bαΊ‘n muα»‘n, thαΊ­m chΓ­ khΓ΄ng cαΊ§n sα»­ dα»₯ng antidetect.

ThΓ nh cΓ΄ng phα»₯ thuα»™c vΓ o việc hiểu chΓ­nh xΓ‘c nhα»―ng gΓ¬ cΓ‘c hệ thα»‘ng nΓ y thu thαΊ­p vΓ  cΓ‘ch chΓΊng diα»…n giαΊ£i chΓΊng. PhΓ’n tΓ­ch nhαΊ­t kΓ½ Burp cα»§a bαΊ‘n để nghiΓͺn cα»©u cΓ‘c yΓͺu cαΊ§u chα»‘ng gian lαΊ­n trΖ°α»›c khi can thiệp vΓ o chΓΊng. TΓ¬m kiαΊΏm cΓ‘c mαΊ«u trong dα»― liệu JSON. BαΊ‘n cΓ ng hiểu rΓ΅ nhα»―ng gΓ¬ họ Δ‘ang kiểm tra thΓ¬ bαΊ‘n cΓ ng cΓ³ thể thao tΓ‘c chΓ­nh xΓ‘c hΖ‘n.

HΓ£y nhα»›: sα»± lα»«a dα»‘i hiệu quαΊ£ trΓͺn mαΊ‘ng khΓ΄ng phαΊ£i lΓ  sα»± vΓ΄ hΓ¬nh – mΓ  lΓ  trΓ΄ng thαΊ­t bΓ¬nh thường Δ‘αΊΏn nα»—i họ khΓ΄ng bao giờ nghΔ© Δ‘αΊΏn việc phαΊ£i nhΓ¬n lαΊ§n thα»© hai.

HΓ£y nhα»› rαΊ±ng chΓΊng ta mα»›i chỉ khai thΓ‘c được bề nα»•i nhα»―ng gΓ¬ Burp Suite cΓ³ thể lΓ m. CΓ΄ng cα»₯ khα»§ng nΓ y cΓ³ hΓ ng chα»₯c mΓ΄-Δ‘un vΓ  hΓ ng trΔƒm tΓ­nh nΔƒng mΓ  tΓ΄i thαΊ­m chΓ­ cΓ²n chΖ°a đề cαΊ­p Δ‘αΊΏn - tα»« quΓ©t tα»± Δ‘α»™ng Δ‘αΊΏn tΓ¬m lα»— hα»•ng SQLi Δ‘αΊΏn fuzzing Δ‘iểm cuα»‘i. ĐÒy lΓ  mα»™t cΓ΄ng cα»₯ phα»©c tαΊ‘p, mang lαΊ‘i phαΊ§n thưởng cho nhα»―ng ai Δ‘αΊ§u tΖ° thời gian để thΓ nh thαΊ‘o. TΓ΄i sαΊ½ đề cαΊ­p Δ‘αΊΏn cΓ‘c kα»Ή thuαΊ­t nΓ’ng cao hΖ‘n trong cΓ‘c hΖ°α»›ng dαΊ«n sau.

HαΊΉn gαΊ·p lαΊ‘i sα»›m. d0ctrine ra mαΊ―t.
Nice job
 

amazznn1337

Newbie
Joined
26.10.22
Messages
2
Reaction score
0
Points
1
So fucking useful awesome
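
Added example, not part of any post in this thread: the CVV-stripping and price edits described in the guide only succeed when the merchant backend trusts whatever the request body says, so this shows the server-side checks that refuse them. The field names follow the guide's sample payload; `items`, `sku`, `qty`, the catalogue and the function names are assumptions.

```python
import json
import re
from decimal import Decimal

# Constructed price list (assumption); a real shop reads prices from its own database.
CATALOG = {"sku-1001": Decimal("49.90"), "sku-2002": Decimal("120.00")}
REQUIRED = ("card_number", "expiry", "cvv", "billing_zip", "items")
CVV_RE = re.compile(r"[0-9]{3,4}")  # 3 digits, 4 on American Express cards


def _no_duplicate_keys(pairs):
    """Reject bodies that repeat a key, so two parsers cannot disagree on 'cvv'."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def validate_checkout(raw_body):
    """Return (order, reasons). order is None whenever reasons is non-empty."""
    try:
        body = json.loads(raw_body, object_pairs_hook=_no_duplicate_keys)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return None, [f"malformed body: {exc}"]
    if not isinstance(body, dict):
        return None, ["body must be a JSON object"]

    reasons = [f"missing field: {name}" for name in REQUIRED if name not in body]

    # The CVV is mandatory here regardless of how the gateway is configured:
    # absent, empty, null and non-string values are all refused.
    if "cvv" in body:
        cvv = body["cvv"]
        if not (isinstance(cvv, str) and CVV_RE.fullmatch(cvv)):
            reasons.append("cvv must be a 3 or 4 digit string")

    # The amount is rebuilt from the server's catalogue; any "price" or
    # "total" the client sent is never read.
    amount = Decimal("0")
    items = body.get("items")
    if "items" in body:
        if not isinstance(items, list) or not items:
            reasons.append("items must be a non-empty list")
        else:
            for item in items:
                sku = item.get("sku") if isinstance(item, dict) else None
                qty = item.get("qty") if isinstance(item, dict) else None
                if not isinstance(sku, str) or sku not in CATALOG:
                    reasons.append(f"unknown sku: {sku!r}")
                elif type(qty) is not int or qty < 1:
                    reasons.append(f"bad quantity for {sku}")
                else:
                    amount += CATALOG[sku] * qty

    if reasons:
        return None, reasons
    # The order carries no card data; the caller passes the validated CVV
    # straight to the gateway and never stores or logs it.
    return {"amount": amount, "billing_zip": body["billing_zip"]}, []


# Constructed requests. The client-sent "price" and "total" are deliberately wrong.
_BASE = {
    "card_number": "4111111111111111", "expiry": "12/25", "cvv": "123",
    "billing_zip": "10001",
    "items": [{"sku": "sku-1001", "qty": 2, "price": "0.01"},
              {"sku": "sku-2002", "qty": 1}],
    "total": "0.03",
}
GOOD = json.dumps(_BASE)
NO_CVV = json.dumps({k: v for k, v in _BASE.items() if k != "cvv"})
EMPTY_CVV = json.dumps({**_BASE, "cvv": ""})
DUP_CVV = GOOD[:-1] + ', "cvv": ""}'
# The guide's first payload, verbatim; it is also not valid JSON.
STRIPPED = '{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}'

if __name__ == "__main__":
    for name in ("GOOD", "NO_CVV", "EMPTY_CVV", "DUP_CVV", "STRIPPED"):
        order, reasons = validate_checkout(globals()[name])
        print(name, "accepted" if order else "rejected", order or reasons)
```
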
 

Kekko

Newbie
Joined
04.03.25
Messages
4
Reaction score
0
Points
1
Gg
 

iflaholmaz

Newbie
Joined
01.12.24
Messages
21
Reaction score
6
Points
3
View attachment 8294πŸ› οΈ Tampering Antifraud Requests using Burp Suite πŸ› οΈ

Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.

Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.



Intercepting Requests

See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.

Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.


This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.

Bypassing CVV Requirement via Intercept

One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.

Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details – number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.

lH0LEBp.png

The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}

Or replace it with an empty value:
Code:
{"card_number":"4111111111111111","expiry":"12/25""cvv":"","billing_zip":"10001"}

If the merchant's backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often don't enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.

Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.

Altering Antifraud Request

Now that you understand the basics of interception, let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.

Here's what these scripts typically gather:
  • Browser fingerprints (user agent, screen resolution, installed fonts)
  • Hardware details (GPU info via WebGL rendering, CPU cores)
  • Mouse movements and click patterns (speed, jitter, natural vs. bot-like paths)
  • Typing rhythm (how fast you enter data, pauses between keystrokes)
  • Whether you're using a headless browser or automation tools (Selenium, etc.)

All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if you're legit or sketchy.

These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
  • Base64 encode their payloads
  • Use character swapping (like replacing 'a' with 'x' and vice versa)
  • Obfuscate their JavaScript code
  • Split data across multiple requests
  • Use custom encoding schemes

But here's the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process, which means it's there for the taking if you know where to look.

Practical Example: Riskified in Booking.com

Let's get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures, this one actually has some teeth to it.

First, we need to set up interception rules in Burp Suite:
  1. Go to Proxy > Options > Intercept Client Requests
  2. Add a rule: AND domain name matches c.riskified.com
  3. Disable response interception

Now browse around the site, pick a flight and try getting to the checkout page, and it will most likely connect first to:

[image]


After connecting here, it downloads the JS needed to fingerprint your system. This isn't casual data collection – it's a full digital cavity search that attempts to send everything about you to:

c.riskified.com

Since we've set up interception, the fingerprint won't be sent to Riskified's servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:

[image]

Deobfuscation

Anti-fraud sites obfuscate your fingerprint because if they didn't, tampering would be child's play. It's like hiding your house key – sure, it's still there but at least make the thief work for it.

Deobfuscating the code takes skill, but it's not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70, just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encoding), it isn't:

[image]

But you know me, I love all of you, so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, I've enabled Riskified but I'll be adding most anti-fraud providers soon.


So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.

After deobfuscation, your fingerprint data appears like an open book.
Code:
{
  "lat": 37.7749,
  "timezone": 240,
  "timestamp": "1689452187394",
  "cart_id": "7629384105",
  "shop_id": "cf.bstatic.com",
  "referrer": "https://secure.booking.com/",
  "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
  "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
  "color_depth": 24,
  "page_id": "9xzp4r",
  "shop": "www.booking.com",
  "hardware_concurrency": 8,
  "has_touch": true,
  "history_length": 7,
  "document_title": "Booking.com",
  "console_error": "console.memory is undefined",
  "battery_error": "Error getBattery()",
  "initial_cookie_state_0": "https",
  "initial_cookie_state_1": "persistent",
  "browser": {
    "productsub": "20030107",
    "is_opr": true,
    "is_firefox": false,
    "ev_len": 42
  },
  "os": {
    "cpu": "Windows NT 10.0",
    "platform": "Win32"
  },
  "webgl": {
    "vendor": "Google Inc.",
    "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
  },
  "resolution": {
    "dpr": 1.5,
    "screenh": 1080,
    "screenw": 1920,
    "availh": 1040,
    "availw": 1920,
    "innerh": 900,
    "innerw": 1600,
    "outerh": 1040,
    "outerw": 1920
  },
  "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
  "intl": {
    "locale": "en-GB",
    "num_sys": "latn",
    "cal": "gregory",
    "tz": "America/New_York"
  },
  "downlink_error": "navigator.connection is undefined",
  "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
  "nav_lang": "en-GB",
  "page_language_data": {
    "page_language": "en",
    "has_translation": true
  },
  "incognito": {
    "safari": true,
    "chrome_quota": 120,
    "service_worker_undefined": false,
    "is_brave": true
  }
}



You can then make strategic edits to boost trust factors and align with your target profile:

* Hidden text: cannot be quoted. *


Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.

This process links your fabricated fingerprint to your cookie. The system thinks you're just another legitimate customer instead of the digital con artist you truly are.

Conclusion

Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look – you're altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.

Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking, the more precisely you can manipulate it.

Remember: effective digital deception isn't about invisibility – it's about looking so normal they never think to look twice.

Keep in mind we have barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. It's a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.

See you soon. d0ctrine out.
ty
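The quoted post's CVV and price tampering only works when the backend trusts the request body, so the merchant-side fix is strict server-side validation before anything reaches the payment gateway. The following is an added example, not code from the thread: the `items`/`total` fields, the catalogue and the function names are assumptions made for illustration.

```python
import re

# Constructed server-side price list in cents; prices never come from the client.
CATALOG_CENTS = {"sku-100": 1999, "sku-200": 500}

REQUIRED = {"card_number", "expiry", "cvv", "billing_zip", "items"}
ALLOWED = REQUIRED | {"total"}  # a client "total" is tolerated but never used

PATTERNS = {
    "card_number": r"[0-9]{12,19}",
    "expiry": r"(0[1-9]|1[0-2])/[0-9]{2}",
    "cvv": r"[0-9]{3,4}",  # absent, empty or non-numeric CVV is refused
    "billing_zip": r"[0-9A-Za-z -]{3,10}",
}


class ValidationError(ValueError):
    """Raised when a checkout body must be refused before any gateway call."""


def validate_checkout(payload, catalog=CATALOG_CENTS):
    """Return the gateway request built from server-side data, or raise."""
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")
    missing = REQUIRED - payload.keys()
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    unknown = payload.keys() - ALLOWED
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    for field, pattern in PATTERNS.items():
        value = payload[field]
        if not isinstance(value, str) or not re.fullmatch(pattern, value):
            raise ValidationError(f"invalid {field}")
    items = payload["items"]
    if not isinstance(items, list) or not items:
        raise ValidationError("items must be a non-empty list")
    amount = 0
    for item in items:
        sku = item.get("sku") if isinstance(item, dict) else None
        qty = item.get("qty") if isinstance(item, dict) else None
        if not isinstance(sku, str) or sku not in catalog:
            raise ValidationError("unknown item")
        if type(qty) is not int or not 1 <= qty <= 100:
            raise ValidationError("invalid quantity")
        amount += catalog[sku] * qty  # price looked up here, not read from the body
    # The CVV is passed to the gateway only; it is never logged or stored.
    return {"amount_cents": amount, "card_number": payload["card_number"],
            "expiry": payload["expiry"], "cvv": payload["cvv"],
            "billing_zip": payload["billing_zip"]}


def is_accepted(payload):
    """True if the body passes validation, False if it is refused."""
    try:
        validate_checkout(payload)
        return True
    except ValidationError:
        return False
```

The same rule belongs at the gateway: configure it to decline when the CVV is missing or fails verification, so a validation gap in one service does not reopen the hole.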
 

Toxicjesus

Essential
Joined
08.01.25
Messages
14
Reaction score
2
Points
3
leg
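Because the fingerprint beacon discussed in this thread is produced on the client, a risk engine can only treat it as a claim and corroborate it against what the server observes itself. The following is an added example, not code from the thread or from any vendor: the beacon field names are taken from the sample JSON in the post, while the `observed` structure, the skew tolerance and the reason labels are assumptions.

```python
MAX_SKEW_MS = 120_000  # assumed tolerance for clock drift and network delay

# navigator.platform prefix -> token expected in the User-Agent request header
PLATFORM_UA_TOKENS = {"Win": "Windows", "Mac": "Macintosh",
                      "Linux": "Linux", "iPhone": "iPhone"}


def primary_lang(tag):
    """'en-GB,en;q=0.9' -> 'en' (first language, primary subtag only)."""
    return tag.split(",")[0].split(";")[0].split("-")[0].strip().lower()


def beacon_anomalies(beacon, observed):
    """Compare a decoded beacon with server-observed facts; return reason labels.

    beacon   -- decoded client payload (dict), or None if none arrived
    observed -- received_ms, session_cookie, user_agent, accept_language,
                all recorded by the server for the same session
    """
    if not isinstance(beacon, dict):
        return ["beacon_missing"]
    reasons = []

    # A request held and edited in transit arrives long after it was stamped.
    try:
        sent_ms = int(beacon.get("timestamp", ""))
    except (TypeError, ValueError):
        sent_ms = None
    if sent_ms is None or abs(observed["received_ms"] - sent_ms) > MAX_SKEW_MS:
        reasons.append("timestamp_skew")

    if beacon.get("riskified_cookie") != observed["session_cookie"]:
        reasons.append("cookie_mismatch")

    os_info = beacon.get("os")
    platform = str(os_info.get("platform", "")) if isinstance(os_info, dict) else ""
    token = next((t for p, t in PLATFORM_UA_TOKENS.items()
                  if platform.startswith(p)), None)
    if token is None or token not in observed["user_agent"]:
        reasons.append("platform_vs_user_agent")

    if primary_lang(str(beacon.get("nav_lang", ""))) != primary_lang(
            observed["accept_language"]):
        reasons.append("language_vs_accept_language")
    return reasons


# Constructed sample: a subset of the beacon fields shown in the post.
SAMPLE_BEACON = {"timestamp": "1689452187394", "nav_lang": "en-GB",
                 "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
                 "os": {"cpu": "Windows NT 10.0", "platform": "Win32"}}
# Constructed server-side observations for the same session.
SAMPLE_OBSERVED = {"received_ms": 1689452188000,
                   "session_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
                   "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                   "accept_language": "en-GB,en;q=0.9"}
```

The returned labels are inputs to a risk score rather than verdicts, since proxies, translation settings and clock drift produce some of them on legitimate sessions.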
 