d0ctrine

Diamond
Joined
17.08.24
Messages
104
Reaction score
1,982
Points
93
1742929415271.png🛠️ Tampering Antifraud Requests using Burp Suite 🛠️

Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.

Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.

Q3XlqrtY.png


Intercepting Requests

See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.

Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.

1742932521805.png

This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.

Bypassing CVV Requirement via Intercept

One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.

Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details – number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.

lH0LEBp.png

The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}

Or replace it with an empty value:
Code:
{"card_number":"4111111111111111","expiry":"12/25""cvv":"","billing_zip":"10001"}

If the merchants backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often dont enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.

Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.

Altering Antifraud Request

Now that you understand the basics of interception let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.

Heres what these scripts typically gather:
  • Browser fingerprints (user agent screen resolution, installed fonts)
  • Hardware details (GPU info via WebGL rendering CPU cores)
  • Mouse movements and click patterns (speed, jitter natural vs. bot-like paths)
  • Typing rhythm (how fast you enter data, pauses between keystrokes)
  • Whether you're using a headless browser or automation tools (Selenium etc.)

1742933162406.png

All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if youre legit or sketchy.

1742933232768.png

These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
  • Base64 encode their payloads
  • Use character swapping (like replacing a' with x' and vice versa)
  • Obfuscate their JavaScript code
  • Split data across multiple requests
  • Use custom encoding schemes
But heres the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process which means it's there for the taking if you know where to look.

Practical Example: Riskified in Booking.com

Lets get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures this one actually has some teeth to it.

1742933507188.png

First, we need to set up interception rules in Burp Suite:
  1. Go to Proxy > Options > Intercept Client Requests
  2. Add a rule: AND domain name matches c.riskified.com
  3. Disable response interception
UBbyfPX.png

Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:

mp84qwV.png


After connecting here, it downloads the JS needed to fingerprint your system. This isnt casual data collection – it's a full digital cavity search that attempts to send everything about you to:

c.riskified.com

Since weve set up interception the fingerprint won't be sent to Riskifieds servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:

nOXNHNL.png

Deobfuscation

Anti-fraud sites obfuscate your fingerprint because if they didnt tampering would be child's play. Its like hiding your house key – sure, it's still there but at least make the thief work for it.

Deobfuscating the code takes skill, but its not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70 just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't:

avqVKui.png

But you know me, I love all of you so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, Ive enabled Riskified but I'll be adding most anti-fraud providers soon.


So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.

ADbPFPq.png

After deobfuscation your fingerprint data appears like an open book.
Code:
{
  "lat": 37.7749,
  "timezone": 240,
  "timestamp": "1689452187394",
  "cart_id": "7629384105",
  "shop_id": "cf.bstatic.com",
  "referrer": "https://secure.booking.com/",
  "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
  "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
  "color_depth": 24,
  "page_id": "9xzp4r",
  "shop": "www.booking.com",
  "hardware_concurrency": 8,
  "has_touch": true,
  "history_length": 7,
  "document_title": "Booking.com",
  "console_error": "console.memory is undefined",
  "battery_error": "Error getBattery()",
  "initial_cookie_state_0": "https",
  "initial_cookie_state_1": "persistent",
  "browser": {
    "productsub": "20030107",
    "is_opr": true,
    "is_firefox": false,
    "ev_len": 42
  },
  "os": {
    "cpu": "Windows NT 10.0",
    "platform": "Win32"
  },
  "webgl": {
    "vendor": "Google Inc.",
    "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
  },
  "resolution": {
    "dpr": 1.5,
    "screenh": 1080,
    "screenw": 1920,
    "availh": 1040,
    "availw": 1920,
    "innerh": 900,
    "innerw": 1600,
    "outerh": 1040,
    "outerw": 1920
  },
  "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
  "intl": {
    "locale": "en-GB",
    "num_sys": "latn",
    "cal": "gregory",
    "tz": "America/New_York"
  },
  "downlink_error": "navigator.connection is undefined",
  "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
  "nav_lang": "en-GB",
  "page_language_data": {
    "page_language": "en",
    "has_translation": true
  },
  "incognito": {
    "safari": true,
    "chrome_quota": 120,
    "service_worker_undefined": false,
    "is_brave": true
  }
}



You can then make strategic edits to boost trust factors and align with your target profile:



Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.

IQqqtYh.png

This process links your fabricated fingerprint to your cookie. The system thinks youre just another legitimate customer instead of the digital con artist you truly are.

Conclusion

Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look – youre altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.

Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking the more precisely you can manipulate it.

Remember: effective digital deception isnt about invisibility – it's about looking so normal they never think to look twice.

Keep in mind we hae barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. Its a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.

See you soon. d0ctrine out.
 

satos48

Newbie
Joined
13.04.23
Messages
8
Reaction score
0
Points
1
View attachment 8294🛠️ Tampering Antifraud Requests using Burp Suite 🛠️

Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.

Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.



Intercepting Requests

See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.

Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.


This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.

Bypassing CVV Requirement via Intercept

One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.

Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details – number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.

lH0LEBp.png

The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}

Or replace it with an empty value:
Code:
{"card_number":"4111111111111111","expiry":"12/25""cvv":"","billing_zip":"10001"}

If the merchants backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often dont enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.

Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.

Altering Antifraud Request

Now that you understand the basics of interception let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.

Heres what these scripts typically gather:
  • Browser fingerprints (user agent screen resolution, installed fonts)
  • Hardware details (GPU info via WebGL rendering CPU cores)
  • Mouse movements and click patterns (speed, jitter natural vs. bot-like paths)
  • Typing rhythm (how fast you enter data, pauses between keystrokes)
  • Whether you're using a headless browser or automation tools (Selenium etc.)


All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if youre legit or sketchy.

These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
  • Base64 encode their payloads
  • Use character swapping (like replacing a' with x' and vice versa)
  • Obfuscate their JavaScript code
  • Split data across multiple requests
  • Use custom encoding schemes
But heres the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process which means it's there for the taking if you know where to look.

Practical Example: Riskified in Booking.com

Lets get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures this one actually has some teeth to it.

First, we need to set up interception rules in Burp Suite:
  1. Go to Proxy > Options > Intercept Client Requests
  2. Add a rule: AND domain name matches c.riskified.com
  3. Disable response interception
UBbyfPX.png

Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:

mp84qwV.png


After connecting here, it downloads the JS needed to fingerprint your system. This isnt casual data collection – it's a full digital cavity search that attempts to send everything about you to:

c.riskified.com

Since weve set up interception the fingerprint won't be sent to Riskifieds servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:

nOXNHNL.png

Deobfuscation

Anti-fraud sites obfuscate your fingerprint because if they didnt tampering would be child's play. Its like hiding your house key – sure, it's still there but at least make the thief work for it.

Deobfuscating the code takes skill, but its not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70 just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't:

avqVKui.png

But you know me, I love all of you so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, Ive enabled Riskified but I'll be adding most anti-fraud providers soon.


So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.

ADbPFPq.png

After deobfuscation your fingerprint data appears like an open book.
Code:
{
  "lat": 37.7749,
  "timezone": 240,
  "timestamp": "1689452187394",
  "cart_id": "7629384105",
  "shop_id": "cf.bstatic.com",
  "referrer": "https://secure.booking.com/",
  "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
  "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
  "color_depth": 24,
  "page_id": "9xzp4r",
  "shop": "www.booking.com",
  "hardware_concurrency": 8,
  "has_touch": true,
  "history_length": 7,
  "document_title": "Booking.com",
  "console_error": "console.memory is undefined",
  "battery_error": "Error getBattery()",
  "initial_cookie_state_0": "https",
  "initial_cookie_state_1": "persistent",
  "browser": {
    "productsub": "20030107",
    "is_opr": true,
    "is_firefox": false,
    "ev_len": 42
  },
  "os": {
    "cpu": "Windows NT 10.0",
    "platform": "Win32"
  },
  "webgl": {
    "vendor": "Google Inc.",
    "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
  },
  "resolution": {
    "dpr": 1.5,
    "screenh": 1080,
    "screenw": 1920,
    "availh": 1040,
    "availw": 1920,
    "innerh": 900,
    "innerw": 1600,
    "outerh": 1040,
    "outerw": 1920
  },
  "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
  "intl": {
    "locale": "en-GB",
    "num_sys": "latn",
    "cal": "gregory",
    "tz": "America/New_York"
  },
  "downlink_error": "navigator.connection is undefined",
  "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
  "nav_lang": "en-GB",
  "page_language_data": {
    "page_language": "en",
    "has_translation": true
  },
  "incognito": {
    "safari": true,
    "chrome_quota": 120,
    "service_worker_undefined": false,
    "is_brave": true
  }
}



You can then make strategic edits to boost trust factors and align with your target profile:

* Hidden text: cannot be quoted. *


Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.

IQqqtYh.png

This process links your fabricated fingerprint to your cookie. The system thinks youre just another legitimate customer instead of the digital con artist you truly are.

Conclusion

Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look – youre altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.

Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking the more precisely you can manipulate it.

Remember: effective digital deception isnt about invisibility – it's about looking so normal they never think to look twice.

Keep in mind we hae barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. Its a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.

See you soon. d0ctrine out.
cool post
 

facai8800

Newbie
Joined
02.01.25
Messages
2
Reaction score
0
Points
1
View attachment 8294🛠️ Tampering Antifraud Requests using Burp Suite 🛠️

Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.

Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.



Intercepting Requests

See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.

Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.


This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.

Bypassing CVV Requirement via Intercept

One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.

Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details – number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.

lH0LEBp.png

The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}

Or replace it with an empty value:
[代码]{“card_number”:“41111111111111111”,“expiry”:“12/25”,“cvv”:“”,“billing_zip”:“10001”}[/code]

如果商家的后端验证很差劲(你会惊讶于有多少大型零售商搞砸了这一点),付款仍可能处理。一些支付网关将 CVV 配置为“可选”而不是必需的,而懒惰的开发人员通常不会强制执行适当的验证。见鬼,我以前见过商店,你甚至可以篡改和更改你正在结账的商品的价格。

其他大型零售商也存在类似的漏洞,Binners 可以利用这些漏洞使用他们生成的无需任何 CVV 的卡。

修改反欺诈请求

现在您已经了解了拦截的基本知识,让我们开始吧。我们都知道现代反欺诈系统非常狡猾。它们将 JavaScript 代码注入您浏览的页面,悄无声息地收集大量有关您的数据。这些脚本会跟踪从您的设备配置到您移动鼠标的方式等所有内容。

这些脚本通常收集以下信息:
  • 浏览器指纹(用户代理屏幕分辨率、安装的字体)
  • 硬件详细信息(通过 WebGL 渲染 CPU 核心获取的 GPU 信息)
  • 鼠标移动和点击模式(速度、抖动、自然路径与机器人路径)
  • 打字节奏(输入数据的速度、按键之间的停顿)
  • 无论您使用的是无头浏览器还是自动化工具(Selenium等)


所有这些数据都会被打包并发送到他们的服务器(例如Stripe的 m.stripe.com或 forter.com 端点),然后由 AI 系统来判断您是否合法或可疑。

这些系统知道他们的数据可能被篡改,所以他们试图隐藏数据,不让别人窥探。他们会:
  • Base64 编码其有效载荷
  • 使用字符交换(例如用 x' 替换 a' 或反之亦然)
  • 混淆JavaScript 代码
  • 在多个请求之间拆分数据
  • 使用自定义编码方案
但这里有一个肮脏的事实:通过隐蔽性实现的安全性与您花 1 美元购买的 414720 一样有效。这些系统必须以您的浏览器可以处理的格式发送数据,这意味着如果您知道在哪里查找,这些数据就在那里。

实例:Booking.com 中的 Riskified

让我们来试试Riskified,这是一个臭名昭著的防欺诈系统,它一直在阻止各种信用卡欺诈行为。与一些半吊子的安全措施不同,这个系统实际上有一些威力。

首先,我们需要在Burp Suite中设置拦截规则:
  1. 转至代理 > 选项 > 拦截客户端请求
  2. 添加规则:AND 域名与 c.riskified.com 匹配
  3. 禁用响应拦截
UBbyfPX.png

现在浏览该网站并选择航班并尝试进入结帐页面,它很可能会首先连接到:

mp84qwV.png


连接到此处后,它会下载指纹识别系统所需的 JS。这不是随意的数据收集 - 而是一次完整的数字体腔搜索,它会尝试将您的所有信息发送到:

c.riskified.com

由于我们已设置拦截,因此指纹不会被发送到Riskifieds服务器。如果您检查 HTTP 日志面板,您会看到它试图发送包含您的数字 DNA 的模糊有效负载:

nOXNHNL.png

反混淆

反欺诈网站会模糊您的指纹,因为如果他们不这样做,篡改指纹就是小菜一碟。这就像藏起您的家门钥匙一样——当然,钥匙还在那儿,但至少要让小偷费点力气才能找到它。

反混淆代码需要技巧,但这不是火箭科学。你只需要逆向分析 JS 如何创建有效载荷。如果你的智商低于 70,可以咨询人工智能。如果你自以为很聪明,认为 Riskified 只是 Base64(尽管他们中的许多人只是使用 Base64 编码),事实并非如此:

avqVKui.png

但你们知道我,我爱你们所有人,所以为了这个演示,我开发了一个工具来帮助对流行的反检测解决方案中的指纹进行反混淆。为了这个演示,我启用了Riskified,但我很快就会添加大多数反欺诈提供商。


因此,为了让事情变得简单,请前往 BinX 中的反欺诈反混淆工具并选择Riskified,然后粘贴我们拦截的有效载荷。

ADbPFPq.png

去混淆后,您的指纹数据看起来就像一本打开的书。
[代码]
{
“纬度”:37.7749,
“时区”:240,
“时间戳”:“1689452187394”,
“购物车 ID”:“7629384105”,
"shop_id": "cf.bstatic.com",
“推荐人”:“https://secure.booking.com/”,
“href”:“https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html”,
“riskified_cookie”:“p8jkl352qxnrtyuvcbm7fds9ghzwe6”,
“颜色深度”:24,
"page_id": "9xzp4r",
“商店”:“www.booking.com”,
“硬件并发”:8,
“has_touch”:真,
“历史长度”:7,
"document_title": "Booking.com",
“console_error”:“console.memory 未定义”,
"battery_error": "获取电池错误()",
"initial_cookie_state_0": "https",
"initial_cookie_state_1": "持久",
“浏览器”:{
“产品子项”:“20030107”,
“is_opr”:是的,
“is_firefox”:false,
“ev_len”:42
},
“操作系统”:{
“cpu”:“Windows NT 10.0”,
“平台”:“Win32”
},
“webgl”:{
“供应商”:“Google Inc.”,
“渲染器”:“ANGLE(英特尔、英特尔 (R) UHD 显卡 620、OpenGL 4.5)”
},
“解决”: {
“dpr”:1.5,
“屏幕显示”:1080,
“screenw”:1920,
“可用性”:1040,
“可用”:1920,
“内部”:900,
“内部”:1600,
“外部”:1040,
“outerw”:1920
},
“date_string”:“2025 年 3 月 25 日星期五 14:23:07 GMT-0400(东部夏令时间)”,
“国际”:{
“语言环境”:“en-GB”,
“num_sys”:“latn”,
“cal”:“gregory”,
“tz”:“美国/纽约”
},
"downlink_error": "navigator.connection 未定义",
"nav_plu": "Chrome PDF 插件,Chrome PDF 查看器,本机客户端",
“nav_lang”:“en-GB”,
“页面语言数据”:{
"page_language": "en",
“has_translation”:true
},
“隐身”:{
“safari”:真,
“chrome_quota”:120,
“service_worker_undefined”:false,
“is_brave”:真
}
}
[/代码]



然后,您可以进行战略性修改,以提高信任因素并与您的目标资料保持一致:

* 隐藏文字:无法引用。*


完成更改后,将其混淆并替换拦截仪表板中的有效负载并转发请求。

IQqqtYh.png

此过程将您伪造的指纹与您的 cookie 关联起来。系统会认为您只是另一个合法客户,而不是真正的数字骗子。

结论

使用Burp Suite操纵反欺诈系统就像拥有一套数字伪装工具。您不仅会改变自己的外表,还会改变安全摄像头所看到的内容。通过将Burp置于浏览器和这些系统之间,您可以向它们提供您想要的任何指纹,甚至无需使用反检测。

成功取决于准确了解这些系统收集的内容及其解释方式。在处理反欺诈请求之前,请分析Burp日志以研究它们。在 JSON 数据中寻找模式。您越了解它们在检查什么,您就能越精确地操纵它们。

请记住:有效的数字欺骗并不在于隐形,而在于让它看起来非常正常,以至于人们根本不会多看一眼。

请记住,我们只是触及了Burp Suite功能的表面。这款强大的工具有几十个模块和数百个我甚至没有触及的功能 - 从自动扫描到查找 SQLi 漏洞再到模糊测试端点。它是一款复杂的工具,花时间掌握它的人会获得回报。我将在未来的指南中介绍更高级的技术。

很快会看到你。d0ctrine out。
99
 

moders3

Newbie
Joined
21.02.25
Messages
7
Reaction score
0
Points
1
View attachment 8294🛠️ Tampering Antifraud Requests using Burp Suite 🛠️

Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.

Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.



Intercepting Requests

See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.

Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.


This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.

Bypassing CVV Requirement via Intercept

One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.

Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details – number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.

lH0LEBp.png

The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}

Or replace it with an empty value:
Code:
{"card_number":"4111111111111111","expiry":"12/25""cvv":"","billing_zip":"10001"}

If the merchants backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often dont enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.

Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.

Altering Antifraud Request

Now that you understand the basics of interception let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.

Heres what these scripts typically gather:
  • Browser fingerprints (user agent screen resolution, installed fonts)
  • Hardware details (GPU info via WebGL rendering CPU cores)
  • Mouse movements and click patterns (speed, jitter natural vs. bot-like paths)
  • Typing rhythm (how fast you enter data, pauses between keystrokes)
  • Whether you're using a headless browser or automation tools (Selenium etc.)


All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if youre legit or sketchy.

These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
  • Base64 encode their payloads
  • Use character swapping (like replacing a' with x' and vice versa)
  • Obfuscate their JavaScript code
  • Split data across multiple requests
  • Use custom encoding schemes
But heres the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process which means it's there for the taking if you know where to look.

Practical Example: Riskified in Booking.com

Lets get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures this one actually has some teeth to it.

First, we need to set up interception rules in Burp Suite:
  1. Go to Proxy > Options > Intercept Client Requests
  2. Add a rule: AND domain name matches c.riskified.com
  3. Disable response interception
UBbyfPX.png

Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:

mp84qwV.png


After connecting here, it downloads the JS needed to fingerprint your system. This isnt casual data collection – it's a full digital cavity search that attempts to send everything about you to:

c.riskified.com

Since weve set up interception the fingerprint won't be sent to Riskifieds servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:

nOXNHNL.png

Deobfuscation

Anti-fraud sites obfuscate your fingerprint because if they didnt tampering would be child's play. Its like hiding your house key – sure, it's still there but at least make the thief work for it.

Deobfuscating the code takes skill, but its not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70 just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't:

avqVKui.png

But you know me, I love all of you so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, Ive enabled Riskified but I'll be adding most anti-fraud providers soon.


So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.

ADbPFPq.png

After deobfuscation your fingerprint data appears like an open book.
Code:
{
  "lat": 37.7749,
  "timezone": 240,
  "timestamp": "1689452187394",
  "cart_id": "7629384105",
  "shop_id": "cf.bstatic.com",
  "referrer": "https://secure.booking.com/",
  "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
  "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
  "color_depth": 24,
  "page_id": "9xzp4r",
  "shop": "www.booking.com",
  "hardware_concurrency": 8,
  "has_touch": true,
  "history_length": 7,
  "document_title": "Booking.com",
  "console_error": "console.memory is undefined",
  "battery_error": "Error getBattery()",
  "initial_cookie_state_0": "https",
  "initial_cookie_state_1": "persistent",
  "browser": {
    "productsub": "20030107",
    "is_opr": true,
    "is_firefox": false,
    "ev_len": 42
  },
  "os": {
    "cpu": "Windows NT 10.0",
    "platform": "Win32"
  },
  "webgl": {
    "vendor": "Google Inc.",
    "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
  },
  "resolution": {
    "dpr": 1.5,
    "screenh": 1080,
    "screenw": 1920,
    "availh": 1040,
    "availw": 1920,
    "innerh": 900,
    "innerw": 1600,
    "outerh": 1040,
    "outerw": 1920
  },
  "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
  "intl": {
    "locale": "en-GB",
    "num_sys": "latn",
    "cal": "gregory",
    "tz": "America/New_York"
  },
  "downlink_error": "navigator.connection is undefined",
  "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
  "nav_lang": "en-GB",
  "page_language_data": {
    "page_language": "en",
    "has_translation": true
  },
  "incognito": {
    "safari": true,
    "chrome_quota": 120,
    "service_worker_undefined": false,
    "is_brave": true
  }
}



You can then make strategic edits to boost trust factors and align with your target profile:

* Hidden text: cannot be quoted. *


Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.

IQqqtYh.png

This process links your fabricated fingerprint to your cookie. The system thinks youre just another legitimate customer instead of the digital con artist you truly are.

Conclusion

Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look – youre altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.

Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking the more precisely you can manipulate it.

Remember: effective digital deception isnt about invisibility – it's about looking so normal they never think to look twice.

Keep in mind we hae barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. Its a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.

See you soon. d0ctrine out.
Been looking for this
 

fring

Newbie
Joined
25.10.24
Messages
2
Reaction score
0
Points
1
View attachment 8294⁇ Tampering Antifraud Requests using Burp Suite ⁇

Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.

Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.



Intercepting Requests

See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.

Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.


This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.

Bypassing CVV Requirement via Intercept

One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.

Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details – number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.

lH0LEBp.png

The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}

Or replace it with an empty value:
Code:
{"card_number":"4111111111111111","expiry":"12/25""cvv":"","billing_zip":"10001"}

If the merchants backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often dont enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.

Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.

Altering Antifraud Request

Now that you understand the basics of interception let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.

Heres what these scripts typically gather:
  • Browser fingerprints (user agent screen resolution, installed fonts)
  • Hardware details (GPU info via WebGL rendering CPU cores)
  • Mouse movements and click patterns (speed, jitter natural vs. bot-like paths)
  • Typing rhythm (how fast you enter data, pauses between keystrokes)
  • Whether you're using a headless browser or automation tools (Selenium etc.)


All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if youre legit or sketchy.

These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
  • Base64 encode their payloads
  • Use character swapping (like replacing a' with x' and vice versa)
  • Obfuscate their JavaScript code
  • Split data across multiple requests
  • Use custom encoding schemes
But heres the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process which means it's there for the taking if you know where to look.

Practical Example: Riskified in Booking.com

Lets get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures this one actually has some teeth to it.

First, we need to set up interception rules in Burp Suite:
  1. Go to Proxy > Options > Intercept Client Requests
  2. Add a rule: AND domain name matches c.riskified.com
  3. Disable response interception
UBbyfPX.png

Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:

mp84qwV.png


After connecting here, it downloads the JS needed to fingerprint your system. This isnt casual data collection – it's a full digital cavity search that attempts to send everything about you to:

c.riskified.com

Since weve set up interception the fingerprint won't be sent to Riskifieds servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:

nOXNHNL.png

Deobfuscation

Anti-fraud sites obfuscate your fingerprint because if they didnt tampering would be child's play. Its like hiding your house key – sure, it's still there but at least make the thief work for it.

Deobfuscating the code takes skill, but its not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70 just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't:

avqVKui.png

But you know me, I love all of you so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, Ive enabled Riskified but I'll be adding most anti-fraud providers soon.


So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.

ADbPFPq.png

After deobfuscation your fingerprint data appears like an open book.
Code:
{
  "lat": 37.7749,
  "timezone": 240,
  "timestamp": "1689452187394",
  "cart_id": "7629384105",
  "shop_id": "cf.bstatic.com",
  "referrer": "https://secure.booking.com/",
  "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
  "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
  "color_depth": 24,
  "page_id": "9xzp4r",
  "shop": "www.booking.com",
  "hardware_concurrency": 8,
  "has_touch": true,
  "history_length": 7,
  "document_title": "Booking.com",
  "console_error": "console.memory is undefined",
  "battery_error": "Error getBattery()",
  "initial_cookie_state_0": "https",
  "initial_cookie_state_1": "persistent",
  "browser": {
    "productsub": "20030107",
    "is_opr": true,
    "is_firefox": false,
    "ev_len": 42
  },
  "os": {
    "cpu": "Windows NT 10.0",
    "platform": "Win32"
  },
  "webgl": {
    "vendor": "Google Inc.",
    "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
  },
  "resolution": {
    "dpr": 1.5,
    "screenh": 1080,
    "screenw": 1920,
    "availh": 1040,
    "availw": 1920,
    "innerh": 900,
    "innerw": 1600,
    "outerh": 1040,
    "outerw": 1920
  },
  "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
  "intl": {
    "locale": "en-GB",
    "num_sys": "latn",
    "cal": "gregory",
    "tz": "America/New_York"
  },
  "downlink_error": "navigator.connection is undefined",
  "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
  "nav_lang": "en-GB",
  "page_language_data": {
    "page_language": "en",
    "has_translation": true
  },
  "incognito": {
    "safari": true,
    "chrome_quota": 120,
    "service_worker_undefined": falso,
    "is_brave": verdadero
  }
}
[/CÓDIGO]



Luego puede hacer ediciones estratégicas para impulsar [COLOR=rgb(0, 255, 0)]factores de confianza[/COLOR] y alinearse con su perfil de destino:

[B]* Texto oculto: no se puede citar. *[/B]


Una vez que haya realizado sus cambios, ofusque esa mierda y reemplace la carga útil en su panel de intercepción y REENVÍE la solicitud.
[CENTER]
[IMG width="908px"]https://i.imgur.com/IQqqtYh.png[/IMG][/CENTER]

Este proceso vincula su huella digital fabricada a su cookie. El sistema cree que eres solo otro [COLOR=rgb(0, 255, 0)]cliente legítimo[/COLOR] en lugar del estafador digital que realmente eres.

[SIZE=6]Conclusión[/SIZE]

Manipulación de sistemas antifraude con [COLOR=rgb(0, 191, 255)]Suite Burp[/COLOR] es como tener un kit de disfraz digital. No solo estás cambiando tu aspecto – estás alterando lo que ven las cámaras de seguridad. Por posicionamiento [COLOR=rgb(0, 191, 255)]Arrugar[/COLOR] entre su navegador y estos sistemas puede alimentarlos con la huella digital que desee, sin siquiera usar un antidetecto.

El éxito depende de entender exactamente lo que estos sistemas recopilan y cómo lo interpretan. Analiza tu [COLOR=rgb(0, 191, 255)]Arrugar[/COLOR] registros para estudiar las solicitudes de antifraude antes de jugar con ellos. Busque patrones en los datos de JSON. Cuanto más entiendas lo que están revisando, más precisamente podrás manipularlo.

Recuerde: el engaño digital efectivo no se trata de invisibilidad – se trata de verse tan normal que nunca piensan mirar dos veces.

Tenga en cuenta que apenas hemos arañado la superficie de lo que [URL='https://portswigger.net/burp']Suite Burp[/URL] puede hacer. Esta bestia de una herramienta tiene docenas de módulos y cientos de características que ni siquiera he tocado, desde el escaneo automatizado hasta la búsqueda de vulnerabilidades SQLi y puntos finales difusos. Es una herramienta compleja que recompensa a quienes invierten tiempo en dominarla. Cubriré técnicas más avanzadas en futuras guías.

Hasta pronto. d0ctrine fuera.
[/QUOTE]
 

mooseman4556

Newbie
Joined
26.03.25
Messages
9
Reaction score
1
Points
3
View attachment 8294🛠️ Tampering Antifraud Requests using Burp Suite 🛠️

Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.

Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.



Intercepting Requests

See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.

Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.


This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.

Bypassing CVV Requirement via Intercept

One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.

Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details – number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.

lH0LEBp.png

The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}

Or replace it with an empty value:
Code:
{"card_number":"4111111111111111","expiry":"12/25""cvv":"","billing_zip":"10001"}

If the merchants backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often dont enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.

Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.

Altering Antifraud Request

Now that you understand the basics of interception let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.

Heres what these scripts typically gather:
  • Browser fingerprints (user agent screen resolution, installed fonts)
  • Hardware details (GPU info via WebGL rendering CPU cores)
  • Mouse movements and click patterns (speed, jitter natural vs. bot-like paths)
  • Typing rhythm (how fast you enter data, pauses between keystrokes)
  • Whether you're using a headless browser or automation tools (Selenium etc.)


All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if youre legit or sketchy.

These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
  • Base64 encode their payloads
  • Use character swapping (like replacing a' with x' and vice versa)
  • Obfuscate their JavaScript code
  • Split data across multiple requests
  • Use custom encoding schemes
But heres the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process which means it's there for the taking if you know where to look.

Practical Example: Riskified in Booking.com

Lets get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures this one actually has some teeth to it.

First, we need to set up interception rules in Burp Suite:
  1. Go to Proxy > Options > Intercept Client Requests
  2. Add a rule: AND domain name matches c.riskified.com
  3. Disable response interception
UBbyfPX.png

Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:

mp84qwV.png


After connecting here, it downloads the JS needed to fingerprint your system. This isnt casual data collection – it's a full digital cavity search that attempts to send everything about you to:

c.riskified.com

Since weve set up interception the fingerprint won't be sent to Riskifieds servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:

nOXNHNL.png

Deobfuscation

Anti-fraud sites obfuscate your fingerprint because if they didnt tampering would be child's play. Its like hiding your house key – sure, it's still there but at least make the thief work for it.

Deobfuscating the code takes skill, but its not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70 just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't:

avqVKui.png

But you know me, I love all of you so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, Ive enabled Riskified but I'll be adding most anti-fraud providers soon.


So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.

ADbPFPq.png

After deobfuscation your fingerprint data appears like an open book.
Code:
{
  "lat": 37.7749,
  "timezone": 240,
  "timestamp": "1689452187394",
  "cart_id": "7629384105",
  "shop_id": "cf.bstatic.com",
  "referrer": "https://secure.booking.com/",
  "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
  "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
  "color_depth": 24,
  "page_id": "9xzp4r",
  "shop": "www.booking.com",
  "hardware_concurrency": 8,
  "has_touch": true,
  "history_length": 7,
  "document_title": "Booking.com",
  "console_error": "console.memory is undefined",
  "battery_error": "Error getBattery()",
  "initial_cookie_state_0": "https",
  "initial_cookie_state_1": "persistent",
  "browser": {
    "productsub": "20030107",
    "is_opr": true,
    "is_firefox": false,
    "ev_len": 42
  },
  "os": {
    "cpu": "Windows NT 10.0",
    "platform": "Win32"
  },
  "webgl": {
    "vendor": "Google Inc.",
    "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
  },
  "resolution": {
    "dpr": 1.5,
    "screenh": 1080,
    "screenw": 1920,
    "availh": 1040,
    "availw": 1920,
    "innerh": 900,
    "innerw": 1600,
    "outerh": 1040,
    "outerw": 1920
  },
  "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
  "intl": {
    "locale": "en-GB",
    "num_sys": "latn",
    "cal": "gregory",
    "tz": "America/New_York"
  },
  "downlink_error": "navigator.connection is undefined",
  "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
  "nav_lang": "en-GB",
  "page_language_data": {
    "page_language": "en",
    "has_translation": true
  },
  "incognito": {
    "safari": true,
    "chrome_quota": 120,
    "service_worker_undefined": false,
    "is_brave": true
  }
}



You can then make strategic edits to boost trust factors and align with your target profile:

* Hidden text: cannot be quoted. *


Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.

IQqqtYh.png

This process links your fabricated fingerprint to your cookie. The system thinks youre just another legitimate customer instead of the digital con artist you truly are.

Conclusion

Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look – youre altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.

Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking the more precisely you can manipulate it.

Remember: effective digital deception isnt about invisibility – it's about looking so normal they never think to look twice.

Keep in mind we hae barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. Its a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.

See you soon. d0ctrine out.
thanks
 

Jekas-DM

Newbie
Joined
19.01.25
Messages
3
Reaction score
0
Points
1
View attachment 8294🛠️ Tampering Antifraud Requests using Burp Suite 🛠️

Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.

Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.



Intercepting Requests

See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.

Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.


This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.

Bypassing CVV Requirement via Intercept

One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.

Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details – number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.

lH0LEBp.png

The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}

Or replace it with an empty value:
Code:
{"card_number":"4111111111111111","expiry":"12/25""cvv":"","billing_zip":"10001"}

If the merchants backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often dont enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.

Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.

Altering Antifraud Request

Now that you understand the basics of interception let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.

Heres what these scripts typically gather:
  • Browser fingerprints (user agent screen resolution, installed fonts)
  • Hardware details (GPU info via WebGL rendering CPU cores)
  • Mouse movements and click patterns (speed, jitter natural vs. bot-like paths)
  • Typing rhythm (how fast you enter data, pauses between keystrokes)
  • Whether you're using a headless browser or automation tools (Selenium etc.)


All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if youre legit or sketchy.

These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
  • Base64 encode their payloads
  • Use character swapping (like replacing a' with x' and vice versa)
  • Obfuscate their JavaScript code
  • Split data across multiple requests
  • Use custom encoding schemes
But heres the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process which means it's there for the taking if you know where to look.

Practical Example: Riskified in Booking.com

Lets get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures this one actually has some teeth to it.

First, we need to set up interception rules in Burp Suite:
  1. Go to Proxy > Options > Intercept Client Requests
  2. Add a rule: AND domain name matches c.riskified.com
  3. Disable response interception
UBbyfPX.png

Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:

mp84qwV.png


After connecting here, it downloads the JS needed to fingerprint your system. This isnt casual data collection – it's a full digital cavity search that attempts to send everything about you to:

c.riskified.com

Since weve set up interception the fingerprint won't be sent to Riskifieds servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:

nOXNHNL.png

Deobfuscation

Anti-fraud sites obfuscate your fingerprint because if they didnt tampering would be child's play. Its like hiding your house key – sure, it's still there but at least make the thief work for it.

Deobfuscating the code takes skill, but its not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70 just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't:

avqVKui.png

But you know me, I love all of you so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, Ive enabled Riskified but I'll be adding most anti-fraud providers soon.


So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.

ADbPFPq.png

After deobfuscation your fingerprint data appears like an open book.
Code:
{
  "lat": 37.7749,
  "timezone": 240,
  "timestamp": "1689452187394",
  "cart_id": "7629384105",
  "shop_id": "cf.bstatic.com",
  "referrer": "https://secure.booking.com/",
  "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
  "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
  "color_depth": 24,
  "page_id": "9xzp4r",
  "shop": "www.booking.com",
  "hardware_concurrency": 8,
  "has_touch": true,
  "history_length": 7,
  "document_title": "Booking.com",
  "console_error": "console.memory is undefined",
  "battery_error": "Error getBattery()",
  "initial_cookie_state_0": "https",
  "initial_cookie_state_1": "persistent",
  "browser": {
    "productsub": "20030107",
    "is_opr": true,
    "is_firefox": false,
    "ev_len": 42
  },
  "os": {
    "cpu": "Windows NT 10.0",
    "platform": "Win32"
  },
  "webgl": {
    "vendor": "Google Inc.",
    "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
  },
  "resolution": {
    "dpr": 1.5,
    "screenh": 1080,
    "screenw": 1920,
    "availh": 1040,
    "availw": 1920,
    "innerh": 900,
    "innerw": 1600,
    "outerh": 1040,
    "outerw": 1920
  },
  "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
  "intl": {
    "locale": "en-GB",
    "num_sys": "latn",
    "cal": "gregory",
    "tz": "America/New_York"
  },
  "downlink_error": "navigator.connection is undefined",
  "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
  "nav_lang": "en-GB",
  "page_language_data": {
    "page_language": "en",
    "has_translation": true
  },
  "incognito": {
    "safari": true,
    "chrome_quota": 120,
    "service_worker_undefined": false,
    "is_brave": true
  }
}



You can then make strategic edits to boost trust factors and align with your target profile:

* Hidden text: cannot be quoted. *


Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.

IQqqtYh.png

This process links your fabricated fingerprint to your cookie. The system thinks youre just another legitimate customer instead of the digital con artist you truly are.

Conclusion

Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look – youre altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.

Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking the more precisely you can manipulate it.

Remember: effective digital deception isnt about invisibility – it's about looking so normal they never think to look twice.

Keep in mind we hae barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. Its a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.

See you soon. d0ctrine out.
thanks
 

demonastan

Newbie
Joined
27.03.25
Messages
6
Reaction score
0
Points
1
View attachment 8294🛠️ Tampering Antifraud Requests using Burp Suite 🛠️

Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.

Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.



Intercepting Requests

See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.

Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.


This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.

Bypassing CVV Requirement via Intercept

One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.

Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details – number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.

lH0LEBp.png

The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}

Or replace it with an empty value:
[mã]{"card_number":"41111111111111111","hết hạn":"25/12""cvv":"","billing_zip":"10001"}[/mã]

Nếu xác thực backend của thương gia là rác (và bạn sẽ ngạc nhiên khi thấy có bao nhiêu nhà bán lẻ lớn làm hỏng điều này) thì thanh toán vẫn có thể xử lý. Một số cổng thanh toán định cấu hình CVV là "tùy chọn" thay vì bắt buộc và các nhà phát triển lười biếng thường không thực thi xác thực phù hợp. Chết tiệt, tôi đã từng thấy các cửa hàng mà bạn thậm chí có thể can thiệp và thay đổi giá của các mặt hàng bạn đang thanh toán.

Các nhà bán lẻ lớn khác cũng có lỗ hổng tương tự mà Binners khai thác để sử dụng thẻ do họ tạo ra mà không cần bất kỳ mã CVV nào.

Thay đổi yêu cầu chống gian lận

Bây giờ bạn đã hiểu những điều cơ bản về chặn bắt, hãy cùng tiến lên. Chúng ta đều biết các hệ thống chống gian lận hiện đại là những kẻ gian xảo . Chúng đưa mã JavaScript vào các trang bạn duyệt, âm thầm thu thập hàng núi dữ liệu về bạn. Các tập lệnh này theo dõi mọi thứ từ cấu hình thiết bị của bạn đến cách bạn di chuyển chuột.

Sau đây là những gì các tập lệnh này thường thu thập:
  • Dấu vân tay trình duyệt (độ phân giải màn hình tác nhân người dùng, phông chữ đã cài đặt)
  • Chi tiết phần cứng (thông tin GPU qua lõi CPU kết xuất WebGL)
  • Chuyển động của chuột và kiểu nhấp chuột (tốc độ, độ rung tự nhiên so với đường dẫn giống bot)
  • Nhịp độ gõ phím (tốc độ nhập dữ liệu, thời gian dừng giữa các lần nhấn phím)
  • Cho dù bạn đang sử dụng trình duyệt không có giao diện hay công cụ tự động hóa (Selenium, v.v.)


Tất cả dữ liệu này được đóng gói và gửi đến máy chủ của họ (như m.stripe.com dành cho Stripe hoặc điểm cuối forter.com), tại đó hệ thống AI sẽ quyết định xem bạn có hợp pháp hay không.

Các hệ thống này biết rằng dữ liệu của họ có thể bị can thiệp, vì vậy họ cố gắng ẩn dữ liệu khỏi những con mắt tò mò. Họ sẽ:
  • Base64 mã hóa các tải trọng của chúng
  • Sử dụng hoán đổi ký tự (như thay thế a' bằng x' và ngược lại)
  • Làm tối nghĩa mã JavaScript của họ
  • Chia dữ liệu thành nhiều yêu cầu
  • Sử dụng các chương trình mã hóa tùy chỉnh
Nhưng đây là sự thật phũ phàng: bảo mật thông qua sự mơ hồ cũng hiệu quả như 414720 mà bạn mua với giá 1 đô la. Các hệ thống này phải gửi dữ liệu theo định dạng mà trình duyệt của bạn có thể xử lý, nghĩa là bạn có thể lấy dữ liệu nếu biết tìm ở đâu.

Ví dụ thực tế: Riskified trong Booking.com

Hãy cùng bắt tay vào Riskified , một trong những hệ thống phòng chống gian lận khét tiếng nhất đã làm những người chơi bài phải bối rối. Không giống như một số biện pháp bảo mật nửa vời, biện pháp này thực sự có một số điểm mạnh.

Đầu tiên, chúng ta cần thiết lập các quy tắc chặn trong Burp Suite :
  1. Vào Proxy > Tùy chọn > Chặn yêu cầu của máy khách
  2. Thêm quy tắc: VÀ tên miền khớp với c.riskified.com
  3. Vô hiệu hóa chặn phản hồi
UBbyfPX.png

Bây giờ hãy duyệt quanh trang web và chọn chuyến bay rồi thử truy cập vào trang thanh toán và rất có thể chuyến bay sẽ kết nối đầu tiên đến:

mp84qwV.png

[URL mở rộng="true"]https://beacon.riskified.com/[/URL]

Sau khi kết nối ở đây, nó sẽ tải xuống JS cần thiết để lấy dấu vân tay hệ thống của bạn. Đây không phải là thu thập dữ liệu thông thường – mà là tìm kiếm khoang kỹ thuật số đầy đủ cố gắng gửi mọi thứ về bạn đến:

c.riskified.com

Vì chúng tôi đã thiết lập chặn nên dấu vân tay sẽ không được gửi đến máy chủ Riskifieds . Nếu bạn kiểm tra bảng điều khiển nhật ký HTTP, bạn sẽ thấy nó đang cố gắng gửi một tải trọng được mã hóa có chứa DNA kỹ thuật số của bạn:

nOXNHNL.png

Giải mã

Các trang web chống gian lận che giấu dấu vân tay của bạn vì nếu không thì việc giả mạo sẽ là trò trẻ con. Giống như việc giấu chìa khóa nhà của bạn – chắc chắn, nó vẫn ở đó nhưng ít nhất hãy bắt tên trộm phải làm việc để lấy nó.

Việc giải mã mã hóa cần có kỹ năng, nhưng không phải là khoa học tên lửa. Bạn chỉ cần đảo ngược kỹ thuật để tìm ra cách JS tạo ra tải trọng. Đối với những ai có IQ dưới 70, hãy tham khảo AI. Và nếu bạn cảm thấy mình thông minh khi nghĩ rằng chỉ có Base64 cho Riskified (mặc dù nhiều người trong số họ chỉ sử dụng mã hóa Base64), thì không phải vậy:

avqVKui.png

Nhưng bạn biết tôi mà, tôi yêu tất cả các bạn nên đối với bản demo này, tôi đã phát triển một công cụ giúp giải mã dấu vân tay từ các giải pháp chống phát hiện phổ biến. Đối với bản demo này, tôi đã bật Riskified nhưng tôi sẽ sớm thêm hầu hết các nhà cung cấp chống gian lận.

[URL mở rộng="true"]https://binx.cc/tools/antifraud-deobfuscate[/URL]

Vì vậy, để mọi việc dễ dàng hơn, hãy đến công cụ giải mã chống gian lận trong BinX và chọn Riskified , sau đó dán dữ liệu đã chặn của chúng tôi.

ADbPFPq.png

Sau khi giải mã, dữ liệu dấu vân tay của bạn sẽ trông giống như một cuốn sách mở.
[MÃ SỐ]
{
"vĩ độ": 37.7749,
"múi giờ": 240,
"dấu thời gian": "1689452187394",
"cart_id": "7629384105",
"shop_id": "cf.bstatic.com",
"người giới thiệu": "https://secure.booking.com/",
"href": "https://cf.bstatic.com/static/tag_c...a077563c1795a773c91150dd19adefe98d13fd65.html",
"riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
"color_depth": 24,
"page_id": "9xzp4r",
"cửa hàng": "www.booking.com",
"hardware_concurrency": 8,
"has_touch": đúng,
"lịch sử_chiều dài": 7,
"document_title": "Đặt phòng.com",
"console_error": "console.memory không được xác định",
"battery_error": "Lỗi getBattery()",
"initial_cookie_state_0": "https",
"initial_cookie_state_1": "liên tục",
"trình duyệt": {
"productsub": "20030107",
"is_opr": đúng,
"is_firefox": sai,
"ev_len": 42
},
"hệ điều hành": {
"cpu": "Windows NT 10.0",
"nền tảng": "Win32"
},
"webgl": {
"nhà cung cấp": "Google Inc.",
"trình kết xuất": "GÓC (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
},
"nghị quyết": {
"dpr": 1,5,
"màn hình": 1080,
"màn hình": 1920,
"có sẵn": 1040,
"có sẵn": 1920,
"bên trong": 900,
"bên trong": 1600,
"bên ngoài": 1040,
"bên ngoài": 1920
},
"date_string": "Thứ sáu, ngày 25 tháng 3 năm 2025 14:23:07 GMT-0400 (Giờ ban ngày miền Đông)",
"quốc tế": {
"locale": "en-GB",
"num_sys": "vĩ độ",
"cal": "gregory",
"tz": "Mỹ/New_York"
},
"downlink_error": "navigator.connection không được xác định",
"nav_plu": "Trình cắm PDF của Chrome, Trình xem PDF của Chrome, Máy khách gốc",
"nav_lang": "vi-GB",
"dữ liệu ngôn ngữ trang": {
"page_language": "vi",
"has_translation": đúng
},
"ẩn danh": {
"safari": đúng,
"chrome_quota": 120,
"service_worker_undefined": sai,
"is_brave": đúng
}
}
[/MÃ SỐ]



Sau đó, bạn có thể thực hiện các chỉnh sửa chiến lược để tăng cường các yếu tố tin cậy và phù hợp với hồ sơ mục tiêu của mình:

* Văn bản ẩn: không thể trích dẫn. *


Sau khi thực hiện thay đổi, hãy làm tối nghĩa lại và thay thế dữ liệu trong bảng điều khiển chặn của bạn và CHUYỂN TIẾP yêu cầu.

IQqqtYh.png

Quá trình này liên kết dấu vân tay giả của bạn với cookie của bạn. Hệ thống nghĩ rằng bạn chỉ là một khách hàng hợp pháp khác thay vì là kẻ lừa đảo kỹ thuật số thực sự.

Phần kết luận

Thao túng các hệ thống chống gian lận bằng Burp Suite giống như có một bộ ngụy trang kỹ thuật số. Bạn không chỉ thay đổi diện mạo của mình – bạn đang thay đổi những gì camera an ninh nhìn thấy. Bằng cách đặt Burp giữa trình duyệt của bạn và các hệ thống này, bạn có thể cung cấp cho chúng bất kỳ dấu vân tay nào bạn muốn, thậm chí không cần sử dụng antidetect.

Thành công phụ thuộc vào việc hiểu chính xác những gì các hệ thống này thu thập và cách chúng diễn giải chúng. Phân tích nhật ký Burp của bạn để nghiên cứu các yêu cầu chống gian lận trước khi can thiệp vào chúng. Tìm kiếm các mẫu trong dữ liệu JSON. Bạn càng hiểu rõ những gì họ đang kiểm tra thì bạn càng có thể thao tác chính xác hơn.

Hãy nhớ: sự lừa dối hiệu quả trên mạng không phải là sự vô hình – mà là trông thật bình thường đến nỗi họ không bao giờ nghĩ đến việc phải nhìn lần thứ hai.

Hãy nhớ rằng chúng ta mới chỉ khai thác được bề nổi những gì Burp Suite có thể làm. Công cụ khủng này có hàng chục mô-đun và hàng trăm tính năng mà tôi thậm chí còn chưa đề cập đến - từ quét tự động đến tìm lỗ hổng SQLi đến fuzzing điểm cuối. Đây là một công cụ phức tạp, mang lại phần thưởng cho những ai đầu tư thời gian để thành thạo. Tôi sẽ đề cập đến các kỹ thuật nâng cao hơn trong các hướng dẫn sau.

Hẹn gặp lại sớm. d0ctrine ra mắt.
Nice job
 

amazznn1337

Newbie
Joined
26.10.22
Messages
2
Reaction score
0
Points
1
View attachment 8294🛠️ Tampering Antifraud Requests using Burp Suite 🛠️

Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.

Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.



Intercepting Requests

See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.

Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.


This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.

Bypassing CVV Requirement via Intercept

One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.

Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details – number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.

lH0LEBp.png

The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}

Or replace it with an empty value:
Code:
{"card_number":"4111111111111111","expiry":"12/25""cvv":"","billing_zip":"10001"}

If the merchants backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often dont enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.

Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.

Altering Antifraud Request

Now that you understand the basics of interception let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.

Heres what these scripts typically gather:
  • Browser fingerprints (user agent screen resolution, installed fonts)
  • Hardware details (GPU info via WebGL rendering CPU cores)
  • Mouse movements and click patterns (speed, jitter natural vs. bot-like paths)
  • Typing rhythm (how fast you enter data, pauses between keystrokes)
  • Whether you're using a headless browser or automation tools (Selenium etc.)


All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if youre legit or sketchy.

These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
  • Base64 encode their payloads
  • Use character swapping (like replacing a' with x' and vice versa)
  • Obfuscate their JavaScript code
  • Split data across multiple requests
  • Use custom encoding schemes
But heres the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process which means it's there for the taking if you know where to look.

Practical Example: Riskified in Booking.com

Lets get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures this one actually has some teeth to it.

First, we need to set up interception rules in Burp Suite:
  1. Go to Proxy > Options > Intercept Client Requests
  2. Add a rule: AND domain name matches c.riskified.com
  3. Disable response interception
UBbyfPX.png

Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:

mp84qwV.png


After connecting here, it downloads the JS needed to fingerprint your system. This isnt casual data collection – it's a full digital cavity search that attempts to send everything about you to:

c.riskified.com

Since weve set up interception the fingerprint won't be sent to Riskifieds servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:

nOXNHNL.png

Deobfuscation

Anti-fraud sites obfuscate your fingerprint because if they didnt tampering would be child's play. Its like hiding your house key – sure, it's still there but at least make the thief work for it.

Deobfuscating the code takes skill, but its not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70 just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't:

avqVKui.png

But you know me, I love all of you so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, Ive enabled Riskified but I'll be adding most anti-fraud providers soon.


So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.

ADbPFPq.png

After deobfuscation your fingerprint data appears like an open book.
Code:
{
  "lat": 37.7749,
  "timezone": 240,
  "timestamp": "1689452187394",
  "cart_id": "7629384105",
  "shop_id": "cf.bstatic.com",
  "referrer": "https://secure.booking.com/",
  "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
  "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
  "color_depth": 24,
  "page_id": "9xzp4r",
  "shop": "www.booking.com",
  "hardware_concurrency": 8,
  "has_touch": true,
  "history_length": 7,
  "document_title": "Booking.com",
  "console_error": "console.memory is undefined",
  "battery_error": "Error getBattery()",
  "initial_cookie_state_0": "https",
  "initial_cookie_state_1": "persistent",
  "browser": {
    "productsub": "20030107",
    "is_opr": true,
    "is_firefox": false,
    "ev_len": 42
  },
  "os": {
    "cpu": "Windows NT 10.0",
    "platform": "Win32"
  },
  "webgl": {
    "vendor": "Google Inc.",
    "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
  },
  "resolution": {
    "dpr": 1.5,
    "screenh": 1080,
    "screenw": 1920,
    "availh": 1040,
    "availw": 1920,
    "innerh": 900,
    "innerw": 1600,
    "outerh": 1040,
    "outerw": 1920
  },
  "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
  "intl": {
    "locale": "en-GB",
    "num_sys": "latn",
    "cal": "gregory",
    "tz": "America/New_York"
  },
  "downlink_error": "navigator.connection is undefined",
  "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
  "nav_lang": "en-GB",
  "page_language_data": {
    "page_language": "en",
    "has_translation": true
  },
  "incognito": {
    "safari": true,
    "chrome_quota": 120,
    "service_worker_undefined": false,
    "is_brave": true
  }
}



You can then make strategic edits to boost trust factors and align with your target profile:

* Hidden text: cannot be quoted. *


Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.

IQqqtYh.png

This process links your fabricated fingerprint to your cookie. The system thinks youre just another legitimate customer instead of the digital con artist you truly are.

Conclusion

Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look – youre altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.

Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking the more precisely you can manipulate it.

Remember: effective digital deception isnt about invisibility – it's about looking so normal they never think to look twice.

Keep in mind we hae barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. Its a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.

See you soon. d0ctrine out.
So fucking useful awesome
 

Kekko

Newbie
Joined
04.03.25
Messages
4
Reaction score
0
Points
1
View attachment 8294🛠️ Tampering Antifraud Requests using Burp Suite 🛠️

Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.

Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.



Intercepting Requests

See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.

Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.


This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.

Bypassing CVV Requirement via Intercept

One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.

Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details – number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.

lH0LEBp.png

The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}

Or replace it with an empty value:
Code:
{"card_number":"4111111111111111","expiry":"12/25""cvv":"","billing_zip":"10001"}

If the merchants backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often dont enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.

Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.

Altering Antifraud Request

Now that you understand the basics of interception let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.

Heres what these scripts typically gather:
  • Browser fingerprints (user agent screen resolution, installed fonts)
  • Hardware details (GPU info via WebGL rendering CPU cores)
  • Mouse movements and click patterns (speed, jitter natural vs. bot-like paths)
  • Typing rhythm (how fast you enter data, pauses between keystrokes)
  • Whether you're using a headless browser or automation tools (Selenium etc.)


All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if youre legit or sketchy.

These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
  • Base64 encode their payloads
  • Use character swapping (like replacing a' with x' and vice versa)
  • Obfuscate their JavaScript code
  • Split data across multiple requests
  • Use custom encoding schemes
But heres the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process which means it's there for the taking if you know where to look.

Practical Example: Riskified in Booking.com

Lets get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures this one actually has some teeth to it.

First, we need to set up interception rules in Burp Suite:
  1. Go to Proxy > Options > Intercept Client Requests
  2. Add a rule: AND domain name matches c.riskified.com
  3. Disable response interception
UBbyfPX.png

Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:

mp84qwV.png


After connecting here, it downloads the JS needed to fingerprint your system. This isnt casual data collection – it's a full digital cavity search that attempts to send everything about you to:

c.riskified.com

Since weve set up interception the fingerprint won't be sent to Riskifieds servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:

nOXNHNL.png

Deobfuscation

Anti-fraud sites obfuscate your fingerprint because if they didnt tampering would be child's play. Its like hiding your house key – sure, it's still there but at least make the thief work for it.

Deobfuscating the code takes skill, but its not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70 just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't:

avqVKui.png

But you know me, I love all of you so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, Ive enabled Riskified but I'll be adding most anti-fraud providers soon.


So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.

ADbPFPq.png

After deobfuscation your fingerprint data appears like an open book.
Code:
{
  "lat": 37.7749,
  "timezone": 240,
  "timestamp": "1689452187394",
  "cart_id": "7629384105",
  "shop_id": "cf.bstatic.com",
  "referrer": "https://secure.booking.com/",
  "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
  "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
  "color_depth": 24,
  "page_id": "9xzp4r",
  "shop": "www.booking.com",
  "hardware_concurrency": 8,
  "has_touch": true,
  "history_length": 7,
  "document_title": "Booking.com",
  "console_error": "console.memory is undefined",
  "battery_error": "Error getBattery()",
  "initial_cookie_state_0": "https",
  "initial_cookie_state_1": "persistent",
  "browser": {
    "productsub": "20030107",
    "is_opr": true,
    "is_firefox": false,
    "ev_len": 42
  },
  "os": {
    "cpu": "Windows NT 10.0",
    "platform": "Win32"
  },
  "webgl": {
    "vendor": "Google Inc.",
    "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
  },
  "resolution": {
    "dpr": 1.5,
    "screenh": 1080,
    "screenw": 1920,
    "availh": 1040,
    "availw": 1920,
    "innerh": 900,
    "innerw": 1600,
    "outerh": 1040,
    "outerw": 1920
  },
  "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
  "intl": {
    "locale": "en-GB",
    "num_sys": "latn",
    "cal": "gregory",
    "tz": "America/New_York"
  },
  "downlink_error": "navigator.connection is undefined",
  "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
  "nav_lang": "en-GB",
  "page_language_data": {
    "page_language": "en",
    "has_translation": true
  },
  "incognito": {
    "safari": true,
    "chrome_quota": 120,
    "service_worker_undefined": false,
    "is_brave": true
  }
}



You can then make strategic edits to boost trust factors and align with your target profile:

* Hidden text: cannot be quoted. *


Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.

IQqqtYh.png

This process links your fabricated fingerprint to your cookie. The system thinks youre just another legitimate customer instead of the digital con artist you truly are.

Conclusion

Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look – youre altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.

Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking the more precisely you can manipulate it.

Remember: effective digital deception isnt about invisibility – it's about looking so normal they never think to look twice.

Keep in mind we hae barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. Its a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.

See you soon. d0ctrine out.
Gg
 

iflaholmaz

Newbie
Joined
01.12.24
Messages
20
Reaction score
6
Points
3
View attachment 8294🛠️ Tampering Antifraud Requests using Burp Suite 🛠️

Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.

Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.



Intercepting Requests

See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.

Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.


This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.

Bypassing CVV Requirement via Intercept

One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.

Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details – number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.

lH0LEBp.png

The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}

Or replace it with an empty value:
Code:
{"card_number":"4111111111111111","expiry":"12/25""cvv":"","billing_zip":"10001"}

If the merchants backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often dont enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.

Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.

Altering Antifraud Request

Now that you understand the basics of interception let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.

Heres what these scripts typically gather:
  • Browser fingerprints (user agent screen resolution, installed fonts)
  • Hardware details (GPU info via WebGL rendering CPU cores)
  • Mouse movements and click patterns (speed, jitter natural vs. bot-like paths)
  • Typing rhythm (how fast you enter data, pauses between keystrokes)
  • Whether you're using a headless browser or automation tools (Selenium etc.)


All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if youre legit or sketchy.

These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
  • Base64 encode their payloads
  • Use character swapping (like replacing a' with x' and vice versa)
  • Obfuscate their JavaScript code
  • Split data across multiple requests
  • Use custom encoding schemes
But heres the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process which means it's there for the taking if you know where to look.

Practical Example: Riskified in Booking.com

Lets get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures this one actually has some teeth to it.

First, we need to set up interception rules in Burp Suite:
  1. Go to Proxy > Options > Intercept Client Requests
  2. Add a rule: AND domain name matches c.riskified.com
  3. Disable response interception
UBbyfPX.png

Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:

mp84qwV.png


After connecting here, it downloads the JS needed to fingerprint your system. This isnt casual data collection – it's a full digital cavity search that attempts to send everything about you to:

c.riskified.com

Since weve set up interception the fingerprint won't be sent to Riskifieds servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:

nOXNHNL.png

Deobfuscation

Anti-fraud sites obfuscate your fingerprint because if they didnt tampering would be child's play. Its like hiding your house key – sure, it's still there but at least make the thief work for it.

Deobfuscating the code takes skill, but its not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70 just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't:

avqVKui.png

But you know me, I love all of you so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, Ive enabled Riskified but I'll be adding most anti-fraud providers soon.


So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.

ADbPFPq.png

After deobfuscation your fingerprint data appears like an open book.
Code:
{
  "lat": 37.7749,
  "timezone": 240,
  "timestamp": "1689452187394",
  "cart_id": "7629384105",
  "shop_id": "cf.bstatic.com",
  "referrer": "https://secure.booking.com/",
  "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
  "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
  "color_depth": 24,
  "page_id": "9xzp4r",
  "shop": "www.booking.com",
  "hardware_concurrency": 8,
  "has_touch": true,
  "history_length": 7,
  "document_title": "Booking.com",
  "console_error": "console.memory is undefined",
  "battery_error": "Error getBattery()",
  "initial_cookie_state_0": "https",
  "initial_cookie_state_1": "persistent",
  "browser": {
    "productsub": "20030107",
    "is_opr": true,
    "is_firefox": false,
    "ev_len": 42
  },
  "os": {
    "cpu": "Windows NT 10.0",
    "platform": "Win32"
  },
  "webgl": {
    "vendor": "Google Inc.",
    "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
  },
  "resolution": {
    "dpr": 1.5,
    "screenh": 1080,
    "screenw": 1920,
    "availh": 1040,
    "availw": 1920,
    "innerh": 900,
    "innerw": 1600,
    "outerh": 1040,
    "outerw": 1920
  },
  "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
  "intl": {
    "locale": "en-GB",
    "num_sys": "latn",
    "cal": "gregory",
    "tz": "America/New_York"
  },
  "downlink_error": "navigator.connection is undefined",
  "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
  "nav_lang": "en-GB",
  "page_language_data": {
    "page_language": "en",
    "has_translation": true
  },
  "incognito": {
    "safari": true,
    "chrome_quota": 120,
    "service_worker_undefined": false,
    "is_brave": true
  }
}



You can then make strategic edits to boost trust factors and align with your target profile:

* Hidden text: cannot be quoted. *


Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.

IQqqtYh.png

This process links your fabricated fingerprint to your cookie. The system thinks youre just another legitimate customer instead of the digital con artist you truly are.

Conclusion

Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look – youre altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.

Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking the more precisely you can manipulate it.

Remember: effective digital deception isnt about invisibility – it's about looking so normal they never think to look twice.

Keep in mind we hae barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. Its a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.

See you soon. d0ctrine out.
ty
 

Toxicjesus

Essential
Joined
08.01.25
Messages
13
Reaction score
1
Points
3
View attachment 8294🛠️ Tampering Antifraud Requests using Burp Suite 🛠️

Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.

Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.



Intercepting Requests

See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.

Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.


This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.

Bypassing CVV Requirement via Intercept

One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.

Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details – number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.

lH0LEBp.png

The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}

Or replace it with an empty value:
Code:
{"card_number":"4111111111111111","expiry":"12/25""cvv":"","billing_zip":"10001"}

If the merchants backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often dont enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.

Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.

Altering Antifraud Request

Now that you understand the basics of interception let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.

Heres what these scripts typically gather:
  • Browser fingerprints (user agent screen resolution, installed fonts)
  • Hardware details (GPU info via WebGL rendering CPU cores)
  • Mouse movements and click patterns (speed, jitter natural vs. bot-like paths)
  • Typing rhythm (how fast you enter data, pauses between keystrokes)
  • Whether you're using a headless browser or automation tools (Selenium etc.)


All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if youre legit or sketchy.

These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
  • Base64 encode their payloads
  • Use character swapping (like replacing a' with x' and vice versa)
  • Obfuscate their JavaScript code
  • Split data across multiple requests
  • Use custom encoding schemes
But heres the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process which means it's there for the taking if you know where to look.

Practical Example: Riskified in Booking.com

Lets get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures this one actually has some teeth to it.

First, we need to set up interception rules in Burp Suite:
  1. Go to Proxy > Options > Intercept Client Requests
  2. Add a rule: AND domain name matches c.riskified.com
  3. Disable response interception
UBbyfPX.png

Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:

mp84qwV.png


After connecting here, it downloads the JS needed to fingerprint your system. This isnt casual data collection – it's a full digital cavity search that attempts to send everything about you to:

c.riskified.com

Since weve set up interception the fingerprint won't be sent to Riskifieds servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:

nOXNHNL.png

Deobfuscation

Anti-fraud sites obfuscate your fingerprint because if they didnt tampering would be child's play. Its like hiding your house key – sure, it's still there but at least make the thief work for it.

Deobfuscating the code takes skill, but its not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70 just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't:

avqVKui.png

But you know me, I love all of you so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, Ive enabled Riskified but I'll be adding most anti-fraud providers soon.


So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.

ADbPFPq.png

After deobfuscation your fingerprint data appears like an open book.
Code:
{
  "lat": 37.7749,
  "timezone": 240,
  "timestamp": "1689452187394",
  "cart_id": "7629384105",
  "shop_id": "cf.bstatic.com",
  "referrer": "https://secure.booking.com/",
  "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
  "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
  "color_depth": 24,
  "page_id": "9xzp4r",
  "shop": "www.booking.com",
  "hardware_concurrency": 8,
  "has_touch": true,
  "history_length": 7,
  "document_title": "Booking.com",
  "console_error": "console.memory is undefined",
  "battery_error": "Error getBattery()",
  "initial_cookie_state_0": "https",
  "initial_cookie_state_1": "persistent",
  "browser": {
    "productsub": "20030107",
    "is_opr": true,
    "is_firefox": false,
    "ev_len": 42
  },
  "os": {
    "cpu": "Windows NT 10.0",
    "platform": "Win32"
  },
  "webgl": {
    "vendor": "Google Inc.",
    "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
  },
  "resolution": {
    "dpr": 1.5,
    "screenh": 1080,
    "screenw": 1920,
    "availh": 1040,
    "availw": 1920,
    "innerh": 900,
    "innerw": 1600,
    "outerh": 1040,
    "outerw": 1920
  },
  "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
  "intl": {
    "locale": "en-GB",
    "num_sys": "latn",
    "cal": "gregory",
    "tz": "America/New_York"
  },
  "downlink_error": "navigator.connection is undefined",
  "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
  "nav_lang": "en-GB",
  "page_language_data": {
    "page_language": "en",
    "has_translation": true
  },
  "incognito": {
    "safari": true,
    "chrome_quota": 120,
    "service_worker_undefined": false,
    "is_brave": true
  }
}



You can then make strategic edits to boost trust factors and align with your target profile:

* Hidden text: cannot be quoted. *


Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.

IQqqtYh.png

This process links your fabricated fingerprint to your cookie. The system thinks youre just another legitimate customer instead of the digital con artist you truly are.

Conclusion

Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look – youre altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.

Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking the more precisely you can manipulate it.

Remember: effective digital deception isnt about invisibility – it's about looking so normal they never think to look twice.

Keep in mind we hae barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. Its a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.

See you soon. d0ctrine out.
leg
 
Top Bottom