FAQ: Tampering antifraud requests using Burp Suite (2025) (http://txgate.io:443/showthread.php?t=51301143)

spalr 06-09-2025 07:24 AM

<div id="post_message_796316">

Lots of people have been asking me for some time now for more guides on how to use <font color="#00BFFF">Burp</font>. So I figured I'd finally cave and drop some knowledge on one of the most <font color="#00FF00">powerful tools</font> in your digital arsenal.<br/>
<br/>
<font color="#00BFFF">Burp</font> is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check <font color="#FF8C00">vulnerabilities</font>, find hidden endpoints, manipulate web traffic and fuck with those <font color="#FF4500">pesky antifraud systems</font> blocking your cards. When you know what you're doing, the possibilities are extensive.<br/>
<br/>
<div align="center"><img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/QFp7MYS9/image.png"/></div><br/>
<font size="5"><font color="#f4a460">Intercepting Requests</font></font><br/>
See, when you browse any website, there's a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend), which process them and send back responses. It's a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.<br/>
<br/>
<font color="#00BFFF">Burp Suite</font> plants itself right in the middle of this conversation as a <font color="#FF8C00">proxy</font>. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly, you can pause this conversation, edit what's being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.<br/>
<br/>
<div align="center"><img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/MxYQT9nV/image.png"/></div><br/>
This matters because when shopping online, your browser isn't just talking to the main website. It's also sending data to hidden <font color="#FF4500">antifraud systems</font> like <a href="https://stripe.com/radar" target="_blank">Stripe Radar</a> or <a href="https://www.forter.com/" target="_blank">Forter</a> that analyze whether you're legitimate or some <font color="#FF4500">bot-using scammer</font>. With <font color="#00BFFF">Burp</font>, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.<br/>
<br/>
<font color="#f4a460"><font size="5">Bypassing CVV Requirement via Intercept</font></font><br/>
One common application of <font color="#00BFFF">Burp</font>, especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers, but most sites require CVV, which is why <font color="#00BFFF">Burp</font> became such a valuable tool.<br/>
<br/>
Here's the dirty little secret: When you submit payment info at checkout, your browser sends a POST request containing all your card details – number, expiry, CVV, the works. Using <font color="#00BFFF">Burp's</font> Intercept feature, you can catch this request before it reaches the server and edit that shit however you want.<br/>
<br/>
<div align="center"><img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/sJmrf9ry/image.png"/></div><br/>
The trick is to either remove the CVV field entirely:<br/>
<div style="margin:20px; margin-top:5px">
<div class="smallfont" style="margin-bottom:2px">Code:</div>
<pre class="alt2" dir="ltr" style="
margin: 0px;
padding: 6px;
border: 1px solid rgb(0, 0, 0);
width: 640px;
height: 34px;
text-align: left;
overflow: auto;
background: rgb(37, 37, 37) none repeat scroll 0% 0%;
border-radius: 5px;
font-size: 11px;
text-shadow: none;">{"card_number":"4111111111111111","expiry": "12/25","billing_zip":"10001"}</pre>
</div>Or replace it with an empty value:<br/>
<div style="margin:20px; margin-top:5px">
<div class="smallfont" style="margin-bottom:2px">Code:</div>
<pre class="alt2" dir="ltr" style="
margin: 0px;
padding: 6px;
border: 1px solid rgb(0, 0, 0);
width: 640px;
height: 34px;
text-align: left;
overflow: auto;
background: rgb(37, 37, 37) none repeat scroll 0% 0%;
border-radius: 5px;
font-size: 11px;
text-shadow: none;">{"card_number":"4111111111111111","expiry": "12/25","cvv":"","billing_zip":"10001"}</pre>
</div>If the merchant's backend validation is garbage (and you'd be amazed how many major retailers fuck this up), the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often don't enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.<br/>
<br/>
Other major retailers have similar <font color="#FF8C00">vulnerabilities</font> that Binners exploit to use their generated cards without any CVVs.<br/>
<br/>
<font color="#f4a460"><font size="5">Altering Antifraud Request</font></font><br/>
Now that you understand the basics of interception, let's step it up. We all know modern antifraud systems are <font color="#FF4500">sneaky motherfuckers</font>. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.<br/>
<br/>
Here's what these scripts typically gather:<ul><li><font color="#FF8C00">Browser fingerprints</font> (user agent, screen resolution, installed fonts)</li>
<li><font color="#FF8C00">Hardware details</font> (GPU info via WebGL rendering, CPU cores)</li>
<li><font color="#FF8C00">Mouse movements</font> and click patterns (speed, jitter, natural vs. bot-like paths)</li>
<li><font color="#FF8C00">Typing rhythm</font> (how fast you enter data, pauses between keystrokes)</li>
<li>Whether you're using a <font color="#FF8C00">headless browser</font> or automation tools (Selenium etc.)</li>
</ul><br/>
<div align="center"><img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/39qJfH6G/image.png"/></div><br/>
All this data gets packaged and sent to their servers (like m.stripe.com for <font color="#00BFFF">Stripe</font> or forter.com endpoints) where AI systems decide if you're legit or sketchy.<br/>
<br/>
<div align="center"><img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/xqysnmHF/image.png"/></div><br/>
These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:<ul><li><font color="#FF8C00">Base64 encode</font> their payloads</li>
<li>Use <font color="#FF8C00">character swapping</font> (like replacing 'a' with 'x' and vice versa)</li>
<li><font color="#FF8C00">Obfuscate</font> their JavaScript code</li>
<li>Split data across <font color="#FF8C00">multiple requests</font></li>
<li>Use <font color="#FF8C00">custom encoding schemes</font></li>
</ul>But here's the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process, which means it's there for the taking if you know where to look.<br/>
<br/>
<font color="#f4a460"><font size="5">Practical Example: Riskified in Booking.com</font></font><br/>
Let's get our hands dirty with <a href="https://www.riskified.com/" target="_blank">Riskified</a>, one of the more <font color="#FF4500">notorious fraud prevention systems</font> that's been cockblocking carders left and right. Unlike some half-assed security measures, this one actually has some teeth to it.<br/>
<br/>
<div align="center"><img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/fG43mMKk/image.png"/></div><br/>
First, we need to set up interception rules in <font color="#00BFFF">Burp Suite</font>:<ol style="list-style-type: decimal"><li>Go to Proxy &gt; Options &gt; Intercept Client Requests</li>
<li>Add a rule: AND domain name matches c.riskified.com</li>
<li>Disable response interception</li>
</ol><br/>
<div align="center"><img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/cSLPWXcM/image.png"/></div><br/>
Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:<br/>
<br/>
<div align="center"><img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/VY1gH4H9/image.png"/></div><br/>
<b><font color="#FFFF00"><a href="https://beacon.riskified.com/" target="_blank">https://beacon.riskified.com/</a></font></b><br/>
After connecting here, it downloads the JS needed to fingerprint your system. This isn't casual data collection – it's a full digital cavity search that attempts to send everything about you to:<br/>
<font color="#FFFF00">c.riskified.com</font><br/>
Since we've set up interception, the fingerprint won't be sent to <font color="#00BFFF">Riskified's</font> servers. If you check the HTTP logs panel, you'll see it trying to send an <font color="#FF8C00">obfuscated payload</font> containing your digital DNA:<br/>
<br/>
<div align="center"><img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/G4zKvv4n/image.png"/></div><br/>
<font size="5"><font color="#f4a460">Deobfuscation</font></font><br/>
Anti-fraud sites obfuscate your fingerprint because if they didn't, tampering would be child's play. It's like hiding your house key – sure, it's still there, but at least make the thief work for it.<br/>
<br/>
Deobfuscating the code takes skill, but it's not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70, just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encoding), it isn't:<br/>
<br/>
<div align="center"><img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/TqcGZZZh/image.png"/></div><br/>
After deobfuscation your fingerprint data appears like an open book.<br/>
<div style="margin:20px; margin-top:5px">
<div class="smallfont" style="margin-bottom:2px">Code:</div>
<pre class="alt2" dir="ltr" style="
margin: 0px;
padding: 6px;
border: 1px solid rgb(0, 0, 0);
width: 640px;
height: 498px;
text-align: left;
overflow: auto;
background: rgb(37, 37, 37) none repeat scroll 0% 0%;
border-radius: 5px;
font-size: 11px;
text-shadow: none;">{
"lat": 37.7749,
"timezone": 240,
"timestamp": "1689452187394",
"cart_id": "7629384105",
"shop_id": "cf.bstatic.com",
"referrer": "https://secure.booking.com/",
"href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
"riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
"color_depth": 24,
"page_id": "9xzp4r",
"shop": "www.booking.com",
"hardware_concurrency": 8,
"has_touch": true,
"history_length": 7,
"document_title": "Booking.com",
"console_error": "console.memory is undefined",
"battery_error": "Error getBattery()",
"initial_cookie_state_0": "https",
"initial_cookie_state_1": "persistent",
"browser": {
"productsub": "20030107",
"is_opr": true,
"is_firefox": false,
"ev_len": 42
},
"os": {
"cpu": "Windows NT 10.0",
"platform": "Win32"
},
"webgl": {
"vendor": "Google Inc.",
"renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
},
"resolution": {
"dpr": 1.5,
"screenh": 1080,
"screenw": 1920,
"availh": 1040,
"availw": 1920,
"innerh": 900,
"innerw": 1600,
"outerh": 1040,
"outerw": 1920
},
"date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
"intl": {
"locale": "en-GB",
"num_sys": "latn",
"cal": "gregory",
"tz": "America/New_York"
},
"downlink_error": "navigator.connection is undefined",
"nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
"nav_lang": "en-GB",
"page_language_data": {
"page_language": "en",
"has_translation": true
},
"incognito": {
"safari": true,
"chrome_quota": 120,
"service_worker_undefined": false,
"is_brave": true
}
}</pre>
</div>You can then make strategic edits to boost <font color="#00FF00">trust factors</font> and align with your target profile which I will cover in the future too, but it shouldn't be that hard to know which things to alter. Just look at the data and use your gigabrain.<br/>
<br/>
Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.<br/>
<br/>
<div align="center"><img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/WvbSXj4T/image.png"/></div><br/>
This process links your fabricated fingerprint to your cookie. The system thinks you're just another <font color="#00FF00">legitimate customer</font> instead of the digital con artist you truly are.<br/>
<br/>
<font size="5"><font color="#f4a460">Conclusion</font></font><br/>
Manipulating antifraud systems with <font color="#00BFFF">Burp Suite</font> is like having a digital disguise kit. You're not just changing how you look – you're altering what the security cameras see. By positioning <font color="#00BFFF">Burp</font> between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect. <br/>
<br/>
Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your <font color="#00BFFF">Burp</font> logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking the more precisely you can manipulate it.<br/>
<br/>
Remember: effective digital deception isn't about invisibility – it's about looking so normal they never think to look twice.<br/>
<br/>
Keep in mind we have barely scratched the surface of what <a href="https://portswigger.net/burp" target="_blank">Burp Suite</a> can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. It's a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.<br/>
<br/>
See you soon. <img alt="" border="0" class="inlineimg" src="images/smilies/yoba.png" title="Yoba"/>
</div>
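
For merchants reading the post above: the two backend weaknesses it describes (a checkout that accepts a request with the CVV key removed or empty, and a shop that trusts item prices sent by the client) are closed by validating every request on the server. The following is an added example, not code from the post or from any vendor; the catalogue, field names and function names are assumptions modelled on the JSON shown in the post.

```python
import re

# Constructed server-side catalogue: authoritative prices in cents.
CATALOG = {"sku-100": 1999, "sku-200": 4500}

REQUIRED_FIELDS = ("card_number", "expiry", "cvv", "billing_zip")
CVV_RE = re.compile(r"\d{3,4}")
EXPIRY_RE = re.compile(r"(0[1-9]|1[0-2])/\d{2}")


class CheckoutRejected(ValueError):
    """Raised when a checkout request fails server-side validation."""


def validate_payment_fields(payload: dict) -> None:
    """Reject a request whose card fields are absent, empty or malformed."""
    for field in REQUIRED_FIELDS:
        value = payload.get(field)
        # A removed key (None) and an empty string are treated the same way.
        if not isinstance(value, str) or not value.strip():
            raise CheckoutRejected(f"missing or empty field: {field}")
    if not CVV_RE.fullmatch(payload["cvv"]):
        raise CheckoutRejected("cvv must be 3 or 4 digits")
    if not EXPIRY_RE.fullmatch(payload["expiry"]):
        raise CheckoutRejected("expiry must be MM/YY")


def order_total_cents(cart) -> int:
    """Price the cart from CATALOG; any client-sent 'price' key is ignored."""
    if not isinstance(cart, list) or not cart:
        raise CheckoutRejected("cart is empty")
    total = 0
    for line in cart:
        sku = line.get("sku") if isinstance(line, dict) else None
        qty = line.get("qty") if isinstance(line, dict) else None
        if not isinstance(sku, str) or sku not in CATALOG:
            raise CheckoutRejected("unknown sku")
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise CheckoutRejected("quantity must be a positive integer")
        total += CATALOG[sku] * qty
    return total


def process_checkout(payload: dict) -> int:
    """Validate the request, then return the amount (cents) to charge."""
    validate_payment_fields(payload)
    return order_total_cents(payload.get("cart"))
```

Format validation only guarantees that a CVV is present; the payment gateway account must also be set to require CVV and to decline when the issuer reports a mismatch.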

