Burp Suite Extension – Turbo Intruder To Perform Security Testing on Web Applications

Turbo Intruder is an extension for Burp Suite, the integrated platform for performing security testing of web applications. It sends large numbers of HTTP requests and analyzes the results.

It complements Burp Intruder, handling attacks that call for exceptional speed, duration, or complexity.

The following features set it apart:

Fast – Turbo Intruder uses an HTTP stack hand-coded from scratch with speed in mind. As a result, on many targets it can seriously outpace even fashionable asynchronous Go scripts.

Scalable – Turbo Intruder can achieve flat memory usage, enabling reliable multi-day attacks. It can also be run in headless environments via the command line.

Flexible – Attacks are configured using Python. This enables handling of complex requirements such as signed requests and multi-step attack sequences. Also, the custom HTTP stack means it can handle malformed requests that break other libraries.

Convenient – Boring results can be automatically filtered out by an advanced diffing algorithm adapted from Backslash Powered Scanner.

On the other hand, it’s undeniably harder to use, and the network stack isn’t as reliable and battle-tested as core Burp’s.

How to use Turbo Intruder?

Install Turbo Intruder into Burp Suite using the BApp Store under the Extender tab.

Procedure:

Highlight the area you want to inject over, then right-click and select ‘Send to Turbo Intruder’.

You will see a window containing a Python snippet:

You’ll notice that the area of the request that you highlighted has been replaced with ‘%s’ – this is where your payloads will be placed.
To begin with you’ll probably just want to change ‘/usr/share/dict/words’ to a more suitable wordlist. Other than that the default script should work out of the box for simple use cases.
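
The substitution described above, as an added example that is not part of the original post or Turbo Intruder's own code: an offline preview in Python that fills the ‘%s’ marker from a wordlist and flags entries that would corrupt the request line. The request template, the wordlist entries and the function names are constructed for illustration, and the one-marker and no-whitespace rules are assumptions that fit a payload placed in the URL.

```python
# Added example: offline preview of '%s' payload substitution.
# Nothing here talks to the network or to Burp; all data is constructed.

MARKER = "%s"

# Constructed request template, as it might look after highlighting a query value.
TEMPLATE = (
    "GET /search?q=%s HTTP/1.1\r\n"
    "Host: example.net\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Constructed wordlist lines, with the line endings that reading a file yields.
WORDLIST = ["alpha\n", "beta\r\n", "\n", "two words\n", "gamma\n"]


def clean_payloads(lines):
    """Strip line endings; drop blanks; set aside entries containing whitespace."""
    kept, rejected = [], []
    for line in lines:
        word = line.rstrip("\r\n")
        if not word:
            continue  # blank line in the wordlist
        if any(c in word for c in " \t\r\n"):
            rejected.append(word)  # assumption: payload sits in the request line
        else:
            kept.append(word)
    return kept, rejected


def expand(template, payloads):
    """Return one raw request per payload; refuse templates without a single marker."""
    if template.count(MARKER) != 1:
        raise ValueError("template must contain exactly one %s marker")
    return [template.replace(MARKER, p) for p in payloads]


def preview(template=TEMPLATE, lines=WORDLIST):
    """Return (raw requests that would be built, wordlist entries set aside)."""
    kept, rejected = clean_payloads(lines)
    return expand(template, kept), rejected


if __name__ == "__main__":
    requests, rejected = preview()
    for raw in requests:
        print(raw.splitlines()[0])  # first line of each generated request
    print("rejected:", rejected)
```
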

Command line usage:

From time to time, you might find you want to run Turbo Intruder from a server. To support headless use it can be launched directly from the jar, without Burp.

You’ll probably find it easiest to develop your script inside Burp as usual, then save and launch it on the server like so:

java -jar turbo.jar

Example: java -jar turbo.jar resources/examples/basic.py resources/examples/request.txt https://example.net:443 foo

Pricilla
