• Stars
    star
    1,112
  • Rank 41,754 (Top 0.9 %)
  • Language
    Kotlin
  • License
    Apache License 2.0
  • Created almost 6 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.

Turbo Intruder

Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results. It's intended to complement Burp Intruder by handling attacks that require exceptional speed, duration, or complexity. The following features set it apart:

  • Fast - Turbo Intruder uses a HTTP stack hand-coded from scratch with speed in mind. As a result, on many targets it can seriously outpace even fashionable asynchronous Go scripts.
  • Scalable - Turbo Intruder can achieve flat memory usage, enabling reliable multi-day attacks. It can also be run in headless environments via the command line.
  • Flexible - Attacks are configured using Python. This enables handling of complex requirements such as signed requests and multi-step attack sequences. Also, the custom HTTP stack means it can handle malformed requests that break other libraries.
  • Convenient - Boring results can be automatically filtered out by an advanced diffing algorithm adapted from Backslash Powered Scanner. This means you can launch an attack and obtain useful results in two clicks.

On the other hand it's undeniably harder to use, and the network stack isn't as reliable and battle-tested as core Burp's. As this is a tool for advanced users only I am not going to provide personal support to anyone having trouble using it. Also I should mention it's designed for sending lots of requests to a single host. If you want to send a single request to a lot of hosts, I recommend ZGrab.

Documentation

To get started with Turbo Intruder, please refer to the video and documentation at https://portswigger.net/blog/turbo-intruder-embracing-the-billion-request-attack

Development

Build using:

Linux: ./gradlew build fatjar

Windows: gradlew.bat build fatjar

Grab the output from build/libs/turbo-intruder-all.jar

More Repositories

1

param-miner

Java
1,001
star
2

http-request-smuggler

Java
950
star
3

backslash-powered-scanner

Finds unknown classes of injection vulnerabilities
Java
626
star
4

xss-cheatsheet-data

This repository contains all the XSS cheatsheet data to allow contributions from the community.
397
star
5

collaborator-everywhere

A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator
Java
395
star
6

hackability

Probe a rendering engine for vulnerabilities and other features
JavaScript
366
star
7

BChecks

BChecks collection for Burp Suite Professional
320
star
8

bypass-bot-detection

Burp Suite extension that mutates ciphers to bypass TLS-fingerprint based bot detection
Java
186
star
9

dastardly-github-action

Runs a scan using Dastardly by Burp Suite against a target site and creates a JUnit XML report for the scan on completion.
Dockerfile
126
star
10

portable-data-exfiltration

This repo contains all the injections mentioned in my talk and enumerators.
JavaScript
87
star
11

distribute-damage

Evenly distributes scanner load across targets
Java
80
star
12

httpoxy-scanner

A Burp Suite extension that checks for the HTTPoxy vulnerability.
Java
76
star
13

replicator

Burp extension to help developers replicate findings from pen tests
Java
64
star
14

burp-extensions-montoya-api

Burp Extensions Api
Java
64
star
15

burp-extender-api

Burp Wiener API (Legacy)
Java
54
star
16

python-scripter

Sourced from gist: https://gist.github.com/mwielgoszewski/7026954
Python
51
star
17

css-exfiltration

HTML
46
star
18

serialization-examples

Java
33
star
19

aws-security-checks

AWS Security Checks
Python
31
star
20

example-hello-world

Java
31
star
21

burp-extensions-montoya-api-examples

Examples for using the Montoya API with Burp Suite
Java
20
star
22

example-intruder-payloads

Java
19
star
23

example-scanner-checks

Java
18
star
24

reflected-parameters

Java
18
star
25

nice-script

A JavaScript sandbox using proxies
JavaScript
17
star
26

custom-logger

Java
16
star
27

example-custom-editor-tab

Java
15
star
28

example-event-listeners

Java
15
star
29

bseept

Burp Suite Enterprise Edition Power Tools
Python
13
star
30

research-labs

This repository contains a number of insecure self-hosted applications that allows interested security engineers to test vulnerabilities found by Portswigger Research team.
TypeScript
13
star
31

3d-css-tutorial

HTML
12
star
32

example-custom-scan-insertion-points

Java
12
star
33

waf-detect

Burp app (BApp) for detecting WAF fingerprints
Java
8
star
34

enterprise-reference-stack-for-aws

Smarty
7
star
35

viewstate-editor

Burp extension to add a view state tab to the message editor
Java
6
star
36

random-ip-address-header

Java
5
star
37

html5-auditor

Java
5
star
38

certsquirt

A golang PKI in less than 1000 lines of code.
Go
3
star
39

example-custom-session-tokens

Java
2
star
40

example-custom-logger

Java
2
star
41

manual-scan-issues

Java
2
star
42

websphere-portlet-state-decoder

Python
1
star
43

burp-jenkins-integration

Enterprise integration with Jenkins
Java
1
star
44

open-day

1
star
45

enterprise-helm-charts

Helm charts for BSEE Kubernetes installation.
Smarty
1
star