Turbo Intruder - Burp Extensions Series
![Image](/images/2022/06/14/xturbo-intruder-1.png.pagespeed.ic.QfgqPCk2Lt.png)
Example
To showcase the plugin we will be using the ACID Flag Bank challenge from 247ctf. Just a quick note: spoilers are ahead, so if you want to try the challenge before continuing, now is the best time to do that!
Challenge explanation - Spoilers
Using the `dump` GET parameter we can view all funds in the two accounts we control.
![Image](/images/2022/06/14/xturbo-intruder-2.png.pagespeed.ic.xsaCNmqCdh.png)
Specifying the `from`, `to` and `amount` GET parameters, we can transfer points to and from accounts.
![Image](/images/2022/06/14/xturbo-intruder-3.png.pagespeed.ic.SC31hEiDj5.png)
Using the `flag` GET parameter, and also specifying the account with the `from` GET parameter, we can attempt to buy a flag, unsuccessfully due to insufficient funds.
![Image](/images/2022/06/14/xturbo-intruder-4.png.pagespeed.ic.SbUa-tpqiI.png)
Turbo Intruder
![Image](/images/2022/06/14/xturbo-intruder-5.png.pagespeed.ic.z9GyRb3SKk.png)
`req.status` 200.
![Image](/images/2022/06/14/xturbo-intruder-6.png.pagespeed.ic.74UyphLxed.png)
Checking our challenge funds again, we can see an extra 50 points have been added to one of our accounts! We are now able to buy the flag!
![Image](/images/2022/06/14/xturbo-intruder-7.png.pagespeed.ic.TDjPg_uIal.png)
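One way overlapping transfer requests can leave extra points in an account, shown as an added example that is not code from the challenge or from the original post. It assumes a handler that checks funds, reads both balances and writes them back as separate database steps, and it uses constructed balances of 50 points per account; `transfer_atomic` is the hardened form.

```python
# Added illustration (not the challenge's code): a transfer handler modelled as
# generator steps, so two in-flight requests can be interleaved deterministically.

def transfer_racy(db, src, dst, amount):
    """Assumed handler shape: each DB access is a separate step.
    Every `yield` is a point where the other request may run."""
    if db[src] < amount:          # 1. check funds
        return
    yield
    new_dst = db[dst] + amount    # 2. read destination balance
    yield
    new_src = db[src] - amount    # 3. read source balance
    yield
    db[dst] = new_dst             # 4. write destination
    yield
    db[src] = new_src             # 5. write source

def transfer_atomic(db, src, dst, amount):
    """Hardened form: check and both updates are one uninterruptible step,
    standing in for a transaction that locks both rows."""
    if db[src] >= amount:
        db[src] -= amount
        db[dst] += amount
    yield

def run(handler, schedule):
    """Run two identical 1 -> 2 transfers of 50, stepping them in `schedule` order."""
    db = {1: 50, 2: 50}           # constructed sample balances
    reqs = [handler(db, 1, 2, 50), handler(db, 1, 2, 50)]
    for i in schedule:
        next(reqs[i], None)       # advance request i by one step
    for r in reqs:                # finish anything still pending
        for _ in r:
            pass
    return db

SERIAL = [0, 0, 0, 0, 0, 1, 1, 1, 1, 1]    # request B starts after A is done
OVERLAP = [0, 1, 0, 0, 0, 1, 1, 0, 1, 1]   # B passes the check before A debits

if __name__ == "__main__":
    for name, handler, sched in [("racy/serial", transfer_racy, SERIAL),
                                 ("racy/overlap", transfer_racy, OVERLAP),
                                 ("atomic/overlap", transfer_atomic, OVERLAP)]:
        db = run(handler, sched)
        print(f"{name:15} {db} total={sum(db.values())}")
```

A cheap server-side check for this class of bug is the invariant that the sum of all balances never changes across transfers.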
This only covered one small instance of Turbo Intruder's usage. For more information, please check https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack