Turbo Intruder - Burp Extensions Series

This is part 2 of a series that explores and showcases Burp extensions that help our team be more efficient when performing web application assessments. In this post, we will be showcasing Turbo Intruder.

Turbo Intruder is another great Burp Suite extension that can send a large number of requests at exceptional speed. It can be used to exploit a variety of vulnerabilities, such as race conditions, and it also complements other extensions like HTTP Request Smuggler (stay tuned for part 3!).

Turbo Intruder is really flexible because it allows us to run and store Python scripts that automate attacks. The extension is offered through Burp for free and is authored by James Kettle; you can find its source code on GitHub.

Example

To showcase the plugin, the ACID Flag Bank challenge from 247ctf will be used. Just a quick note: spoilers are ahead, so if you want to try the challenge before continuing, now is the best time to do that!

Challenge explanation - Spoilers
This challenge is a basic banking system where users can transfer money between two accounts with the intent of buying the flag. The flag costs 248 points, but the bank only has 247 points in both accounts. By analysing the code we can easily see that the application is vulnerable to a race condition, since the functions used to transfer money are not thread-safe (they use no locks or mutexes). Before continuing, let's explain what a race condition is.

A race condition is a condition of a program in which its behaviour depends on the relative timing or interleaving of multiple threads or processes. One or more of the possible outcomes may be undesirable, resulting in a bug. We refer to this kind of behaviour as nondeterministic.

Back to the challenge: using the dump GET parameter we can view all funds in the two accounts we control.

Specifying the from, to and amount GET parameters, we can transfer points to and from the accounts.


Using the flag GET parameter and specifying the account with the from GET parameter, we can attempt to buy the flag; the attempt fails due to insufficient funds.


Turbo Intruder

Now let's explain how Turbo Intruder can be used in such instances to exploit race condition vulnerabilities.

Once the request is captured, in the same manner as with other Burp extensions, you can right-click the request and navigate to Extensions > Turbo Intruder > Send to intruder, as shown in the following screenshot.
This gives us the request in the top pane and the Python code editor at the bottom. Using the code editor we can control how Turbo Intruder handles the requests. There are a number of default scripts already written; by selecting the drop-down box you can choose from various attack scenario scripts.

In this particular case, the race.py script is used, which loads all the requests into memory and sends them at the same time in an attempt to trigger the race condition. The script was slightly modified to return responses with a req.status of 200.

Checking our challenge funds again, we can see that an extra 50 points have been added to one of our accounts! We are now able to buy the flag!
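As an added illustration (not code from this post or from the challenge, whose source is not shown here), the following Python model reproduces the lost update described above: two accounts of 247 points each, a transfer that reads the balance, checks it and then writes, and a barrier standing in for the instant at which race.py releases all queued requests. The names Bank, race_transfers and created_points are constructed for the example; the thread-safe variant shows the lock the challenge is missing.

```python
import threading

# Constructed model of the bank as the post describes it: two accounts of 247
# points and a transfer that reads the balance, checks it, then writes.
START_BALANCES = {"A": 247, "B": 247}


class Bank:
    def __init__(self, thread_safe):
        self.balances = dict(START_BALANCES)
        # The fix: one lock serialising the whole check-then-act sequence.
        self.transfer_lock = threading.Lock() if thread_safe else None
        # Credits are atomic even in the vulnerable bank; the only defect
        # modelled is the non-atomic debit.
        self.credit_lock = threading.Lock()
        self.window = None  # barrier holding racers inside the check/write window

    def transfer(self, src, dst, amount):
        if self.transfer_lock is not None:
            with self.transfer_lock:
                return self._debit_then_credit(src, dst, amount, None)
        return self._debit_then_credit(src, dst, amount, self.window)

    def _debit_then_credit(self, src, dst, amount, window):
        balance = self.balances[src]           # 1. read
        if balance < amount:                   # 2. check
            return False
        if window is not None:
            window.wait()                      # all racers are past the check
        self.balances[src] = balance - amount  # 3. write from the stale read
        with self.credit_lock:
            self.balances[dst] += amount
        return True

    def created_points(self):
        """Points that exist now but did not at the start (0 for a sound bank)."""
        return sum(self.balances.values()) - sum(START_BALANCES.values())


def race_transfers(thread_safe, requests, src="A", dst="B", amount=50):
    """Fire `requests` identical transfers at the same instant; return the bank."""
    bank = Bank(thread_safe)
    if not thread_safe:
        bank.window = threading.Barrier(requests)  # assumes amount <= balance
    threads = [threading.Thread(target=bank.transfer, args=(src, dst, amount))
               for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return bank
```

With two racing transfers the vulnerable bank ends with A=197 and B=347, i.e. 50 points created out of nothing, while the locked bank performs both transfers honestly and the total stays at 494.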


This only covered one small instance of Turbo Intruder's usage; for more information please see https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack

© 2021, QSecure

Head Office

109 Prodromou Str. (Office 101),
2064, Strovolos Nicosia, Cyprus

Contact Info

info@qsecure.com.cy
Ph: (+357) 22 028014
