
Turbo Intruder: Abusing HTTP Misfeatures to Accelerate Attacks by James Kettle

 

Automated web application attacks are terminally limited by the number of HTTP requests they can send. It’s impossible to know how many hacks have gone off the rails because you didn’t quite manage to bruteforce a password, missed a race condition, or failed to find a crucial folder. In this session I’ll introduce, demo and distribute Turbo Intruder – a research grade Burp extension built from scratch with speed in mind. Most tools struggle to reach 1,000 HTTPS requests per second (RPS), whereas Turbo Intruder uses a selection of custom HTTP stacks to exceed 30,000 RPS while minimising the chance of your router exploding. It’s also designed to be fully extensible so you can easily launch multi-step attacks and filter responses. As well as showing how to use the tool, I’ll discuss the underlying HTTP abuse that enables it to go so fast, so you can attain similar speeds in any tools you happen to write. Finally, I’ll cover some new research I’m currently pursuing on generating context-aware payloads and automatically identifying interesting responses.
