PortSwigger / turbo-intruder

Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
https://portswigger.net/blog/turbo-intruder-embracing-the-billion-request-attack
Apache License 2.0

Turbo Intruder freezing Burp v2023.3.3 on OS X #128

Closed Tib3rius closed 1 year ago

Tib3rius commented 1 year ago

Not sure if this is an issue with Burp or Turbo Intruder, or just OS X. Turbo Intruder is practically unusable for me. It will load ok, and the configuration window works fine, but as soon as an attack starts, the entire Burp interface (including Turbo Intruder) freezes and I'm forced to forcibly exit Burp entirely.

This happens in both the main extension and when attempting to exploit HTTP Request Smuggling findings.

This probably isn't the most helpful bug report but if you want me to try anything and report back, lmk.

Tib3rius commented 1 year ago

Small update. It seems to be working ok when I use the 2023.3.3 community edition of Burp on the same machine, which is interesting. I'll try unloading everything but Turbo Intruder in Pro and see if that fixes anything.

Tib3rius commented 1 year ago

Ok, yeah it works if it's the only extension enabled in Pro. I'll close this issue and see if I can figure out what is interfering with it.

albinowax commented 1 year ago

Interesting, let me know if you find out which extension is responsible. My best guess would be something that messes with the UI, like Sharpener.

HsinTsao commented 1 year ago

I have the same problem, and the entire Burp interface (including Turbo Intruder) will freeze when it starts an attack. OS: MAC, Burp: Pro v2023.5.3, Turbo Intruder: v 1.3.0

Similarly, it works if it's the only extension enabled in Pro.

I tried checking for conflicting plugins, and I found out that when Turbo Intruder works with JWT Editor, this problem occurs.

I think the conflict occurs when other plugins handle the responses generated by turbo intruder attacks.

Turbo Intruder is a great plugin, hope the team can help with this bug.

albinowax commented 1 year ago

Thanks for the info, I'll reopen this until we get it fixed.

albinowax commented 1 year ago

Summary: If you run Turbo Intruder on a request that contains a JWT, and the JWT Editor extension is installed, it causes a full UI deadlock. You can replicate the issue with the default turbo script, and this lab (you need to log in): https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature

Hannah-PortSwigger commented 1 year ago

v1.32 is now released.