PortSwigger / turbo-intruder

Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
https://portswigger.net/blog/turbo-intruder-embracing-the-billion-request-attack
Apache License 2.0

Attack continues to run after halt #137

Closed austinbentlee closed 1 year ago

austinbentlee commented 1 year ago

Hello,

The following script continues to run after halting:

```python
import time

def queueRequests(target, wordlists):
    for a in range(0, 100):
        time.sleep(1)
        print("Proof of concept: " + str(a))

def handleResponse(req, interesting):
    pass
```

Is it possible to un-load the Jython engine once the "halt" button is pressed? Or, alternatively, could we receive an API call to determine if the attack has been halted?

PS: The reason why I'm wanting to do blocking behavior inside of the queueRequests() function is because I'm trying to perform a race condition multiple times. If there is a better way of doing this, I'd be open to hearing about it.

albinowax commented 1 year ago

You can query engine.engine.attackState.get() to see if the attack is cancelled. However, this usually isn't necessary because Turbo automatically checks this before it sends every request.

A better approach for blocking behaviour would be to use req.engine.queue() inside the handleResponse callback.
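
A halt-aware version of the blocking loop from the question, built on the attackState query mentioned in the reply. This is an added example, not code from the issue or from Turbo Intruder; the helper names (attack_halted, interruptible_sleep, run_rounds) and the value 3 for the cancelled state are assumptions to check against the Turbo Intruder version in use.

```python
import time

# Assumption: Turbo Intruder numbers a halted attack as state 3; confirm
# against the RequestEngine source of the version you run.
CANCELLED = 3

def attack_halted(engine):
    """True once halt was pressed; `engine` is what RequestEngine(...) returned."""
    return engine.engine.attackState.get() == CANCELLED

def interruptible_sleep(engine, seconds, step=0.1):
    """Sleep up to `seconds`, polling every `step`; False means halted."""
    deadline = time.time() + seconds
    while time.time() < deadline:
        if attack_halted(engine):
            return False
        time.sleep(min(step, max(0.0, deadline - time.time())))
    return not attack_halted(engine)

def run_rounds(engine, request, rounds, pause):
    """Queue one request per round with a pause between rounds.
    Returns the number of rounds queued before finishing or being halted."""
    queued = 0
    for i in range(rounds):
        if attack_halted(engine):
            break
        engine.queue(request)
        queued += 1
        # No pause after the final round; a halt during the pause ends the loop.
        if i + 1 < rounds and not interruptible_sleep(engine, pause):
            break
    return queued

def queueRequests(target, wordlists):
    # RequestEngine is injected into the script by Turbo Intruder.
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=1)
    print("Rounds queued: " + str(run_rounds(engine, target.req, 100, 1)))

def handleResponse(req, interesting):
    table.add(req)  # `table` is also injected by Turbo Intruder
```

Polling in short steps instead of one long time.sleep() means the script returns from queueRequests within about a tenth of a second of the halt button being pressed.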