One of these features of Burp Suite is Repeater. Burp (Request) Repeater is a tool that lets you modify and resend any HTTP or WebSocket message over and over again.
You can use Burp Repeater for many purposes, such as:
- Testing for input-based vulnerabilities by changing parameter values in a request.
- Testing for vulnerabilities in multistep processes or connection state by sending a series of requests in a specific order.
- Verifying issues reported by Burp Scanner by manually sending the same request with or without modifications.
- Experimenting with different payloads and techniques to exploit vulnerabilities.
In this guide, we will show you how to use Repeater tab to test and find bugs in web applications.
Sending requests to Burp Repeater
To use Burp Repeater, you need to send a request that you want to modify and resend. You can send requests to Burp Repeater from different sources, such as:
- Proxy tab: shows all the web traffic that passes through Burp Suite.
- Target tab: shows the structure and content of the web applications that you have visited through Burp Suite.
- Scanner tab: shows the results of automated vulnerability scans performed by Burp Suite.
- Intruder tab: shows the results of automated attacks performed by Burp Suite.
- Repeater tab: shows all the tabs that you have opened in Burp Repeater.
You can right-click on any request or response in the HTTP history or intercept sub-tabs and select Send to Repeater. This will open a new tab in Burp Repeater with the selected message.
Working with HTTP requests in Burp Repeater
Once you have sent a request to Burp Repeater, you can start working with it. You can see the request and response messages in two panels.
HTTP request panel
You can modify the request message in the top panel by editing the text or using the context menu options. For example, you can:
- Change the HTTP method, URL, protocol, headers, or body of the request.
- Encode or decode the request using different formats, such as URL, HTML, Base64, etc.
- Add or remove parameters from the request using the Add/Remove Parameter option.
- Add or remove cookies from the request using the Add/Remove Cookie option.
- Add or remove headers from the request using the Add/Remove Header option.
- Add or remove authorization credentials from the request using the Add/Remove Authorization option.
You can also use keyboard shortcuts to perform common actions, such as:
Ctrl + R
: Send the current request to (new) Repeater.
Ctrl + Space
: Send the current request and receive a response.
Ctrl + Shift + R
:
Switch to repeater.
You can switch between different views of the response using the tabs at the bottom of the panel. For example, you can:
- See the raw response in the Raw tab. (
Alt + 1
)
- See a parsed view of the response headers and body in the Params tab. (
Alt + 2
)
- See a rendered view of the response in the Render tab. This can be useful for testing for XSS vulnerabilities or viewing HTML pages. (
Alt + 3
)
- See a hex view of the response in the Hex tab. This can be useful for viewing binary data or non-textual content. (
Alt + 4
)
You can switch between different views of the response using the tabs at the bottom of the panel. For example, you can:
- See the raw response in the Raw tab. (
Alt + 1
)
- See a parsed view of the response opcode and payload in the Parsed tab. (
Alt + 2
)
- See a hex view of the response in the Hex tab. (
Alt + 3
)
Intercept WebSocket requests
Burp Repeater also supports WebSocket messages. WebSocket is a protocol that allows bidirectional communication between a web browser and a web server. It is often used for real-time applications, such as chat, games, or notifications.
Once you have enabled WebSocket interception, you can send WebSocket messages to Burp Repeater from
The Proxy > WebSockets history sub-tab: This sub-tab shows all the WebSocket messages that have passed through Burp Suite. You can right-click on any message and select Send to Repeater. This will open a new tab in Burp Repeater with the selected message.
The main difference between HTTP and WebSocket messages is that WebSocket messages have an opcode instead of a method. The opcode is a number between 0
and 15
that indicates the type and purpose of the message. You can find more details about the opcodes in RFC 6455.
Configuring Burp Repeater settings
Configuring Burp Repeater settings can help you fine-tune your testing and customize your user experience. To access these settings, go to the Repeater > Settings Windows.
Repeater Settings
Some of the settings that you can configure are:
- Connection timeout: The time in milliseconds that a Burp Repeater will wait for a connection to be established before giving up.
- Socket timeout: The time in milliseconds that the Burp Repeater will wait for a response from the server before giving up.
- Follow redirections: Whether Burp Repeater will automatically follow HTTP redirections (status codes 3xx) or not.
- Unpack GZIP/deflate responses: Whether Burp Repeater will automatically decompress responses that are compressed using GZIP or deflate encoding or not.
You can also configure some tab-specific settings by right-clicking on any tab and selecting Tab settings. This will open a new window where you can change the following settings for the selected tab:
- Host: The host name or IP address of the server to connect to.
- Port: The port number of the server to connect to.
- Protocol: The protocol to use for the connection: HTTP, HTTPS, WS, or WSS.
Conclusion
Burp Repeater is a powerful tool that enables you to manually manipulate and replay web requests and responses. It can help you discover and exploit vulnerabilities in web applications that require fine-grained control and precision.
We hope you have enjoyed this guide and learned something new. Be ethical and happy hacking!