
Burp 105 : Burp Suite Repeater Guide

Posted on September 10, 2024

Right-click a request and select Send to Repeater, or use the Action button in the Proxy interception section, to send the request to Repeater, where you can modify and resend it easily.

On the left, you have the request, and if you click Send you will see the response in the middle.

On the right, you have the same Inspector from other tabs which can be used to see information about the request or selected text.

Clicking the gear next to the Send button opens the settings for this Repeater tab. By default, Repeater automatically updates Content-Length, but for attacks like HTTP Request Smuggling, where you need to manipulate Content-Length manually, you can disable the update here. You can also stop Burp Suite from automatically unpacking compressed content in responses.

Follow redirections makes Repeater automatically resubmit the request to the correct location when you receive a redirection. If you keep this disabled, a button to the right of the arrows lets you follow the redirection manually. Process cookies in redirections resubmits any cookies set in the redirect response when Repeater follows the redirection target.

Enforce protocol choice on cross-domain redirections makes Repeater use the protocol selected under Request attributes in the Inspector when it follows any cross-domain redirects. Normally, Repeater negotiates the protocol automatically.

By default, Burp adds a carriage return \r before any newline characters \n. The carriage return line feeds \r\n can be manipulated manually by pressing the \n button on the top right of the request/response section. In the cases where you manipulate these manually, you may want to disable Normalize HTTP/1 line endings for attacks like HTTP Request Smuggling.
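The effect of the Update Content-Length and Normalize HTTP/1 line endings settings described above can be modelled in a few lines. This Python sketch is an added example, not Burp Suite's code: `normalize` approximates the two defaults (leaving the body untouched is an assumption), `audit` lists what a strict front end should flag in a request sent with them off, and the sample request and host name are constructed.

```python
import re

# Constructed sample: bare LF line endings and a stale Content-Length.
SAMPLE = (b"POST /login HTTP/1.1\nHost: app.example\n"
          b"Content-Length: 3\n\nuser=alice&pw=x")

def split_message(raw: bytes):
    """Return (header_section, body); the header section keeps its
    blank-line terminator. Accepts CRLF or bare LF line endings."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return (raw, b"") if m is None else (raw[:m.end()], raw[m.end():])

def content_lengths(head: bytes):
    """Every Content-Length value in the header section, as text."""
    return [v.strip().decode("latin-1")
            for v in re.findall(rb"(?im)^content-length:(.*?)\r?$", head)]

def audit(raw: bytes):
    """Findings a strict front end should raise for a hand-edited request."""
    head, body = split_message(raw)
    findings = []
    if re.search(rb"(?<!\r)\n", head):
        findings.append("bare LF in header section")
    values = content_lengths(head)
    if len(values) > 1:
        findings.append("multiple Content-Length headers")
    for v in values:
        if not (v.isascii() and v.isdigit()) or int(v) != len(body):
            findings.append(
                f"Content-Length {v} does not match body length {len(body)}")
    return findings

def normalize(raw: bytes, fix_line_endings=True, update_content_length=True):
    """Model of the two defaults: CRLF line endings in the header section
    and a recomputed Content-Length. Only an existing header is rewritten."""
    head, body = split_message(raw)
    if fix_line_endings:
        head = re.sub(rb"(?<!\r)\n", b"\r\n", head)
    if update_content_length:
        head = re.sub(rb"(?im)^(content-length:)[^\r\n]*",
                      lambda m: m.group(1) + b" " + str(len(body)).encode(),
                      head)
    return head + body
```

Calling `normalize(SAMPLE, False, False)` returns the request byte for byte, which is the behaviour you get with both settings disabled.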

Continuing with the Repeater settings, Enable HTTP/1 connection reuse and Enable HTTP/2 connection reuse make Repeater reuse the same TCP connection for multiple requests, which increases speed. This is on by default for HTTP/2 connections, but disabled for HTTP/1.

By default, Burp Suite strips the Connection header from HTTP/2 requests. The Connection header is only used for HTTP/1, so servers are supposed to refuse HTTP/2 requests that use it and treat the request as malformed, though some servers are more lenient. If you want to keep the Connection header, you can disable Strip Connection header over HTTP/2.
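The server-side rule mentioned above is spelled out in RFC 9113 (sections 8.2.1 and 8.2.2). This added Python example, not taken from the original post or from any server's code, checks a decoded header list against it; the function name and the sample header lists are constructed for illustration.

```python
# Fields RFC 9113 section 8.2.2 treats as connection-specific in HTTP/2.
CONNECTION_SPECIFIC = {"connection", "proxy-connection", "keep-alive",
                       "transfer-encoding", "upgrade"}

def h2_malformed_reasons(headers):
    """Return why a decoded HTTP/2 header list must be treated as malformed.

    headers: list of (name, value) string pairs, pseudo-headers included.
    An empty result means none of the checks below fired.
    """
    reasons = []
    for name, value in headers:
        # Section 8.2.1: field values must not contain CR, LF or NUL.
        if any(c in value for c in "\r\n\0"):
            reasons.append(f"{name}: value contains CR, LF or NUL")
        if name.startswith(":"):
            continue  # pseudo-header rules are outside this sketch
        # Section 8.2.1: field names must be lowercase on the wire.
        if name != name.lower():
            reasons.append(f"{name}: field name is not lowercase")
        lname = name.lower()
        if lname in CONNECTION_SPECIFIC:
            reasons.append(f"{name}: connection-specific field")
        elif lname == "te" and value.strip().lower() != "trailers":
            # The one exception: TE is allowed, but only with "trailers".
            reasons.append(f"{name}: te may only carry 'trailers'")
    return reasons

# Constructed header lists, as they would look after HPACK decoding.
CLEAN = [(":method", "GET"), (":path", "/"), (":scheme", "https"),
         (":authority", "app.example"), ("te", "trailers")]
KEPT_CONNECTION = CLEAN[:4] + [("connection", "keep-alive"),
                               ("keep-alive", "timeout=5")]
```

A server or front end that gets a non-empty result for a request should reject it rather than forward it, which is the strict behaviour the paragraph above describes.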

Allow HTTP/2 ALPN override can be used to test for hidden HTTP/2 support on servers that claim to only accept HTTP/1.

One last thing to remember with the repeater tab is to change the target when you are trying to change the host. Sometimes you want to try the same request on a different host, and it’s important to update the target when you do so.

If you want to change from HTTP/1.1 to HTTP/2 you can do that in the Request attributes section of the inspector on the right.

The Burp Suite Repeater Component is a versatile tool that empowers you to manipulate and resend HTTP requests, allowing you to test how your application responds to different inputs. It’s perfect for digging deeper into potential vulnerabilities, fine-tuning your attack methods, and gaining a more thorough understanding of how web applications handle requests.

By mastering Repeater, you’ll add another layer of precision to your security testing toolkit. Its simplicity in use, combined with its powerful features, makes it an essential tool for manual testing.

In our next blog, we’ll take a closer look at Burp Suite’s Intruder Component—a feature designed for automating custom attacks and brute-force testing. Stay tuned as we explore how Intruder can help you take your testing to the next level.

Thank you for reading, and as always, happy testing!

Author

  • Rushik Patel