Day 027 #FromZeroToHacker – Burp Suite Repeater

After covering the Basics of Burp Suite, it is time to dive into one of the more important modules of the framework: The Burp Suite Repeater module.

Time to learn all we can do in today’s #FromZeroToHacker challenge.

Table of contents
Introduction
What I have learnt today?
Stats
Resources

Introduction to Burp Suite

Developed by PortSwigger, Burp Suite is a set of tools used for penetration testing of web applications. Not only is it A set of tools but THE set of tools used for and against hacking.

What is Repeater?

Burp Suite Repeater allows us to craft and/or relay intercepted requests to a target at will: We can take a request from the Proxy module, edit it and send the same requests as many times as we wish.

This ability to edit and resend the same request multiple times makes Repeater ideal for any kind of manual “poking around” at an endpoint.

Burp Suite Repeater interface

We can see 6 main sections:

  1. A list of Repeater requests. We can have not only one, but many open at the same time.
  2. Controls for the current request. We can send or cancel a request, and go forward and backwards in the history.
  3. The Request and Response view. We edit the requests in the Request view, then press send. Immediately, we’ll get the Response in the Response view.
  4. Layout options: Side-by-side, vertical or in separate tabs.
  5. The Inspector, which breaks requests apart so we can analyse and edit them in a more intuitive way than in the raw editor.
  6. Target, displaying the IP address to which we are sending requests.

Basic Usage

While we can craft requests by hand, it is easier to capture a request in the Proxy module, send it through to Repeater, edit it there and finally resend it.

With a captured request in the Proxy, we can send it to Repeater either by right-clicking on the request and choosing Send to Repeater, or by pressing Control + R.

Burp Suite Repeater

The Repeater’s Request section is populated, but the Response section is not. If we click on Send, the Response section populates:

Burp Suite Repeat Response

We can change anything in the Request and then click Send again, and this time we will get a different Response. For example, if we change the Connection header in the request from close to open, the Connection header in the response will change to keep-alive.

Keep Alive
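To make concrete what Repeater does when we press Send (the "What is Repeater" and "Basic Usage" sections above), here is an added Python example; it is not code from the post or from PortSwigger. It builds a raw HTTP/1.1 request byte by byte, sends exactly those bytes over a socket, reads one response back and splits it into status line, headers and body. The target is a constructed local server that mirrors the Connection behaviour described above (a request with Connection: close is answered with close, anything else with keep-alive); the host, port, path and the server itself are assumptions for the demo.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


# Constructed stand-in for the target application (not a real site): it
# answers any GET and mirrors the Connection behaviour the post describes.
class TargetHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        body = f"you requested {self.path}\n".encode()
        wants_close = self.headers.get("Connection", "").lower() == "close"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Connection", "close" if wants_close else "keep-alive")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep the demo quiet
        pass


def start_target():
    """Bind the constructed target on an ephemeral port and serve it in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def build_request(method, path, host, headers=None, body=b""):
    """Assemble a raw HTTP/1.1 request with CRLF line endings, as Repeater sends it."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def send_raw(request, host, port, timeout=5.0):
    """Send the bytes exactly as given and read one complete response.

    Reading stops after Content-Length body bytes, so a keep-alive response
    (where the server deliberately leaves the socket open) cannot hang us.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                return buf
            buf += chunk
        head, body = buf.split(b"\r\n\r\n", 1)
        length = 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        while len(body) < length:
            chunk = sock.recv(4096)
            if not chunk:
                break
            body += chunk
        return head + b"\r\n\r\n" + body


def parse_response(raw):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, body = raw.split(b"\r\n\r\n", 1)
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def repeat_connection_header(value):
    """Resend the same request with a different Connection value (the edit from
    the post) and return the status line and the Connection header we got back."""
    server, port = start_target()
    try:
        req = build_request("GET", "/", f"127.0.0.1:{port}", {"Connection": value})
        status, headers, _ = parse_response(send_raw(req, "127.0.0.1", port))
        return status, headers.get("connection")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for value in ("close", "open"):
        status, conn = repeat_connection_header(value)
        print(f"request Connection: {value:<5} -> {status}, response Connection: {conn}")
```

The point of reading by Content-Length rather than "until the server hangs up" is exactly the keep-alive case: once the response says keep-alive the server will not close the socket, and a reader that waits for EOF stalls, which is the same reason Repeater's own reader parses the framing instead of waiting for the connection to drop.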

Views

We have various ways to present the responses to our requests: from hex output to a fully rendered version of the page. In the response view, we find:

Response Views

Our four options explained:

  1. Pretty: The default option. It takes the raw response and attempts to prettify it.
  2. Raw: The pure, un-prettified response from the server.
  3. Hex: This takes the raw response to give us a byte view of it.
  4. Render: This renders the page as it would appear in our browser.

Normally the Pretty option is the best; however, we may need the other 3 options in some instances.


View options

Under the view buttons, we have 3 buttons:

  1. Enable/Disable line wrapping: when enabled, the content is wrapped to the width of the window.
  2. Show non-printable characters, which lets us see the carriage return and newline (\r\n) at the end of each line.
  3. Message actions, the same menu we get when we right-click a request in the Proxy Intercept section.
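As an added example (not part of the post and not PortSwigger's code), the two functions below reproduce in Python what the Hex view and the "show non-printable characters" toggle do, run over a constructed raw response. The sample response is made up for the demo; it has CRLF line endings in the header section and LF-only endings plus a multi-byte character in the body, which is exactly the kind of detail these two views exist to reveal.

```python
import string

# Constructed raw response (not captured from any real server).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"<html>\n<body>hi\xe2\x82\xac</body>\n</html>"
)

# Bytes we are happy to show as-is; everything else is "non-printable".
PRINTABLE = set(bytes(string.ascii_letters + string.digits + string.punctuation + " ", "ascii"))


def hex_view(raw, width=16):
    """Hex tab: one row per `width` bytes with offset, hex bytes and an ASCII column."""
    rows = []
    for offset in range(0, len(raw), width):
        chunk = raw[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        rows.append(f"{offset:08x}  {hex_part}  {ascii_part}")
    return rows


def show_nonprintable(raw):
    """Non-printable toggle: CR and LF become visible \\r and \\n, every other
    non-printable byte becomes \\xNN, and each LF still ends a displayed line."""
    pieces = []
    for b in raw:
        if b == 0x0D:
            pieces.append("\\r")
        elif b == 0x0A:
            pieces.append("\\n\n")
        elif b in PRINTABLE:
            pieces.append(chr(b))
        else:
            pieces.append(f"\\x{b:02x}")
    return "".join(pieces).split("\n")


if __name__ == "__main__":
    print("\n".join(hex_view(SAMPLE_RESPONSE)))
    print()
    print("\n".join(show_nonprintable(SAMPLE_RESPONSE)))
```

Run it and the header lines end in \r\n while the body lines end in \n alone, and the three bytes of the euro sign show up as \xe2\x82\xac; in the Pretty view none of that is visible, which is why the Raw and Hex views are worth switching to when a response does not behave the way its rendered form suggests.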

Inspector

The Inspector section is a supplement to the Request and Response views of the Repeater window.

Burp Suite Repeater Inspector

We can change the values directly in the Request/Response view, but the Inspector offers us a prettified version of all the data. Request sections can always be altered by adding, editing or deleting items.

The sections available to us are:

  • Request attributes, where we can change the protocol (HTTP/1 or HTTP/2), the method (GET, POST, etc.) and the path.
  • Query parameters, which refer to data being sent to the server in the URL.
  • Body parameters, the same as Query parameters but for POST requests.
  • Request cookies, as you may expect, contain the cookies being sent in each request.
  • Request headers allow us to view, access and modify any headers being sent.
  • Response headers show us the headers that the server sent back in response to our request. Obviously, these can’t be edited as we don’t control (yet!) the server.
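The Inspector's sections map directly onto the structure of a raw request, and an added Python example (not the post's code and not PortSwigger's) makes that mapping explicit: `inspect` breaks a constructed request into request attributes, query parameters, body parameters, cookies and headers, `set_param` edits one item in a section the way we would in the Inspector, and `assemble` rebuilds the raw bytes, regenerating the Cookie and Content-Length headers so they stay consistent with the edits. The host, parameter names and cookie values in the sample are made up.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample request standing in for one captured by Burp's Proxy.
SAMPLE_REQUEST = (
    b"POST /search?q=burp&page=2 HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n"
    b"user=alice&limit=10"
)


def inspect(raw):
    """Break a raw request into the sections the Inspector shows."""
    head, body = raw.split(b"\r\n\r\n", 1)
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, protocol = lines[0].split(" ")
    url = urlsplit(target)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    cookie_header = next((v for n, v in headers if n.lower() == "cookie"), "")
    cookies = [tuple(c.strip().split("=", 1)) for c in cookie_header.split(";") if "=" in c]
    return {
        "attributes": {"method": method, "path": url.path, "protocol": protocol},
        "query": parse_qsl(url.query, keep_blank_values=True),
        "body": parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True),
        "cookies": cookies,
        "headers": headers,
    }


def assemble(sections):
    """Rebuild raw request bytes from (possibly edited) sections.

    The Cookie header is regenerated from the cookies section and
    Content-Length from the actual body, so edits cannot leave them stale.
    """
    attrs = sections["attributes"]
    target = attrs["path"]
    if sections["query"]:
        target += "?" + urlencode(sections["query"])
    body = urlencode(sections["body"]).encode() if sections["body"] else b""
    header_lines = []
    for name, value in sections["headers"]:
        if name.lower() == "cookie":
            value = "; ".join(f"{k}={v}" for k, v in sections["cookies"])
        elif name.lower() == "content-length":
            value = str(len(body))
        header_lines.append(f"{name}: {value}")
    request_line = f"{attrs['method']} {target} {attrs['protocol']}"
    return ("\r\n".join([request_line, *header_lines]) + "\r\n\r\n").encode() + body


def set_param(params, name, value):
    """Replace one name=value pair in a section, or add it if it is missing."""
    updated = [(k, value if k == name else v) for k, v in params]
    if name not in dict(params):
        updated.append((name, value))
    return updated


def edited_request(raw=SAMPLE_REQUEST):
    """Edit a query parameter, a body parameter and a cookie, then reassemble."""
    sections = inspect(raw)
    sections["query"] = set_param(sections["query"], "page", "3")
    sections["body"] = set_param(sections["body"], "limit", "100")
    sections["cookies"] = set_param(sections["cookies"], "theme", "light")
    return assemble(sections)


if __name__ == "__main__":
    print(edited_request().decode())
```

Notice that `assemble(inspect(raw))` returns the original bytes unchanged: the sections are a lossless view of the request, which is what lets the Inspector and the raw editor stay in sync no matter which one we type into.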

Summary

Time for a recap. We have learned about:

  • What is Repeater
  • Basic usage
  • Views and Inspector sections

Stats

From 139.010th to 137.924th. Now I am in the top 7% in TryHackMe!

Here is also the Skill Matrix:

Skill Matrix

Resources

Path: Web Fundamentals

Introduction to Web Hacking

TryHackMe: Burp Suite Repeater

Other resources

PortSwigger: Burp Repeater
Video: Burp for Beginners: How to use Repeater