Burp Suite Repeater Tool
Comprehensive guide to using Burp Suite's Repeater tool for manual request manipulation and testing
Repeater is one of Burp Suite's core tools, available in both Community and Professional editions. It allows you to manually manipulate and resend individual HTTP and WebSocket requests, providing a powerful environment for testing web application security.
Overview
Purpose and Functionality
Repeater serves as Burp Suite's manual testing environment:
- Manually modify and resend HTTP/WebSocket requests
- Analyze responses in detail
- Test hypotheses about application behavior
- Refine payloads before using in automated attacks
- Explore application logic and security controls
Unlike automated tools like Scanner or Intruder, Repeater gives you complete control over each request, making it ideal for precise testing and exploration.
Community vs. Professional Edition
The Repeater tool is fully functional in both editions:
Community Edition:
- Full request manipulation capabilities
- Response analysis features
- Multiple request tabs
- Basic rendering options
Professional Edition:
- All Community features
- Enhanced response rendering
- Inspector feature for structured data
- Better integration with other Professional tools
Unlike some other Burp tools, Repeater has no rate limiting in the Community Edition, making it equally powerful for manual testing in both versions.
Getting Started
Basic Usage
Using Repeater
- **Send a request to Repeater**
  - Intercept a request in Proxy
  - Right-click and select "Send to Repeater"
  - Or select from Proxy history or Site map
- **Modify the request**
  - Edit any part of the request (headers, parameters, body)
  - Make precise changes to test specific behaviors
- **Send the request**
  - Click "Send" to transmit the modified request
  - View the response in the right panel
- **Analyze the response**
  - Examine status code, headers, and body
  - Switch between Raw, Pretty, Headers, Hex, and Render views
  - Use search functionality to find specific content
- **Iterate**
  - Make further modifications based on the response
  - Send again to test different inputs or conditions
Interface Overview
Key Interface Elements
Understanding the Repeater interface:
- **Request panel (left)**
  - Raw HTTP request
  - Editable text area
  - Headers and body sections
- **Response panel (right)**
  - Server's response to your request
  - Multiple view options
  - Status code and timing information
- **Request list (top)**
  - Tabs for multiple requests
  - Rename, color-code, and organize requests
  - Add comments for documentation
- **Control buttons**
  - Send: transmit the current request
  - Cancel: stop a pending request
  - Target: configure target host and port
- **View options**
  - Raw: plain text view
  - Pretty: formatted view with syntax highlighting
  - Headers: tabular view of headers
  - Hex: hexadecimal view for binary data
  - Render: browser-like rendering (limited)
The dual-panel interface makes it easy to see the direct relationship between your modifications and the server's responses.
Inspector Panel (Professional)
The Inspector provides structured editing for complex data:
- **Accessing Inspector**
  - Click the "Inspector" button
  - Available in Professional Edition only
- **Request analysis**
  - Query parameters
  - Body parameters
  - Cookies
  - Headers
- **Structured editing**
  - Add, modify, or delete parameters
  - Edit values with proper encoding
  - Switch between different parameter types
- **Content-Type handling**
  - Automatic detection of content types
  - Specialized editors for JSON, XML, etc.
  - Proper encoding and formatting
The Inspector makes it much easier to work with complex requests containing nested data structures or numerous parameters.
Core Functionality
Request Manipulation
Editing HTTP Requests
Techniques for modifying requests:
- **Header manipulation**
  - Add, modify, or remove HTTP headers
  - Test for header-based vulnerabilities
  - Modify authentication tokens
- **Parameter manipulation**
  - Change parameter values
  - Add new parameters
  - Remove or reorder parameters
- **Content-Type changes**
  - Switch between `application/x-www-form-urlencoded` and `multipart/form-data`
  - Convert between formats (JSON, XML, etc.)
  - Test content type validation
- **HTTP method switching**
  - Change between GET, POST, PUT, DELETE, etc.
  - Test method-based access controls
  - Explore REST API functionality
- **Path manipulation**
  - Modify URL paths
  - Test directory traversal
  - Explore path-based access controls
The ability to precisely control every aspect of the request is what makes Repeater such a powerful testing tool.
WebSocket Testing
Working with WebSocket connections:
- **Capturing WebSocket connections**
  - Proxy WebSocket traffic
  - Right-click and send to Repeater
- **Message types**
  - Text messages
  - Binary messages
  - Control frames
- **Manipulating messages**
  - Edit message content
  - Send custom messages
  - Test WebSocket security controls
- **Connection management**
  - Maintain WebSocket connections
  - Reconnect when needed
  - View connection details
WebSocket testing in Repeater allows you to interact with real-time applications and APIs that use this protocol.
Response Analysis
Response Viewing Options
Different ways to analyze responses:
- **Raw view**
  - Complete, unmodified response
  - Headers and body together
  - Useful for seeing exactly what the server returned
- **Pretty view**
  - Syntax highlighting
  - Formatted for readability
  - Collapsible sections for HTML/JSON/XML
- **Headers view**
  - Tabular display of response headers
  - Easy to scan for specific headers
  - Values displayed in a separate column
- **Hex view**
  - Hexadecimal representation
  - Useful for binary data
  - Identifies non-printable characters
- **Render view**
  - Browser-like rendering
  - Limited JavaScript execution
  - Useful for visualizing HTML responses
These different views make it easier to analyze various types of responses and identify security issues.
Search and Compare
Tools for analyzing response content:
- **Search functionality**
  - Find text in responses
  - Regular expression support
  - Case-sensitive options
- **Highlighting**
  - Highlight search matches
  - Color-code important elements
  - Identify patterns across responses
- **Response comparison (with Comparer)**
  - Right-click and select "Send to Comparer"
  - Compare responses side-by-side
  - Identify subtle differences
- **History**
  - View previous requests in the same tab
  - Compare the current response with previous ones
  - Track changes over multiple iterations
These analysis features help identify patterns, anomalies, and security issues in application responses.
Advanced Features
Target Configuration
Configuring Request Targets
Control where requests are sent:
- **Target dialog**
  - Click the "Target" button above the request panel
  - Set host, port, and protocol
  - Configure use of TLS/SSL
- **Host header handling**
  - Update the Host header automatically
  - Override with a custom Host header
  - Test virtual host routing
- **Redirections**
  - Follow redirections automatically
  - Set maximum redirection depth
  - Control whether to stay in target scope
- **Connection settings**
  - Timeout configuration
  - Connection reuse options
  - Proxy settings
Target configuration allows you to test how applications respond to unusual routing scenarios or when accessed through different entry points.
Request History and Management
Working with multiple requests:
- **Tab management**
  - Create multiple tabs for different requests
  - Rename tabs for better organization
  - Color-code tabs by functionality or vulnerability type
- **Request history**
  - Access previous versions of requests in the same tab
  - Revert to earlier versions
  - Compare changes over time
- **Comments and annotations**
  - Add comments to tabs
  - Document findings and test cases
  - Share context with team members
- **Tab groups (Professional)**
  - Organize related requests together
  - Create logical groupings
  - Manage complex testing scenarios
Effective request management helps organize your testing workflow and document your findings.
Integration with Other Tools
Repeater in the Burp Workflow
How Repeater integrates with other Burp tools:
- **Proxy to Repeater**
  - Intercept interesting requests
  - Send to Repeater for manual testing
  - Refine and explore behavior
- **Repeater to Intruder**
  - Develop and test payloads in Repeater
  - Send to Intruder for automation
  - Use successful requests as templates
- **Scanner to Repeater**
  - Investigate Scanner findings
  - Verify vulnerabilities manually
  - Explore edge cases and variants
- **Repeater to Comparer**
  - Send responses to Comparer
  - Analyze differences between responses
  - Identify subtle security issues
- **Decoder integration**
  - Encode/decode values for testing
  - Generate payloads
  - Analyze encoded response data
This integration creates a powerful workflow that combines automated scanning with precise manual testing.
Repeater Extensions
Extend Repeater functionality with BApp Store extensions:
- **Request manipulation extensions**
  - JWT Editor: manipulate JSON Web Tokens
  - Hackvertor: advanced encoding/transformation
  - Custom Parameter Handler: automate parameter updates
- **Response analysis extensions**
  - JSON Beautifier: improved JSON formatting
  - CSRF Scanner: test for CSRF vulnerabilities
  - JS Miner: extract endpoints from JavaScript
- **Specialized testing extensions**
  - GraphQL Raider: test GraphQL APIs
  - AWS Security Checks: test AWS implementations
  - OAuth Handler: test OAuth implementations
Extensions can significantly enhance Repeater's capabilities for specific testing scenarios or technologies.
Testing Techniques
Common Testing Scenarios
Injection Vulnerability Testing
Using Repeater to test for injection flaws:
- **SQL injection**
  - Modify parameters with SQL syntax
  - Look for database errors or behavioral changes
  - Test different contexts (string, numeric, etc.)
  - Example: adding `' or 1=1--` to parameters
- **Cross-site scripting (XSS)**
  - Insert script tags and JavaScript
  - Check if code is reflected in responses
  - Test different contexts (HTML, attributes, JavaScript)
  - Example: `<script>alert(1)</script>` or `"><img src="x" onerror="alert(1)">`
- **Command injection**
  - Add shell commands to parameters
  - Look for command output in responses
  - Test different command separators
  - Example: `; ls -la` or `& whoami`
- **Server-side template injection**
  - Insert template syntax
  - Check for template evaluation
  - Test different template engines
  - Example: `${7*7}` or `{{7*7}}`
Repeater's manual approach allows for precise crafting of payloads and careful analysis of responses.
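The same four payload families are what a defender looks for on the receiving end. As an added example (not part of the original guide), here is a small Python scanner that decodes query parameters from constructed access-log lines and flags values matching those patterns; the log format and the signature regexes are assumptions chosen to mirror the examples above, not a production ruleset.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /search?q=shoes HTTP/1.1" 200',
    '10.0.0.5 - - "GET /search?q=%27+or+1%3D1-- HTTP/1.1" 500',
    '10.0.0.7 - - "GET /profile?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200',
    '10.0.0.9 - - "GET /ping?host=127.0.0.1%3B+ls+-la HTTP/1.1" 200',
    '10.0.0.9 - - "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1" 200',
]

# Indicators for the four injection classes the section lists (assumed, illustrative).
SIGNATURES = {
    "sqli": re.compile(r"'\s*or\s*\d+\s*=\s*\d+|--\s*$|\bunion\s+select\b", re.I),
    "xss": re.compile(r"<\s*script\b|\bonerror\s*=|<\s*img\b", re.I),
    "cmdi": re.compile(r"[;&|`]\s*(ls|whoami|cat|id)\b", re.I),
    "ssti": re.compile(r"\{\{.*?\}\}|\$\{.*?\}"),
}

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_params(target: str) -> dict:
    """URL-decode each query parameter once and return {param: [matched categories]}."""
    hits = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        cats = [cat for cat, rx in SIGNATURES.items() if rx.search(value)]
        if cats:
            hits[name] = cats
    return hits


def scan_log(lines) -> list:
    """Return (line_number, path, {param: categories}) for every suspicious line."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = classify_params(m.group("target"))
        if hits:
            findings.append((n, urlsplit(m.group("target")).path, hits))
    return findings
```

Decoding before matching matters: the raw log line carries `%27+or+1%3D1--`, and a pattern applied to the encoded form would miss it.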
Authentication and Authorization Testing
Testing security controls:
- **Authentication bypass**
  - Manipulate login requests
  - Test for logic flaws
  - Try default or weak credentials
- **Session management**
  - Modify session tokens
  - Test token validation
  - Check for session fixation
- **Access control**
  - Change user identifiers
  - Access resources with different permissions
  - Test horizontal and vertical privilege escalation
- **JWT testing**
  - Modify JWT claims
  - Test signature validation
  - Check for algorithm confusion
- **OAuth and OIDC**
  - Manipulate OAuth parameters
  - Test redirect validation
  - Check token handling
Repeater is ideal for testing authentication and authorization because it allows precise control over credentials and tokens.
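The two JWT checks listed above, signature validation and algorithm confusion, both come down to whether the verifier trusts the token's own `alg` header. Added example, not from the guide or from Burp: a minimal HS256 verifier in Python that enforces an algorithm allowlist before it looks at the signature, so a token rewritten to `alg: none` or to a different algorithm is rejected outright; the key, claims and helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing key; a real service loads this from a secret store.
SERVER_HMAC_KEY = b"constructed-demo-key-do-not-use"
ALLOWED_ALGS = {"HS256"}  # server-side allowlist; the token's alg field is never trusted


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (used here only to construct sample tokens)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the token verifies, otherwise None.

    The algorithm is checked against ALLOWED_ALGS before any signature work,
    which closes 'alg: none' and algorithm-switching bypasses; the HMAC is
    compared in constant time. Malformed input yields None rather than an exception.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") not in ALLOWED_ALGS:
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError, AttributeError):
        return None
```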
API Testing
Testing web APIs:
- **REST API testing**
  - Modify HTTP methods (GET, POST, PUT, DELETE)
  - Test different content types
  - Manipulate API parameters
- **GraphQL testing**
  - Craft custom queries
  - Test query depth and complexity
  - Explore the schema through introspection
- **SOAP/XML testing**
  - Modify XML payloads
  - Test XML parsing
  - Check for XXE vulnerabilities
- **JSON manipulation**
  - Test type confusion
  - Inject unexpected values
  - Explore nested structures
- **API security controls**
  - Test API keys and tokens
  - Check rate limiting
  - Verify content validation
Repeater's flexibility makes it perfect for testing APIs with different protocols and data formats.
Advanced Testing Methods
Testing for Race Conditions
Identifying time-sensitive vulnerabilities:
- **Send group in parallel (Professional)**
  - Select multiple tabs
  - Right-click and choose "Send group in parallel"
  - Analyze responses for inconsistencies
- **Manual timing techniques**
  - Prepare multiple tabs with the same request
  - Send them in quick succession
  - Look for race condition indicators
- **Common race condition scenarios**
  - Account registration
  - Resource allocation
  - Financial transactions
  - File operations
- **Analysis techniques**
  - Compare response times
  - Look for unexpected successes
  - Check for duplicate resource creation
Race condition testing requires careful timing and analysis of how the application handles near-simultaneous requests.
Out-of-Band Testing with Collaborator (Professional)
Testing for vulnerabilities that trigger external interactions:
- **Burp Collaborator integration**
  - Right-click and select "Insert Collaborator payload"
  - Choose the payload type
  - Monitor for interactions
- **Vulnerability types**
  - Server-Side Request Forgery (SSRF)
  - XML External Entity (XXE) injection
  - Blind SQL injection
  - Blind command injection
- **Payload placement**
  - Insert in different request components
  - Test various contexts
  - Try different encoding techniques
- **Analysis techniques**
  - Monitor Collaborator interactions
  - Correlate with specific requests
  - Analyze interaction types (DNS, HTTP, SMTP)
Out-of-band testing is crucial for detecting vulnerabilities that don't produce immediate, observable results in the application's response.
Best Practices
Effective Testing Workflow
Maximize the effectiveness of your testing:
- **Methodical approach**
  - Test one parameter at a time
  - Document findings and observations
  - Use a consistent testing methodology
- **Tab organization**
  - Group related requests
  - Use meaningful tab names
  - Color-code by functionality or vulnerability type
- **Payload refinement**
  - Start with simple tests
  - Refine based on responses
  - Develop targeted payloads
- **Response analysis**
  - Look for subtle differences
  - Pay attention to timing
  - Consider both positive and negative results
- **Integration with other tools**
  - Use Repeater findings to guide automated testing
  - Verify automated findings manually
  - Combine with other Burp tools for comprehensive testing
A systematic approach ensures thorough testing and helps avoid missing potential vulnerabilities.
Ethical Considerations
Responsible use of Repeater:
- **Authorization**
  - Only test applications you own or have permission to test
  - Respect scope limitations
  - Adhere to responsible disclosure policies
- **Impact awareness**
  - Consider the potential impact of your tests
  - Avoid destructive testing in production
  - Be cautious with sensitive functionality
- **Data handling**
  - Respect the privacy of discovered data
  - Secure and properly dispose of findings
  - Report sensitive data exposure responsibly
- **Legal compliance**
  - Understand relevant laws and regulations
  - Document authorization
  - Stay within agreed boundaries
Callout:
Unauthorized testing may violate computer crime laws and could result in civil or criminal penalties.
Troubleshooting
Common Issues and Solutions
Solutions to frequently encountered problems:
- **Connection errors**
  - Check target host and port configuration
  - Verify network connectivity
  - Check for TLS/SSL configuration issues
- **Unexpected responses**
  - Verify all required headers are present
  - Check for session expiration
  - Look for CSRF protection mechanisms
- **Rendering issues**
  - Try different view options
  - Check for content encoding issues
  - Use external tools for complex rendering
- **Performance problems**
  - Close unused tabs
  - Limit response size
  - Increase memory allocation to Burp
- **Content-Length issues**
  - Ensure the Content-Length header is accurate
  - Use the "Update Content-Length" option
  - Check for chunked transfer encoding
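A stale Content-Length after editing a body by hand is the usual cause of hangs, truncated bodies or 400 responses. Added example (not from the guide or from Burp): a Python checker that parses a raw request as it appears in Repeater's Raw view, compares the declared length with the body's real byte length, flags a request that carries both Content-Length and chunked Transfer-Encoding, and rewrites the header the way "Update Content-Length" does; the sample request is constructed.

```python
from typing import Dict, Tuple

# Constructed request: the body was edited (longer credentials) but the header still says 20.
STALE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 20\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)


def parse_request(raw: str) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into request line, headers (names lower-cased) and body bytes."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.encode("utf-8")


def check_content_length(raw: str) -> Dict[str, object]:
    """Compare declared vs. actual body length; also flag Content-Length together with
    chunked Transfer-Encoding, which servers may frame differently and which
    recomputing the length cannot resolve."""
    _, headers, body = parse_request(raw)
    declared = headers.get("content-length")
    declared_int = int(declared) if declared is not None and declared.isdigit() else None
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    return {
        "declared": declared_int,
        "actual": len(body),
        "matches": declared_int == len(body),
        "chunked_and_length": chunked and declared is not None,
    }


def fix_content_length(raw: str) -> str:
    """Rewrite Content-Length to the body's byte length; add it if a body has none."""
    head, sep, body = raw.partition("\r\n\r\n")
    actual = len(body.encode("utf-8"))
    out, seen = [], False
    for line in head.split("\r\n"):
        if line.lower().startswith("content-length:"):
            out.append(f"Content-Length: {actual}")
            seen = True
        else:
            out.append(line)
    if not seen and body:
        out.append(f"Content-Length: {actual}")
    return "\r\n".join(out) + sep + body
```

Lengths are measured in bytes after UTF-8 encoding, which is what the server counts; a character count will be wrong as soon as the body contains non-ASCII text.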
Callout:
Always use Burp Suite Repeater ethically and legally. Only test applications you own or have explicit permission to test. Unauthorized testing may violate laws and regulations.