Burp Repeater help

Contents

Using Burp Repeater
Options
 

Using Burp Repeater

Burp Repeater is a tool for manually modifying and reissuing individual HTTP requests, and analysing their responses. It is best used in conjunction with the other Burp Suite tools. For example, you can send a request to Repeater from the target site map, from the Burp Proxy browsing history, or from the results of a Burp Intruder attack, and manually adjust the request to fine-tune an attack or probe for vulnerabilities.

When you send a request to Repeater from another tool, that request gets its own tab. Each tab has its own request and response windows, and its own history. The top half of the panel allows you to configure the target host and port, and the details of your request. You can complete this information manually; when you send a request from another Burp Suite tool, the relevant details are all completed for you.

When you have configured a request, click the "go" button to send it to the server. The response is displayed in the bottom half of the panel. For both requests and responses, various views of the message are available:

  • raw - This displays the message in plain text form. At the bottom of the text pane is a search and highlight function which can be used to quickly locate interesting strings within the message, such as error messages. An options pop-up on the left of the search bar lets you control case sensitivity, and whether to use simple text or regex search.
  • params - For requests containing parameters (within the URL query string, the Cookie header, or the message body), this tab analyses the parameters into name/value pairs and allows these to be easily viewed and modified.
  • headers - This shows the HTTP headers of the message as name/value pairs, and also displays any message body in raw form.
  • hex - This allows direct editing of the raw binary data that makes up the message. Certain types of traffic (e.g. multipart browser requests carrying file uploads) contain binary content that may be corrupted if modified in the text editor. To modify this type of message, the hex editor should be used.
  • HTML / XML - For responses containing content in these formats, this provides a syntax-colourised view of the message body.
  • render - For responses containing HTML or image content, this renders the content in visual form, as it would appear within your browser.
  • AMF - For requests and responses in Action Message Format, this displays a tree view of the decoded message. If editable, you can double-click individual nodes in the tree to modify their values.
  • viewstate - For requests containing an ASP.NET ViewState parameter, this deserialises the contents of the ViewState, enabling you to review the data contained for any sensitive items. It also indicates whether the ViewState MAC option is enabled: when it is, the server rejects any ViewState whose contents have been changed, so tampering with the ViewState is only worthwhile when the MAC is disabled.

Right-clicking on any request or response produces a context menu that can be used to perform various actions:

  • send to - You can send any message, or a selected portion of the message, to other tools within Burp Suite, to perform further attacks or analysis.
  • find references - [Pro version only] You can use this function to search all of Burp's tools for HTTP responses which link to the selected item.
  • discover content - [Pro version only] You can use this function to discover content and functionality which is not linked from visible content which you can browse to or spider.
  • schedule task - [Pro version only] You can use this function to create tasks which will run automatically at defined times and intervals.
  • change request method - For requests, you can automatically switch the request method between GET and POST, with all relevant request parameters suitably relocated within the request. This option can be used to quickly test the application's tolerance of parameter location in potentially malicious requests (e.g. cross-site scripting).
  • change body encoding - For requests, you can switch the encoding of any message body between application/x-www-form-urlencoded and multipart/form-data.
  • copy URL - This function copies the full current URL to the clipboard.
  • copy to file - This function allows you to select a file and copy the contents of the message to the file. This is handy for binary content, when copying via the clipboard may cause problems. Copying operates on the selected text or, if nothing is selected, the whole message.
  • paste from file - This function allows you to select a file and paste the contents of the file into the message. This is handy for binary content, when pasting via the clipboard may cause problems. Pasting replaces the selected text or, if nothing is selected, inserts at the cursor position.
  • save item - This function lets you specify a file to save the selected request and response in XML format, including all relevant metadata such as response length, HTTP status code and MIME type.
  • convert selection - These functions enable you to perform quick encoding or decoding of the selected text in a variety of schemes.
  • URL-encode as you type - If this option is turned on then characters like & and = will be automatically replaced with their URL-encoded equivalents as you type.

You can use the "<" and ">" buttons to browse back and forwards through the request history for the current tab, and modify and reissue any individual request, as necessary.

Options

The "repeater" menu controls aspects of Burp Repeater's behaviour.

You can create a new blank tab, delete an existing tab, or rename a tab's caption to help you keep track of your work.

If the "update Content-Length header" box is checked, then Burp Repeater will update the Content-Length header of each request (or add the header if necessary), with the correct value for the length of the HTTP body of that particular request. This feature is useful where the HTTP body has been manually modified, and so may have changed length. The HTTP specification, and most web servers, require the length of the HTTP body to be signalled, normally using the Content-Length header (chunked transfer encoding is the alternative). If the stated value is wrong, then the target server may return an error, may process a truncated request (when the value is too small), or may wait indefinitely for further data that never arrives (when the value is too large).
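The request surgery behind the "params" view, the "change request method" action and the "update Content-Length header" option can be seen on a raw request string. The example below is added here to illustrate those three operations; it is not Burp's own code, and the sample requests, host names and parameter values in it are constructed for illustration.

```python
"""Added example (not Burp's code): parsing a raw HTTP/1.1 request, listing its
parameters by location, toggling GET<->POST with parameter relocation, and
recomputing Content-Length from the real body. Sample requests are constructed."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CRLF = "\r\n"
FORM = "application/x-www-form-urlencoded"

# Constructed sample: a GET carrying a probe in the query string plus cookies.
RAW_GET = (
    "GET /search?q=%3Cscript%3E&page=2 HTTP/1.1" + CRLF
    + "Host: shop.example" + CRLF
    + "Cookie: session=abc123; theme=dark" + CRLF + CRLF
)
# Constructed sample: a POST whose body was edited after the header was written,
# so the declared Content-Length (5) no longer matches the 11-byte body.
RAW_STALE = (
    "POST /search HTTP/1.1" + CRLF
    + "Host: shop.example" + CRLF
    + "Content-Type: " + FORM + CRLF
    + "Content-Length: 5" + CRLF + CRLF
    + "q=1&page=22"
)

def parse_request(raw):
    """Split a raw request into (method, target, version, headers, body).
    Headers stay an ordered list of (name, value) so a round trip keeps order."""
    head, _, body = raw.partition(CRLF + CRLF)
    request_line, *header_lines = head.split(CRLF)
    method, target, version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body

def get_header(headers, name):
    """First value of a header, matched case-insensitively, or None."""
    return next((v for n, v in headers if n.lower() == name.lower()), None)

def set_header(headers, name, value):
    """Return headers with `name` replaced (or appended); value=None drops it."""
    kept = [(n, v) for n, v in headers if n.lower() != name.lower()]
    return kept + ([(name, value)] if value is not None else [])

def serialize(method, target, version, headers, body):
    """Rebuild the request with Content-Length recomputed from the actual body,
    which is what the "update Content-Length header" option does. A stale value
    makes the server truncate the body or block waiting for bytes."""
    if body or method in ("POST", "PUT", "PATCH"):
        headers = set_header(headers, "Content-Length", str(len(body.encode("utf-8"))))
    else:
        headers = set_header(headers, "Content-Length", None)
    lines = [f"{method} {target} {version}"] + [f"{n}: {v}" for n, v in headers]
    return CRLF.join(lines) + CRLF + CRLF + body

def params_view(method, target, version, headers, body):
    """The "params" tab: (location, name, value) for URL, cookie and body params."""
    found = [("url", n, v) for n, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    cookie = get_header(headers, "Cookie")
    if cookie:
        for pair in cookie.split(";"):
            name, _, value = pair.strip().partition("=")
            if name:
                found.append(("cookie", name, value))
    if body and (get_header(headers, "Content-Type") or "").startswith(FORM):
        found += [("body", n, v) for n, v in parse_qsl(body, keep_blank_values=True)]
    return found

def change_method(method, target, version, headers, body):
    """Toggle GET<->POST, relocating URL-encoded parameters between the query
    string and the body. Useful for checking whether a filter inspects only
    one parameter location for the same input."""
    parts = urlsplit(target)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if method == "GET":
        headers = set_header(headers, "Content-Type", FORM)
        return "POST", urlunsplit(parts._replace(query="")), version, headers, urlencode(query)
    body_params = parse_qsl(body, keep_blank_values=True) if body else []
    headers = set_header(headers, "Content-Type", None)
    new_target = urlunsplit(parts._replace(query=urlencode(query + body_params)))
    return "GET", new_target, version, headers, ""

if __name__ == "__main__":
    print(params_view(*parse_request(RAW_GET)))
    print(serialize(*change_method(*parse_request(RAW_GET))))
    print(serialize(*parse_request(RAW_STALE)))
```

Converting the sample GET yields a POST to /search with the body q=%3Cscript%3E&page=2 and a freshly computed Content-Length of 21; converting it back restores the original query string and drops the body headers. Serialising the stale sample corrects its Content-Length from 5 to 11.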

If the "unpack gzip / deflate" box is checked, then Burp Repeater will decompress gzip- and deflate-compressed content before displaying it.

The redirect settings control whether Burp Repeater will follow HTTP redirects (i.e. those with a 3xx status code and a Location header containing a new URL). The following options are available:

  • Never - Repeater will not follow any redirects.
  • On-site only - Repeater will only follow redirects to the same web "site", i.e. to URLs employing the same host, port and protocol as was used in the original request.
  • In-scope only - Repeater will only follow redirects to URLs that are within the Suite-wide target scope (defined in the "target" tab).
  • Always - Repeater will follow redirects to any URL whatsoever. You should use this option with caution - occasionally, web applications relay your request parameters in redirections to third-party web sites, and by following redirects you may inadvertently attack an application that you do not intend to.

When Repeater receives a redirect that it is configured to follow, it will request the redirection URL (following up to 10 redirections if necessary, after which it stops so as to avoid infinite loops). The response from the redirection URL is then displayed in the response panel. The status message will indicate if a redirection was followed, and if so how many.

The option to follow redirects is often useful when an application returns a 3xx response to various kinds of input, with the more interesting features of the application's processing of your request being returned when the redirection target is requested. For example, when probing for common vulnerabilities, the application may frequently return a redirect to an error page - this page may contain useful information about the nature of the error which can be used to diagnose bugs like SQL injection.

If the "process cookies in redirects" option is selected, then any cookies set in the 3xx response will be resubmitted if a redirect to the same domain is followed.
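The redirect rules above (the four policies, the 10-hop cap, and cookie resubmission on same-domain redirects) can be expressed as a small client loop. The example below is added here to show that logic in working form; it is not Burp's own code. The "server" is a constructed in-memory stand-in, and the host names, paths and cookie names in it are made up for illustration.

```python
"""Added example (not Burp's code): redirect following with never / on-site /
in-scope / always policies, a 10-hop cap and same-domain cookie resubmission.
fake_server is a constructed stand-in for the target application."""
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10          # Repeater stops after 10 redirections to avoid loops
DEFAULT_PORT = {"http": 80, "https": 443}

def same_site(a, b):
    """True when two URLs share scheme, host and port (the "on-site only" test)."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port or DEFAULT_PORT.get(pa.scheme)) == \
           (pb.scheme, pb.hostname, pb.port or DEFAULT_PORT.get(pb.scheme))

def should_follow(policy, origin, target, scope):
    """Decide whether a redirect from the ORIGINAL request's site may be followed."""
    if policy == "never":
        return False
    if policy == "always":
        return True
    if policy == "on-site":
        return same_site(origin, target)
    if policy == "in-scope":          # scope: constructed list of URL prefixes
        return any(target.startswith(prefix) for prefix in scope)
    raise ValueError(f"unknown redirect policy {policy!r}")

def parse_set_cookie(value):
    """name, value of one Set-Cookie header; attributes (Path, HttpOnly...) dropped."""
    name, _, val = value.split(";", 1)[0].strip().partition("=")
    return name, val

def follow(url, send, policy="never", scope=(), process_cookies=True):
    """Issue `url` via send(url, cookies) -> (status, headers, body) and follow
    3xx Location responses per `policy`. Returns (status, headers, body, hops).
    Cookies set by a 3xx are resubmitted only when the next hop stays on the
    same domain, mirroring "process cookies in redirects"."""
    origin, cookies, hops = url, {}, 0
    while True:
        status, headers, body = send(url, dict(cookies))
        location = headers.get("Location")
        if not (300 <= status < 400 and location) or hops >= MAX_HOPS:
            return status, headers, body, hops
        target = urljoin(url, location)           # Location may be relative
        if not should_follow(policy, origin, target, scope):
            return status, headers, body, hops    # show the 3xx itself
        same_domain = urlsplit(target).hostname == urlsplit(url).hostname
        if process_cookies and same_domain and "Set-Cookie" in headers:
            name, value = parse_set_cookie(headers["Set-Cookie"])
            cookies[name] = value
        url, hops = target, hops + 1

def fake_server(url, cookies):
    """Constructed target: an app that redirects bad input to an error page whose
    detail is keyed by a cookie, a redirect to a third party, and a loop."""
    if url == "http://app.example/login?user=%27":
        return 302, {"Location": "/error?id=7", "Set-Cookie": "err=sql; Path=/"}, ""
    if url == "http://app.example/error?id=7":
        detail = "syntax error near ''" if cookies.get("err") == "sql" else "unknown error"
        return 200, {}, f"Error page: {detail}"
    if url == "http://app.example/go":
        return 302, {"Location": "https://tracker.example/hit?user=%27"}, ""
    if url == "http://app.example/loop":
        return 302, {"Location": "/loop"}, ""
    if url.startswith("https://tracker.example/"):
        return 200, {}, "third party"
    return 404, {}, "not found"

if __name__ == "__main__":
    for policy in ("never", "on-site", "always"):
        print(policy, follow("http://app.example/login?user=%27", fake_server, policy))
    print("loop", follow("http://app.example/loop", fake_server, "always")[3], "hops")
```

With "on-site", the probe on /login is followed to the error page and the err cookie set by the 302 is resubmitted, so the diagnostic text is visible; with "never", the bare 302 is shown. The redirect to tracker.example is only followed under "always" (or under "in-scope" if that host were in scope), and the self-redirecting /loop stops after exactly 10 hops.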

The "action" sub-menu contains the same context-menu items as are available by right-clicking the request or response panels.

 

Copyright (c) 2010 PortSwigger Ltd. All rights reserved.