Burp Repeater options
Last updated: May 17, 2022
The Repeater menu controls aspects of Burp Repeater's behavior. The following options are available:
- Update Content-Length - This option controls whether Burp automatically updates the Content-Length header of the request where necessary. Using this option is normally essential when the request message contains a body.
- Unpack GZIP / deflate - This option controls whether Burp automatically unpacks GZIP- and deflate-compressed content received in responses.
- Follow redirections - This setting controls whether redirection responses are automatically followed. If Repeater receives a redirection response which it is not configured to follow automatically, it will display a Follow redirection button near the top of the UI. This allows you to manually follow the redirection after viewing it. This feature is useful for walking through each request and response in a redirection sequence. New cookies will be processed in these manual redirections if the Process cookies in redirections option described below is selected.
- Process cookies in redirections - If this option is selected, then any cookies set in the redirection response will be resubmitted when the redirection target is followed.
- Enforce protocol choice on cross-domain redirections - By default, Repeater will negotiate the protocol as normal when redirected cross-domain. If you enable this option, it will follow any cross-domain redirections using the same protocol that is selected under Inspector > Request Attributes. This is important when testing for HTTP/2-specific vulnerabilities that trigger cross-domain requests.
- Normalize HTTP/1 line endings - By default, Repeater will normalize HTTP/1 line endings by automatically appending a newline character (\n) to any lines that end with a standalone carriage return (\r). This reduces the risk of accidentally sending an invalid request. You might want to disable this feature when testing for certain vulnerabilities, such as request smuggling, where you may have intentionally omitted the newline.
- Enable HTTP/2 connection reuse - By default, Repeater reuses the same connection for multiple HTTP/2 requests. You may want to disable this feature in cases where the server treats the first request on a connection differently to any subsequent requests. For more information, see our HTTP/2 documentation.
- Strip Connection header over HTTP/2 - By default, when an HTTP/2 request contains a Connection header, Burp strips this before sending the request to the server. This is because many HTTP/2 servers will reject requests containing this header. You can disable this option to try sending the header anyway to see how the server responds.
- Allow HTTP/2 ALPN override - If this option is selected, you can send HTTP/2 requests from Burp Repeater even when the server doesn't advertise HTTP/2 support via ALPN. This enables you to explore any "hidden HTTP/2" attack surface reported by Burp Scanner or manually test for hidden HTTP/2 support.
- Action - This submenu contains the same options as are available via the context menu of the request and response message editors.
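
The rule described under Normalize HTTP/1 line endings, sketched in Python as an added example (this is not Burp's own code). The names find_bare_cr and normalize_line_endings are hypothetical, the sample request is constructed, and applying the rule to the whole message rather than only the header block is an assumption.

```python
import re

# Any line terminator: CRLF, a standalone CR, or a standalone LF.
LINE_END = re.compile(rb"\r\n|\r|\n")
# A CR that is not immediately followed by LF.
BARE_CR = re.compile(rb"\r(?!\n)")

# Constructed sample: the Host line ends with a standalone CR.
SAMPLE = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r"
    b"X-Test: 1\r\n"
    b"Content-Length: 3\r\n"
    b"\r\n"
    b"abc"
)


def find_bare_cr(raw: bytes) -> list[int]:
    """Return the 1-based numbers of lines terminated by a standalone CR."""
    hits = []
    for lineno, match in enumerate(LINE_END.finditer(raw), start=1):
        if match.group() == b"\r":
            hits.append(lineno)
    return hits


def normalize_line_endings(raw: bytes) -> bytes:
    """Append LF after every standalone CR; CRLF and bare LF are untouched."""
    return BARE_CR.sub(b"\r\n", raw)


if __name__ == "__main__":
    print("lines ending in a bare CR:", find_bare_cr(SAMPLE))
    fixed = normalize_line_endings(SAMPLE)
    print("after normalization:", find_bare_cr(fixed))
    print(fixed.decode("latin-1"))
```

Running find_bare_cr on a request before sending shows which lines the default setting would rewrite, which helps confirm whether a malformed terminator was intentional.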