Burp Repeater options
Last updated: January 27, 2023
Read time: 3 Minutes
Burp Repeater's options enable you to control how Repeater behaves when sending requests and receiving responses. To configure Repeater options that apply across all tabs, use the top-level Repeater menu.
The following options are available:
- Update Content-Length - This controls whether Burp automatically updates the Content-Length header of the request. Using this option is normally essential when the request message contains a body.
- Unpack GZIP / deflate - This controls whether Burp automatically unpacks GZIP and deflate-compressed content received in responses.
- Follow redirections - This controls whether redirection responses are automatically followed. If Repeater receives a redirection response which it is not configured to follow automatically, it displays a Follow redirection button near to the top of the UI. This enables you to manually follow the redirection after viewing it. This feature is useful for walking through each request and response in a redirection sequence.
- Process cookies in redirections - Any cookies set in the redirection response are resubmitted when the redirection target is followed. This applies to both automatic and manual redirections.
- Enforce protocol choice on cross-domain redirections - By default, Repeater negotiates the protocol as normal when redirected cross-domain. If you enable this option, it follows any cross-domain redirections using the same protocol that is selected under Inspector > Request Attributes. This is important when testing for HTTP/2-specific vulnerabilities that trigger cross-domain requests.
Normalize HTTP/1 line endings - By default, Repeater normalizes HTTP/1 line endings by automatically appending a carriage return
(\r)to any lines that end with a newline character
(\n). The carriage return is appended immediately before the newline. This reduces the risk of accidentally sending an invalid request. You might want to disable this feature when testing for certain vulnerabilities, such as request smuggling, where you may have intentionally omitted the newline.
- Enable HTTP/1 connection reuse - By default, Burp Suite opens a new TCP connection for each HTTP 1.1 request / response pair. If you select this setting, then Burp Repeater reuses the same connection for all requests sent to that server. This brings significant benefits in speed and request timing. Burp Suite closes any open TCP connections after five seconds of inactivity.
- Enable HTTP/2 connection reuse - By default, Repeater reuses the same connection for multiple HTTP/2 requests. You may want to disable this feature if the server treats the first request on a connection differently to subsequent requests. For more information, see our HTTP/2 documentation.
Strip Connection header over HTTP/2 - By default, when an HTTP/2 request contains a
Connectionheader, Burp strips this before it sends the request to the server. This is because many HTTP/2 servers reject requests that contain this header. You can disable this option to try to send the header anyway, to see how the server responds.
- Allow HTTP/2 ALPN override - Send HTTP/2 requests from Burp Repeater even when the server doesn't advertise HTTP/2 support via ALPN. This enables you to explore any "hidden HTTP/2" attack surface reported by Burp Scanner or manually test for hidden HTTP/2 support.
- Action - This submenu contains the same options that are available on the context menu of the request and response message editors.
Was this article helpful?
An error occurred, please try again.