Sending HTTP requests in sequence
Last updated: May 15, 2023
Read time: 2 Minutes
Repeater's Send group in sequence feature lets you send a series of grouped HTTP requests in sequence with a single click.
You can send all of the requests over the same connection or use separate connections:
- Sending requests over separate connections lets you more easily test for vulnerabilities that require a multi-step process.
- Sending requests over a single connection lets you test for potential client-side desync vectors.
Sending requests over a single connection also reduces the "jitter" that can occur when establishing TCP connections. This is useful for timing-based attacks that rely on being able to compare responses with very small differences in timings.
- For more information on creating tab groups in Repeater, see Managing tab groups.
- For more information on how to test for client-side desync vectors, as well as some deliberately vulnerable labs for you to practice on, see Browser-powered request smuggling in the Web Security Academy.
To send a group of requests in sequence:
- Create a group and add the relevant tabs to it.
- Select one of the tabs in the group.
- Click the drop-down arrow by the side of the Send button and select either Send group in sequence (single connection) or Send group in sequence (separate connections).
- Click Send group.
Repeater attempts to send requests from all of the tabs in the order they are arranged in the group:
- If you select a single connection, Repeater establishes a connection to the target, sends the requests from all of the group's tabs, and then closes the connection.
- If you select multiple connections, Repeater establishes a connection to the target, sends the request from the first tab, and then closes the connection. It repeats this process for all of the other tabs in the group.
To cancel the sequence, click Cancel on one of the group's tabs while the requests are being sent.
Send sequence prerequisites
To send a sequence of requests, the group must meet the following criteria:
- There must not be any WebSocket message tabs in the group.
- There must not be any empty tabs in the group.
To send a sequence of requests over a single connection, all of the requests must meet the following criteria:
- They must all have the same target.
- They must all use HTTP/1 or all use HTTP/2.
Was this article helpful?
An error occurred, please try again.