PROFESSIONALCOMMUNITY

Sending requests in sequence

  • Last updated: August 25, 2022

  • Read time: 2 Minutes

Repeater's Send group in sequence feature enables you to send all of the requests in a group with a single click. You can either send all of the group's requests over the same connection or use separate connections for each request.

Sending requests over a single connection enables you to test for potential client-side desync vectors. For more information about how to do this, as well as some deliberately vulnerable labs for you to practice on, check out the related content on the Web Security Academy. This is also useful for timing-based attacks that rely on being able to compare responses with very small differences in timings as it reduces the "jitter" that can occur when establishing TCP connections.

Sending requests over separate connections is primarily useful when testing for vulnerabilities that require a multi-step process.

Note

For more information on creating tab groups in Repeater, see Managing tab groups.

To send a group of requests in sequence:

  1. Create a group and add the relevant tabs to it.
  2. Select one of the tabs in the group.
  3. Click the drop-down arrow by the side of the Send button and select either Send group in sequence (single connection) or Send group in sequence (separate connections) as required.
  4. Click Send group.

Repeater attempts to send requests from all of the tabs in the order they are arranged in the group:

  • If you selected a single connection, then Repeater establishes a connection to the target, sends the requests from all of the group's tabs, and then closes the connection.
  • If you selected multiple connections, then Repeater establishes a connection to the target, sends the request from the first tab, and then closes the connection. It repeats this process for all of the other tabs in the group.

To cancel the sequence, click Cancel on one of the group's tabs while the requests are being sent.

Send sequence prerequisites

To send the tabs in a group over a single connection, the group must meet the following criteria:

  • All tabs in the group must have the same target.
  • All tabs in the group must use the same request protocol (i.e. they must either all use HTTP/1 or all use HTTP/2).
  • There must not be any WebSocket message tabs in the group.
  • There must not be any empty tabs in the group.

Sequences sent over separate connections can use different targets and protocols. However, you still cannot send sequential requests from groups that contain WebSocket tabs or empty tabs over separate connections.

Was this article helpful?