PROFESSIONALCOMMUNITY

Using Burp Repeater

  • Last updated: August 25, 2022

  • Read time: 6 Minutes

Burp Repeater is a simple tool for manually manipulating and reissuing individual HTTP and WebSocket messages, and analyzing the application's responses. You can use Repeater for all kinds of purposes, such as changing parameter values to test for input-based vulnerabilities, issuing requests in a specific sequence to test for logic flaws, and reissuing requests from Burp Scanner issues to manually verify reported issues.

The main Repeater UI lets you work on multiple different messages simultaneously, each in its own tab. When you send messages to Repeater, each one is opened in its own numbered tab. You can rename tabs by double-clicking the tab header.

Using Burp Repeater with HTTP messages

To use Burp Repeater with HTTP messages, you can select an HTTP message anywhere in Burp, and choose Send to Repeater from the context menu. This will create a new request tab in Repeater, and automatically populate the target details and request message editor with the relevant details. Alternatively, you can open a new Repeater tab manually and select the HTTP option.

For HTTP messages, each Repeater tab contains the following items:

  • Controls to issue requests and navigate the request history.
  • The target server to which the request will be sent is shown - you can click on the target details to change these.
  • An HTTP message editor containing the request to be issued. You can edit the request and reissue it over and over.
  • An HTTP message editor showing the response that was received from the last issued request.

Sending HTTP requests

When your request is ready to send, click the Send button to send it to the server. The response is displayed when this is received, together with the response length and a timer (in milliseconds). You can use the usual HTTP message editor functions to help analyze the request and response messages, and carry out further actions.

You can also choose which protocol Burp will use to send the message.

Note

You can also send groups of Repeater tabs with a single click. For more information on sending Repeater tabs in sequence, see Sending requests in sequence

HTTP request history

Each Repeater tab maintains its own history of the requests that have been made within it. You can click the < and > buttons to navigate backwards and forwards through this history and view each request and response. You can also use the drop-down buttons to show a numbered list of adjacent items in the history, and quickly move to them. At any point in the history, you can edit and reissue the currently displayed request.

Using Burp Repeater with WebSocket messages

To use Burp Repeater with WebSocket messages, you can select a WebSocket message in the Proxy history, and choose Send to Repeater from the context menu. Alternatively, you can open a new Repeater tab and select the WebSockets option.

For WebSocket messages, each Repeater tab contains the following items:

  • A message editor containing the WebSocket message that will be sent. You can edit the message and resend it over and over.
  • The WebSocket connection via which the message will be sent.
  • A history table showing all of the messages that have been sent and received, and a message viewer for the message that is currently selected in the history.

Sending WebSocket messages

You can edit the message that will be sent, and select whether it should be sent to the server or client. Note that the option to send a message to the client is only available in connections that are still open via Burp Proxy.

When your message is ready to send, click the Send button to send the message.

Optionally, the history table will automatically select the next message that is received after you sent the message.

WebSocket message history

The history table shows all of the messages that have been sent and received. Messages that were generated manually within Burp Repeater are indicated in the Repeater column. You can select a message to view it in the lower pane.

If you want to resend a message from the history, you can choose the Edit and resend option on the context menu. This will show the selected message in the left-hand message editor, allowing you to modify the message as required, and then send it.

Repeater options

Burp Repeater's options enable you to control how Repeater behaves when sending requests and receiving responses. To configure Repeater options that apply across all tabs, use the Repeater menu. The Repeater menu option is located at the top of the window on Linux and Windows, and at the very top of the screen on Mac OSX.

Note

For detailed information on the options available in Repeater, see the Burp Repeater options page.

Configuring tab-specific Repeater options

If required, you can override the options selected on the Repeater menu for an individual tab.

To configure tab-specific options:

  1. Select the tab you want to configure.
  2. Click the icon next to the Send button to display a context menu containing Repeater options. These are the same options you can find on the global Repeater menu.
  3. Select the required options from the menu.

If you select an option on the tab-specific menu then Repeater ignores all global options for that tab. For example, suppose that you have selected Process cookies in redirections on the global Repeater menu, and you then select Enable HTTP/1 connection reuse on a tab-specific menu. In this case, the global Process cookies in redirections setting for that tab would be ignored, and would revert to default settings. As such, you should make sure that all options are set correctly on the tab-specific menu before sending requests from the tab.

If you have modified options for a tab then the tab's settings icon turns blue. You can return a tab to the global Repeater settings by clicking its settings icon and selecting Restore global default from the context menu.

If you are using a project file then any tab-specific options you have configured for open tabs are retained when you re-open Burp Suite.

Managing request tabs

You can manage request tabs using the controls on the tab bar.

Creating a request from scratch

To open a new tab, click the + icon and select either HTTP or WebSocket from the context menu.

Renaming tabs

To rename a tab, double-click the tab header and enter a new name for the tab. Alternatively, right-click the tab and select Rename tab.

Switching tab view

To make it easier to work with a large number of tabs, Burp Repeater provides two different tab views. You can choose whether tabs are displayed in a single, scrollable row or whether they wrap onto multiple rows so that they're all displayed on screen at once.

If the row of tabs extends off the edge of the screen in scrollable view, then an overflow menu icon is displayed. Click this icon to view a drop-down list of all open tabs. You can also use the search bar to locate a specific tab.

To change the tab view, right-click a tab or click the options menu and select Tab view options.

Closing tabs

You can close tabs in multiple ways:

  • To close a single tab, click its x button. You can also right-click the tab and select Close tab.
  • To close all tabs other than the selected tab, right-click the tab and select Close other tabs.
  • To close all tabs to one side of the selected tab, right click the tab and select Close tabs to the left or Close tabs to the right.
  • To close all open tabs, click the options menu and select Close all tabs.
  • For tabs that belong to a group, you can close all tabs in the group except the selected tab by right clicking that tab and selecting Close other tabs in group. The remaining tab stays in the group.

To reopen the last tab you closed, right click any tab and select Reopen closed tab.

Note

Repeater's tab group feature enables you to group related tabs together and send groups of requests in sequence.

Was this article helpful?