
x32x01

ADMINISTRATOR
In this article we focus on the Repeater tool and the options it offers in Burp Suite Professional. Repeater lets a pentester resend a request from inside Burp and observe its response in real time, without disturbing the request that was captured from the browser.

Table of Contents
  • Introduction
  • Renaming the Tabs
  • Request Method
  • Request History
  • URL as Request
  • URL Encode
  • Following Redirection
  • Search
  • Reopening Closed Tab
  • Views
  • Exporting Repeater Data
  • Conclusion
Introduction
Even users who are just beginning with Burp Suite are likely to be familiar with Repeater, but let us go over its basic function first. Repeater is a tool that lets the user or attacker modify and resend particular HTTP requests and then understand and analyze the response each one generates. In the demonstration below, we have captured an HTTP request from the browser. The request sits in the Intercept sub-tab of the Proxy tab. Right-clicking the captured request opens a drop-down menu containing the option “Send to Repeater”; clicking it sends the request to Repeater. The shortcut Ctrl+R does the same for any request.

1.png

Now that the request has been sent to Repeater, we can switch to the Repeater tab, edit the request, and observe the response generated for that particular version of it. The Repeater tab sits next to the Proxy tab, and it shows the request captured earlier. Edit the request as required and click the Send button; the request is sent to the target and the generated response appears in the Response section, as shown below.

2.png

Renaming the Tabs
During an assessment, Repeater tends to get cluttered with tabs that carry only numbers, as shown in the image below: every request sent to Repeater opens a new tab numbered one higher than the last. After a while of working on a project this becomes hard to keep track of.

3.png

Double-clicking a tab lets you rename it to whatever helps you remember and sort your work. In the demonstration below, we renamed the tabs after the tests we were performing in that session.

4.png

Request Method
Next, we look at Repeater’s ability to change the request method, i.e. the HTTP method such as GET, POST, PUT, OPTIONS, and so on. Some web pages are configured to work with more than one method. Suppose you want to request a page that contains a form with input fields: fetching the form uses the GET method, while submitting the field data to the server requires the POST method. Switching between them takes a single option in the right-click menu, “Change request method”. In the demonstration below, we start with a GET request.

5.png

After changing the request method, we can see that the method changed from GET to POST and that the parameters that were in the URL moved into the body of the request, as the conventions of a POST request require.

6.png

Request History
A web browser has Forward and Back buttons that navigate to the next or previous page. Repeater has Back (<) and Forward (>) buttons as well. These help when we receive a 301 response to our request, since they let us follow the redirection: with the Forward (>) button we move to the next request and its response. They are equally useful when you are using Repeater to test different parameters and their effect on the response, because you can step back to any earlier response that behaved the way you wanted. The request history can be viewed by clicking the drop-down button next to the Back (<) button, as demonstrated below.

7.png

URL as Request
In a penetration testing engagement there are situations where you need to test the response of a particular URL without actually capturing the request, or where you obtained a finding earlier but no longer have the corresponding request at hand. Normally you would go to the HTTP history, locate that request and send it to Repeater. The process can be shortened by using the URL alone. Here, we copy the URL from the web browser.

8.png

Now we go to Repeater and create a new tab by right-clicking on the tab bar. Burp asks whether the new tab should hold an HTTP request or a WebSocket request; since we are working with a web page, we choose HTTP.

9.png

Next, we right-click on the empty Request section and choose the “Paste URL as request” option from the drop-down menu.

10.png

The image below shows that Burp converted the URL into a proper request with the basic headers added automatically. Now that we have a request for the URL we want to investigate, we can click the Send button and observe the response.

11.png
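The two operations shown above, turning a bare URL into a request and switching a GET into a POST (and back), are easy to reproduce in a few lines, which makes it clear what Burp is doing to the request text. The following is an added example written for this article, not Burp's own code; the default header set it adds is an assumption and Burp's own defaults differ.

```python
"""Build a raw HTTP request from a URL and switch its method, mirroring the
"Paste URL as request" and "Change request method" actions described above.
Added example; not Burp's code. DEFAULT_HEADERS is an assumed minimal set."""
from urllib.parse import urlsplit, parse_qsl, urlencode

DEFAULT_HEADERS = [
    ("Accept", "*/*"),
    ("Connection", "close"),
]


def url_to_request(url):
    """Turn an absolute http(s) URL into a raw HTTP/1.1 GET request string."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("need an absolute http(s) URL")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    lines = [f"GET {path} HTTP/1.1", f"Host: {parts.netloc}"]
    lines += [f"{k}: {v}" for k, v in DEFAULT_HEADERS]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_request(raw):
    """Split a raw request into (method, target, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def build_request(method, target, version, headers, body):
    """Inverse of parse_request: serialise the parts back to request text."""
    lines = [f"{method} {target} {version}"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def change_method(raw, new_method):
    """Switch between GET and POST, moving parameters between the query
    string and a form-encoded body and recomputing the body headers."""
    method, target, version, headers, body = parse_request(raw)
    new_method = new_method.upper()
    if method == new_method:
        return raw
    path, _, query = target.partition("?")
    # Body-related headers are recomputed below, so drop any existing ones.
    headers = [(k, v) for k, v in headers
               if k.lower() not in ("content-type", "content-length")]
    if new_method == "POST":
        new_body = urlencode(parse_qsl(query, keep_blank_values=True))
        headers.append(("Content-Type", "application/x-www-form-urlencoded"))
        headers.append(("Content-Length", str(len(new_body))))
        return build_request("POST", path, version, headers, new_body)
    if new_method == "GET":
        params = parse_qsl(body, keep_blank_values=True)
        new_target = path + ("?" + urlencode(params) if params else "")
        return build_request("GET", new_target, version, headers, "")
    raise ValueError("only GET and POST conversions are implemented here")


if __name__ == "__main__":
    req = url_to_request("http://example.com/search?q=burp&page=2")
    print(req)
    print(change_method(req, "POST"))
```

Only the GET/POST pair is handled, because that is the conversion the article demonstrates; a real tool also has to decide what to do with a JSON or multipart body, which this example deliberately leaves out.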

URL Encode
Web servers do not handle spaces and certain symbols well, so spaces and symbols such as & are sent in URL-encoded form. Developers program websites to encode the data client-side before generating the request that goes to the web server. If you forget to apply the proper encoding while editing a request inside Repeater, the request may behave unpredictably. In addition, some filters look for symbols such as < and > but not for their URL-encoded equivalents, so such a filter can be bypassed simply by encoding those characters. In the demonstration below, we have a request inside Repeater; we right-click on the request and choose the “URL-encode as you type” option, which URL-encodes our text as we type it, with no further effort on our part.

12.png

We can see that the values we added to the searchFor parameter had their spaces converted into + and the whole string converted into URL-encoded form. The feature can be disabled by choosing the same option from the menu again.

13.png
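The encoding Repeater applies here is ordinary form encoding, and the filter weakness mentioned above (a check that looks at the raw, still-encoded value) is a decoding-order bug on the server side. The following added example, written for this article and not taken from Burp or any project, shows the encoding of a parameter value exactly as the screenshot describes (spaces become +), and contrasts a filter that inspects the raw value with one that decodes first. All sample values are constructed.

```python
"""Form-style URL encoding of a parameter value, as Repeater's
"URL-encode as you type" produces, and two server-side filters: one that
checks the raw value and misses encoded characters, and one that decodes
before checking. Added example, not Burp's code; sample values constructed."""
from urllib.parse import quote_plus, unquote_plus, parse_qsl, urlencode


def encode_value(text):
    """Form encoding: space -> '+', reserved and unsafe characters -> %XX."""
    return quote_plus(text, safe="")


def set_param(query, name, value):
    """Replace (or add) one parameter in a query string, re-encoding it."""
    params = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
              if k != name]
    params.append((name, value))
    return urlencode(params)


# Characters the (constructed) server-side filter wants to reject.
FORBIDDEN = ("<", ">", '"', "'")


def naive_filter(raw_value):
    """Checks the value as received, before decoding: encoded forms slip by."""
    return not any(ch in raw_value for ch in FORBIDDEN)


def decoding_filter(raw_value):
    """Decode until the value stops changing (catches double encoding), then
    check. Deliberately conservative: a literal '%25' is also decoded."""
    value = raw_value
    for _ in range(5):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return not any(ch in value for ch in FORBIDDEN)


if __name__ == "__main__":
    q = set_param("page=1", "searchFor", "burp suite & repeater")
    print(q)  # page=1&searchFor=burp+suite+%26+repeater
    sample = encode_value("<b>x</b>")
    print(sample, naive_filter(sample), decoding_filter(sample))
```

The point for a defender is the order of operations: normalise the input to its canonical decoded form first, then apply the check; a check on the encoded bytes protects nothing.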

Following Redirection
Redirection is an important part of any web application. It lets users navigate the web pages in the way the developer intended, and it lets the developer integrate several different web applications into a single website. Web browsers follow redirections by default, which is a problem for a penetration tester: while testing scenarios such as open redirection or web cache poisoning, the tester needs to stop and observe the redirection response from the application. Repeater has an option for this and similar situations. It lets the user choose to never follow redirections, to follow only on-site redirections, to follow redirections only to in-scope domains, or to always follow redirections. This lets the user configure Repeater to fit the way the application is built.

14.png

Since we chose Never to follow redirections in the previous step, we see a 302 response in the image below. Now that we have a redirection response, we can click the Follow redirection button, as shown in the image below, to continue with the request.

15.png
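The four settings listed above amount to a small decision rule applied to the Location header of a redirect response. The following added example implements that rule; it is written for this article and is not Burp's logic. The scope rule (a list of domain suffixes) and the notion of "on-site" (same scheme, host and port as the request) are simplifications assumed here, and all URLs are constructed.

```python
"""Redirect-following policy modelled on Repeater's four choices: never,
on-site only, in-scope only, always. Added example, not Burp's code.
Scope handling is a simplified hostname-suffix list."""
from urllib.parse import urljoin, urlsplit

NEVER, ON_SITE, IN_SCOPE, ALWAYS = "never", "on-site", "in-scope", "always"
REDIRECT_CODES = {301, 302, 303, 307, 308}


def resolve_location(request_url, location):
    """Location may be relative; resolve it against the request's URL."""
    return urljoin(request_url, location)


def should_follow(policy, request_url, status, location, scope=()):
    """Return (follow?, absolute redirect target or None).

    With NEVER the target is still returned so the tester can inspect where
    the application wanted to send the client, which is exactly what open
    redirect and cache poisoning tests look at."""
    if status not in REDIRECT_CODES or not location:
        return False, None
    target = resolve_location(request_url, location)
    if policy == NEVER:
        return False, target
    if policy == ALWAYS:
        return True, target
    src, dst = urlsplit(request_url), urlsplit(target)
    if policy == ON_SITE:
        same_site = ((src.scheme, src.hostname, src.port)
                     == (dst.scheme, dst.hostname, dst.port))
        return same_site, target
    if policy == IN_SCOPE:
        host = dst.hostname or ""
        in_scope = any(host == s or host.endswith("." + s) for s in scope)
        return in_scope, target
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    req = "https://app.example.com/login"
    for policy in (NEVER, ON_SITE, IN_SCOPE, ALWAYS):
        print(policy, should_follow(policy, req, 302, "https://other.example/",
                                    scope=("example.com",)))
```

Note that the on-site rule deliberately refuses a redirect to a sibling host such as cdn.example.com; the in-scope rule is the one that admits it when example.com is in scope.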

Search
Both the Request and the Response sections of Repeater have a search bar at the bottom. Since the response contains all the HTML that builds the web page, it tends to be very long and it can be difficult to find a particular keyword in it. This matters when we are trying to see whether a parameter we passed was reflected in the response. The search automatically jumps to the first match, and the left and right arrow keys move between the occurrences of the keyword. A few settings can be toggled while searching: a checkbox makes the search case sensitive, and a regex value can be used to search for a general pattern rather than a fixed string. Finally, Auto-scroll can be enabled so that the view follows each change made in the search bar, which also helps to find particular keywords quickly.

16.png
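Checking whether an injected value came back in the response is the most common use of that search bar, and the interesting question is usually not just whether it is there but in which form. The following added example (written for this article, not Burp's code) reproduces the case-sensitive and regex toggles and then reports whether a value was reflected raw or HTML-entity encoded; the latter is what a correctly escaping application produces. The sample response is constructed.

```python
"""Search a response the way Repeater's search bar does (case toggle, regex
toggle, stepping through matches) and classify reflections of an injected
value as raw or HTML-encoded. Added example, not Burp's code."""
import html
import re

# Constructed response: the value appears once entity-encoded (safe output)
# and once raw inside an attribute (unescaped output).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>\n"
    "<p>Results for: &lt;b&gt;Burp&lt;/b&gt;</p>\n"
    '<input name="searchFor" value="<b>burp</b>">\n'
    "</body></html>"
)


def find_occurrences(text, term, case_sensitive=False, regex=False):
    """Return (start, end) spans of every match, in document order."""
    pattern = term if regex else re.escape(term)
    flags = 0 if case_sensitive else re.IGNORECASE
    return [(m.start(), m.end()) for m in re.finditer(pattern, text, flags)]


def reflection_report(response, value):
    """Count exact raw reflections of value and HTML-escaped reflections."""
    raw = len(find_occurrences(response, value, case_sensitive=True))
    escaped_form = html.escape(value, quote=True)
    encoded = 0
    if escaped_form != value:
        encoded = len(find_occurrences(response, escaped_form,
                                       case_sensitive=True))
    return {"raw": raw, "encoded": encoded}


if __name__ == "__main__":
    print(find_occurrences(SAMPLE_RESPONSE, "burp"))
    print(find_occurrences(SAMPLE_RESPONSE, r"<b>\w+</b>", regex=True))
    print(reflection_report(SAMPLE_RESPONSE, "<b>burp</b>"))
```

A report with only encoded reflections means the output encoding is doing its job; a non-zero raw count is the thing worth writing up.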

Reopening Closed Tab
If you have been using Burp for some time, you have probably closed a Repeater tab by accident. You are not alone, and it is not your fault: the Close (X) button is placed in such a way that it is very easy to close a tab unintentionally. After numerous requests, PortSwigger added an option for this: right-click on the tab bar and choose Reopen Closed Tab to bring back any tab that you closed accidentally.

18.png

Views
Burp Suite provides several views of the Request and Response sections; which one to use comes down to the user’s preference. Of the three options, the first is the classic side-by-side panels shown in the image below.

19.png

Next, we have the top/bottom layout, which is useful for users who are more comfortable with that orientation.

20.png

Finally, we have the Tabs layout, which adds another set of tabs to Burp’s tab scheme and gives each section the whole area. It provides separate Request and Response tabs, and we click on them to access each. This can come in handy in certain scenarios.

21.png

Exporting Repeater Data
Documentation is a vital part of any engagement. As we send multiple requests from Repeater, we tend to modify the request a little each time. To keep track of this outside Burp, Repeater can save the history of all requests sent. After working with multiple requests, we right-click on the request and choose the “Save entire history” option from the drop-down menu.

22.png

This opens a window asking for the location of the file to save. After browsing to the location, we name the file as we wish and give it the XML extension. The requests can also be Base64-encoded in the file; in this case we do not do so.

23.png

The history of all the requests sent can now be found at the chosen location in XML format. In the image below we can see the IP address of the target, the target’s domain, the target’s port, the protocol used, and the complete contents of the request and the response.

24.png
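An export like this is only useful for reporting if it can be read back, so the following added example parses a history file of the kind described above into one record per request. It is written for this article, not Burp's code: the element and attribute names (item, host with an ip attribute, port, protocol, request, response, and a base64 attribute on the request and response elements) are an assumption modelled on the fields the article lists, and should be checked against a real export before the parser is relied on. The XML sample is constructed in the script, with the response stored Base64-encoded to show how that option is handled.

```python
"""Read an exported request history into plain records. Element names are an
assumption based on the fields the article shows; verify against a real file.
Added example, not Burp's code. The sample XML is constructed here."""
import base64
import xml.etree.ElementTree as ET

RESPONSE_TEXT = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 "<html>test</html>")

# Constructed export: request stored as plain text, response Base64-encoded.
SAMPLE_XML = f"""<items>
  <item>
    <host ip="203.0.113.10">target.example</host>
    <port>443</port>
    <protocol>https</protocol>
    <request base64="false"><![CDATA[GET /search?q=test HTTP/1.1
Host: target.example

]]></request>
    <response base64="true">{base64.b64encode(RESPONSE_TEXT.encode()).decode()}</response>
  </item>
</items>
"""


def _text(elem):
    """Element text, Base64-decoded when the element says base64="true"."""
    if elem is None:
        return ""
    raw = elem.text or ""
    if elem.get("base64", "false").lower() == "true":
        return base64.b64decode(raw).decode("utf-8", errors="replace")
    return raw


def parse_history(xml_text):
    """Return a list of dicts: host, ip, port, protocol, method, status,
    request, response. Missing elements become empty strings / port 0."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.findall("item"):
        host = item.find("host")
        req = _text(item.find("request"))
        resp = _text(item.find("response"))
        status_line = resp.split("\r\n", 1)[0] if resp else ""
        entries.append({
            "host": (host.text or "").strip() if host is not None else "",
            "ip": host.get("ip", "") if host is not None else "",
            "port": int((item.findtext("port") or "0").strip()),
            "protocol": (item.findtext("protocol") or "").strip(),
            "method": req.split(" ", 1)[0] if req else "",
            "status": status_line.split(" ")[1] if " " in status_line else "",
            "request": req,
            "response": resp,
        })
    return entries


if __name__ == "__main__":
    for entry in parse_history(SAMPLE_XML):
        print(entry["method"], entry["protocol"], entry["host"],
              entry["port"], entry["status"])
```

Base64 is worth enabling when the traffic contains binary bodies or control characters, because a plain-text export of such content may not survive the XML round trip intact.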

Conclusion
Repeater is one of the basic tools of Burp Suite. Over the course of its development, however, many hidden features have been added to it, to the point where these features can ease the life of any pentester.
 