[THM] Burp Suite: Repeater

박소정 · June 30, 2022

Burp Suite: Repeater
https://tryhackme.com/room/burpsuiterepeater

Task 2 What is Repeater?

Burp Suite Repeater allows us to craft and/or relay intercepted requests to a target at will. In layman's terms, it means we can take a request captured in the Proxy, edit it, and send the same request repeatedly as many times as we wish. We could also craft requests by hand, much as we would from the CLI, using a tool such as cURL to build and send them.

The Repeater interface can be split into six main sections:

  1. List of Repeater requests: each time we send a new request to Repeater, it will appear up here.
  2. Controls for the current request: allow us to send a request, cancel a hanging request, and go forwards/backwards in the request history.
  3. Request and response view: edit the request in the Request view, then press Send. The response will show up in the Response view.
  4. Set of options: change the layout for the request and response views. By default, this is usually side-by-side.
  5. Inspector: breaks requests apart to analyze and edit them in a slightly more intuitive way than with the raw editor.
  6. Target: the IP address or domain to which we are sending requests. When we send a request to Repeater from other parts of Burp Suite, this will be filled in automatically.

Task 3 Basic Usage

With a request captured in the Proxy, we can send it to Repeater by right-clicking on the request and choosing "Send to Repeater".

We do not yet have a response. Click the “Send” button.

If we want to change anything about the request, we can simply type in the Request window and press “Send”. For example, changing the “Connection” header to open rather than close results in a response “Connection” header with a value of keep-alive:

We could also use the history buttons to the right of the Send button to go forwards and backwards in our modification history.


Task 4 Views

Repeater offers us various ways to present the responses to our requests. We can see the available options by looking above the response box.

  1. Pretty: the default option. It takes the raw response and attempts to beautify it slightly, making it easier to read.
  2. Raw: the pure, unmodified response.
  3. Hex: takes the raw response and gives us a byte view of it; especially useful if the response is a binary file.
  4. Render: renders the page as it would appear in your browser.

In most instances, the "Pretty" option is perfectly adequate.

Task 5 Inspector

In many ways, Inspector is entirely supplementary to the request and response fields of the Repeater window. Inspector can be used in the Proxy as well as Repeater. In both cases, it gives us a list of the components in the request and response.

  • Request Attributes: edit the parts of the request that deal with location, method and protocol, e.g. changing the resource we are looking to retrieve, altering the request from GET to another HTTP method, or switching the protocol from HTTP/1 to HTTP/2.
  • Query Parameters: refer to data being sent to the server in the URL. In https://admin.tryhackme.com/?redirect=false, there is a query parameter called "redirect" with a value of "false".
  • Body Parameters: do the same thing as Query Parameters, but for POST requests.
  • Request Cookies: a modifiable list of the cookies which are being sent with each request.
  • Request Headers: allow us to view, access, and modify any of the headers being sent with our requests. Editing these can be very useful when attempting to see how a webserver will respond to unexpected headers.
  • Response Headers: show us the headers that the server sent back in response to our request. This section will only show up after we have sent the request and received a response.
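To make the Inspector's breakdown concrete, here is an added example (my own code, not Burp's or the room's) that splits a raw HTTP/1.1 request into the same components the Inspector lists: request attributes (method, path, protocol), query parameters, body parameters, cookies and headers. The captured request is constructed for the example and only reuses the room's `redirect=false` query parameter; the host, cookie names and form fields are made up.

```python
"""Inspector-style breakdown of a raw HTTP request (added example, not Burp code)."""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request: host/cookies/form fields are invented for this example.
SAMPLE_REQUEST = (
    "POST /login?redirect=false&page=2 HTTP/1.1\r\n"
    "Host: admin.tryhackme.com\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: close\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)


@dataclass
class InspectedRequest:
    """One entry per Inspector panel: attributes, query, body, cookies, headers."""
    method: str
    path: str
    protocol: str
    query_params: dict
    body_params: dict
    cookies: dict
    headers: dict


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def inspect_request(raw: str) -> InspectedRequest:
    """Split a raw request into the components Burp's Inspector would show."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")

    # Request Attributes: method, target and protocol come from the request line.
    method, target, protocol = lines[0].split(" ", 2)

    # Request Headers: everything after the request line up to the blank line.
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()

    # Query Parameters: the part of the target after '?'.
    parts = urlsplit(target)
    query_params = dict(parse_qsl(parts.query, keep_blank_values=True))

    # Request Cookies: the Cookie header, split into name/value pairs.
    cookies = {}
    cookie_header = _header(headers, "Cookie")
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        cookies = {name: morsel.value for name, morsel in jar.items()}

    # Body Parameters: only meaningful for form-encoded bodies (typically POST).
    body_params = {}
    if _header(headers, "Content-Type").startswith("application/x-www-form-urlencoded"):
        body_params = dict(parse_qsl(body, keep_blank_values=True))

    return InspectedRequest(method, parts.path, protocol, query_params,
                            body_params, cookies, headers)


if __name__ == "__main__":
    print(inspect_request(SAMPLE_REQUEST))
```

Running it prints the dataclass with `query_params={'redirect': 'false', 'page': '2'}` and the form fields under `body_params`, which is exactly the split the Inspector makes before you edit a value and let it rewrite the raw request for you.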

Task 6 Example

Repeater is best suited for the kind of task where we need to send the same request numerous times, usually with small changes in between requests.

Click the + button, add a header called FlagAuthorised and set it to have a value of True.

I can see the flag.


Task 7 Challenge

Change the number at the end of the request to a value below 0.
I find the flag.
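The workflow in Tasks 3, 6 and 7 is always the same: take one captured request, make a small edit (a header here, the trailing number there) and press Send again. The following added example, which is not the room's or Burp's code, reproduces that loop against a tiny local target so it runs offline. The target, its `/flag` and `/about/<id>` paths, the header name and the flag value are all constructed for the example; the server's behaviour (a flag gated on the `FlagAuthorised: True` header, and a verbose error on a negative id) mirrors what the two tasks describe, and the verbose error is the defect a defender would want removed.

```python
"""Resend one request with small edits against a local target (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

FLAG = "THM{constructed-example-flag}"  # placeholder, not the room's real flag


class TargetHandler(BaseHTTPRequestHandler):
    """Constructed target that behaves like the room's two Repeater exercises."""

    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_GET(self):
        if self.path == "/flag":
            # Task 6 behaviour: the flag is only served when the extra header is present.
            if self.headers.get("FlagAuthorised") == "True":
                self._reply(200, FLAG)
            else:
                self._reply(403, "Forbidden")
        elif self.path.startswith("/about/"):
            # Task 7 behaviour: a negative id trips an unhandled error. Leaking the
            # flag in that error is the bug; a real app should return a generic 500.
            try:
                item_id = int(self.path[len("/about/"):])
            except ValueError:
                self._reply(400, "bad id")
                return
            if item_id < 0:
                self._reply(500, "Internal error: " + FLAG)
            else:
                self._reply(200, f"item {item_id}")
        else:
            self._reply(404, "not found")

    def _reply(self, status, text):
        body = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_target():
    """Bind to a free loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send(port, path, headers=None):
    """One press of 'Send': fresh connection, one request, (status, headers, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, dict(resp.getheaders()), body


def repeat_with_header(port):
    """Task 6: same request before and after adding FlagAuthorised: True."""
    without = send(port, "/flag")
    with_header = send(port, "/flag", {"FlagAuthorised": "True"})
    return without[0], with_header[0], with_header[2]


def probe_ids(port, ids):
    """Task 7: resend the same request while only the trailing number changes."""
    return {i: send(port, f"/about/{i}")[0] for i in ids}


def run_demo():
    """Start the target, run both exercises, shut it down; returns the results."""
    server = start_target()
    port = server.server_address[1]
    try:
        return repeat_with_header(port), probe_ids(port, [1, 0, -1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    header_result, id_results = run_demo()
    print("without/with header:", header_result)
    print("status per id:", id_results)
```

Each `send` call opens a new connection, just as Repeater does for every Send, so the edits are isolated and the history of statuses (403 then 200; 200, 200, then 500) maps one-to-one onto what you would click through in the Burp window.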


Task 8 SQLi with Repeater
