Getting Started with Burp - Part 4: The Repeater Tab

In my fourth post, I will spend a little time talking about the Repeater tab. Repeater is somewhat similar to the proxy tab in that it allows you fiddle with HTTP requests, but it is better because it allows you to change and repeat requests over and over again without the need to flip back and forth between the browser. I have found that I spend a great deal of time in this tab, usually after I have tested something in the Proxy tab. In my experience, Repeater is one of the most useful tabs in the Burp suite.

Let's take a look at how to use Repeater when testing our test JuiceShop site.
  1. In Burp, go to the Proxy tab and make sure that the intercept option is set to “on."

  2. With your browser running through Burp Suite, go to Fill out the form and submit it.

  3. Note the ‘comment’, ‘rating’, and ‘captcha’ parameters in the request. Don’t make any changes to the parameter values yet. Forward the request on to the server and change the intercept option to “off."

  4. In Burp, click the History sub-tab found inside the Proxy tab.

  5. Find one of the POST entries hat contains Right-click on the entry and click “Add to scope.”

  6. Click on the Filter bar that is located above the History pane. In the window that appears, choose “Show only in-scope items.” This will eliminate any other out-of-scope requests and responses from showing up in the history.

  7. Find the form POST from step 2 in the proxy history. Once found, right-click it and choose Send to Repeater.

  8. Click on the Repeater tab. You will see a “Request” and “Response” window. In the left window, you will see the request and the parameters noted in step 3. Modify the rating number to “rating” : 6. Click the Go button to submit the request.

  9. Note the Response tab. Some JSON data is returned by the server. Was the submission successful? How do you know?

  10. What else could you do with repeater? Why is this easier than working manually in the Proxy tab?


Popular posts from this blog

OWASP ZAP Tutorial - Part 2: Crawling

OWASP ZAP Tutorial - Part 1: Intercepting Traffic

OWASP ZAP Tutorial - Part 3: Scanning