The burp suite repeater is a very useful tool in our arsenal. This allows us to edit any request in various ways and resend them to the server. You probably all know the basics of how the repeater works so i’m not going to bore you to death with details but i will be showing you some really cool tricks. I bet you didn’t know all of these.
- The request, we can manipulate it here and change any parameters we want
- The response, make sure you check it to see if there are parameters that are not in the request. They might be impactfull and if you copy them to the request, you might be able to change them
- The controls, we can send a request, cancel it if it takes to long and go back & forth in our history
- The tabs, here we can find all of the requests we have open
If we right click the request, a couple of options become available to us.
- This will change the request from a POST to a GET and visa versa
- This will change the request from a POST or GET to a PUT and from a PUT to a POST request
- If you are filing a report, you often need to enter the URL. This option will enable you to copy the entire URL in one go and paste it into your report
- If you want to mess with the request in CURL or add it to your report as a CURL call, this option will build that call for you
- This will save the entire history of the request, including the ones we have sent before, edited and sent again, to a file.
- If you edit the URL, you might want to add that specific endpoint to the site map
This context menu mostly has the same options as previously.
- In here i want to highlight that we can render a page as well to see what it looks like. This sometimes beats reading 10000 lines of HTML code
We can rename tabs by double clicking them.
Free course on XSS for everyone <3 https://www.udemy.com/course/xss-survival-guide/?couponCode=E820801EC6E03485F241 (free for 3 days after posting of article)
There is one more free coupon in here though and it is a valid for 3 uses only and for the bug bounty boot camp, can you find it? It’s hidden in the place that is never correct. Use the code on this URL in ALL CAPS: