The Burp Repeater is a very powerful tool within Burp Suite. It allows pentesters to repeat requests through Burp Proxy, modifying, manipulating, and re-running them. It is a tool that one cannot live without if they are into web app security testing with Burp Suite, so being familiar with it is important.
What is the use of Burp Repeater?
Burp Repeater essentially allows repeating the requests intercepted by Burp Suite, i.e., to edit, modify and resend them again. This is useful when a user needs to review specific HTTP requests instead of Proxy, which allowing the user to Forward or Drop requests. Thus, it is extremely useful whenever one needs to manipulate intercepted requests later to analyze them further.
Tackling with a huge number of Repeater tabs
While working with larger targets, it is not unusual to have a large number (500-600) of Repeater tabs open during an engagement. But the question is how to manage them and not get overwhelmed when one must deal with such situations. There may be hundreds of API endpoints in a large target, not all are documented, so repeater becomes a good way to keep track of them and log all test cases after intercepting them in Burp.
Many professional pentesters and bug bounty hunters often complain that opening multiple Repeater tabs becomes confusing and inefficient. There is a neat trick to deal with this, i.e., to name Repeater tabs apart from the default numbering. Just like browser tabs, repeater tabs become easier to handle once they are named because, in that way, one is kept aware of which target that Repeater tab belongs to.
Screenshot of many Burp Suite Repeater tabs; Source: @zseano on Twitter
The screenshot above might look scary for some. But that is quite normal. Often one needs to keep track of several targets or, worse, multiple engagements in the repeater. This is quite challenging to deal with, but smartly naming Repeater tabs can make the process more efficient. Also, naming repeater tabs can be a way to prioritize some requests over the rest, as often most of these end up being useless except a few interesting ones.
- Name your Repeater tabs smartly.
- Please do not end up naming every tab but try to prioritize and sensibly name them.
- Use keyboard shortcuts to speed things up wherever possible (as described in the next section of the post).
For example, one can structure the name based on the target company (ACME), API (Admin API), and part of the API they are testing - ACME - Admin API / Add User.
Just double-click on the Repeater tab number, and edit it right away to name that tab.
Using Keyboard Shortcuts in Repeater
Reducing mouse interaction is the goal to speed things up. This can be done by using hotkeys. For example, it is often required to quickly copy an Intercepted request from Proxy to Repeater and shift between the Proxy to Repeater. Instead of clicking back and forth, one can use the hotkey - Ctrl + shift + R to move to the repeater tab effortlessly. Similarly, there are a bunch of shortcuts to do various actions in repeater like:
Copying Requests effortlessly between Proxy and Repeater tabs
Use case: Quickly copy a request from Burp Proxy to Repeater and move to the Repeater tabs with just two hotkeys.
How to: By using Ctrl + R, the intercepted request can be copied from the Proxy tab, and then one can move to the Repeater tab using Ctrl + shift + R, which allows rapid movement between these tabs without mouse interaction. Ctrl + R can be considered a general send to repeater shortcut, which one may use in various parts of Burp Suite, like in the HTTP History section of the Proxy.
Switching between Repeater tabs
Problem: For those with hundreds of repeater tabs open at any given time, switching between tabs with mouse clicks is a hassle, and often, one ends up clicking on wrong tabs, or, worse, clicking on the ‘X’ icon and mistakenly closing tabs. As the UI becomes too cluttered, it is hard to manage the repeater tabs. Hotkeys in Burp, however, make it easy to switch between tabs without the need for clicks.
Solution: Use Ctrl + ‘+’ and Ctrl + ‘-’ to move back and forth between the Repeater tabs. It becomes handy once a user is familiar with it; even with 200 tabs, a user can navigate around with less effort than a few mouse clicks.
More Handy Shortcuts in Repeater
Often, one may need to quickly use a URL encoder/decoder for encoding/decoding certain parts of the request in the repeater. This can be done by using the global hotkeys:
URL encoding data in the Intercepted request - Ctrl + U Decoding URL-encoded data in the Intercepted request - Ctrl + Shift + U
While Burp Repeater is a great tool to use, there are many other things one needs to know about while using Burp Suite. If anyone is interested in diving deeper into cybersecurity, sign up for some online courses.