Reissuing requests with Burp Repeater – The Daily Swig

In this tutorial, you’ll use Burp Repeater to reissue an interesting request over and over again. This lets you study the target website’s response to different input without having to intercept the request each time. This makes it much simpler to probe for vulnerabilities, or confirm ones that were identified by Burp Scanner, for example.

Web Security Academy

To follow along, you’ll need an account on portswigger.net. If you don’t have one already, registration is free and it grants you full access to the Web Security Academy.

If you haven’t completed our previous tutorial on getting started with Burp Proxy, we recommend doing so before continuing.

Sending a request to Burp Repeater

The most common way of using Burp Repeater is to send it a request from another of Burp’s tools. In this example, we’ll send a request from the HTTP history in Burp Proxy.

Step 1: Launch the embedded browser

In Burp, go to the Proxy > Intercept tab and make sure interception is switched off. Use the embedded browser to access the following URL, logging in if prompted:

https://portswigger.net/users?returnurl=/web-security/information-disclosure/exploiting/lab-infoleak-in-error-messages

When the page loads, click Access the lab to launch your own instance of a fake shopping website. This may take a few seconds to load.

Step 2: Browse the target site

In the browser, explore the site by clicking on a couple of the product pages. Notice that there aren’t any additional functions to audit, just a series of similar product pages.

Step 3: Study the HTTP history

In Burp, go to the Proxy > HTTP history tab. To make this easier to read, keep clicking the header of the leftmost column (#) until the requests are sorted in descending order. This way, you can see the most recent requests at the top.

Sorting the HTTP history

Step 4: Identify an interesting request

Notice that each time you access a product page, the browser sends a GET /product request with a productId query parameter.

Identifying an interesting request

Let’s use Burp Repeater to look at this behavior more closely.

Step 5: Send the request to Burp Repeater

Right-click on any of the GET /product?productId=[...] requests and select Send to Repeater.

Sending a request to Burp Repeater

Go to the Repeater tab to see that your request is waiting for you in its own numbered tab.

Step 6: Issue the request and view the response

Click Send to issue the request and see the response from the server. You can resend this request as many times as you like and the response will be updated each time.

Reissuing a request in Burp Repeater


Testing different input with Burp Repeater

By resending the same request with different input each time, you can identify and confirm a variety of input-based vulnerabilities. This is one of the most common tasks you will perform during manual testing with Burp Suite.

Step 1: Reissue the request with different input

Change the number in the productId parameter and resend the request. Try this with a few arbitrary numbers, including a couple of larger ones.

Experimenting with different input

Step 2: View the request history

Use the arrows to step back and forth through the history of requests that you’ve sent, along with their matching responses. The drop-down menu next to each arrow also lets you jump to a specific request in the history.

Stepping through the request history in Burp Repeater

This is useful for returning to previous requests that you’ve sent in order to investigate a particular input further.

Compare the content of the responses. Notice that you can successfully request different product pages by entering their ID, but you receive a Not Found response if the server is unable to find a product with the given ID. Now that we know how this page is supposed to work, we can use Burp Repeater to see how it responds to unexpected input.

Step 3: Try sending unexpected input

The server seemingly expects to receive an integer value via this productId parameter. Let’s see what happens if we send a different data type.

Send another request where the productId is a string of characters.

Submitting unexpected input

Step 4: Study the response

Observe that sending a non-integer productId has caused an exception. The server has sent a verbose error response containing a stack trace.

Studying the error message in the response

Notice that the response tells you that the website is using the Apache Struts framework – it even reveals which version.

Discovering the leaked framework version

In a real scenario, this kind of information could be useful to an attacker, especially if the named version is known to contain additional vulnerabilities.
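The two behaviours the tutorial walks through (a Not Found for an unknown ID, a verbose stack trace for a non-integer one) can be modelled offline. The following is an added example, not PortSwigger's code or the lab's implementation: it builds a small product handler in the vulnerable style, the hardened form beside it, a reissue loop that plays the role of Repeater's Send button with a different productId each time, and a check that flags stack traces and framework version strings in the response body. The product catalogue, the handler logic and the "Apache Struts 2 2.3.31" banner are all constructed here (the version value is the one the lab reports, the surrounding text is not the lab's).

```python
"""Model of the productId handling seen in the lab, with a disclosure check.

Added example (not PortSwigger's code). Catalogue, handlers and the
framework banner are constructed to mirror the behaviour described in
the tutorial, not copied from the lab.
"""
import re
import traceback

# Constructed product catalogue standing in for the lab's product pages.
PRODUCTS = {1: "Eggplant", 2: "Giant pillow thing", 3: "Hitch a lift"}

# Constructed banner modelled on the version string the lab leaks.
STRUTS_BANNER = "Apache Struts 2 2.3.31"

# Stand-in for a server-side logger (hardened handler writes here only).
_server_log = []


class ProductNotFound(Exception):
    """Raised when no product has the requested id."""


def lookup(product_id_raw):
    """Look a product up by the raw query-string value.

    int() raises ValueError for a non-integer, which is exactly the
    failure the tutorial triggers by sending a string as productId."""
    product_id = int(product_id_raw)
    if product_id not in PRODUCTS:
        raise ProductNotFound(product_id)
    return PRODUCTS[product_id]


def handle_verbose(query):
    """Vulnerable handler: any unexpected exception falls through to a
    debug-style error page that echoes the stack trace and the banner."""
    try:
        return 200, "<h1>%s</h1>" % lookup(query.get("productId", ""))
    except ProductNotFound:
        return 404, "Not Found"
    except Exception:
        body = "Internal Server Error\n" + traceback.format_exc() + STRUTS_BANNER
        return 500, body


def handle_hardened(query):
    """Fixed handler: validate the parameter before use and never send
    exception details to the client; log them server-side instead."""
    raw = query.get("productId", "")
    if not re.fullmatch(r"\d{1,9}", raw):      # integer only, bounded length
        return 400, "Bad Request"
    try:
        return 200, "<h1>%s</h1>" % lookup(raw)
    except ProductNotFound:
        return 404, "Not Found"
    except Exception:
        _server_log.append(traceback.format_exc())
        return 500, "Internal Server Error"


# Heuristic markers for a stack trace and a framework version banner.
TRACE_MARKERS = ("Traceback (most recent call last)", "\tat org.", "Exception")
VERSION_RE = re.compile(r"Apache Struts \d[\d .]*\d")


def find_disclosures(body):
    """Return a list of information-disclosure findings for one response body."""
    findings = []
    if any(marker in body for marker in TRACE_MARKERS):
        findings.append("stack trace in response body")
    match = VERSION_RE.search(body)
    if match:
        findings.append("framework version: " + match.group(0))
    return findings


def reissue(handler, inputs):
    """Send the same request with a different productId each time, as
    Repeater's Send button does, recording status and any disclosures."""
    results = []
    for value in inputs:
        status, body = handler({"productId": value})
        results.append((value, status, find_disclosures(body)))
    return results


if __name__ == "__main__":
    # Same sequence the tutorial uses: valid id, large id, then a string.
    probes = ["1", "999999", "example"]
    for name, handler in (("verbose", handle_verbose), ("hardened", handle_hardened)):
        print(name)
        for value, status, findings in reissue(handler, probes):
            print("  productId=%-8s -> %d %s" % (value, status, findings or ""))
```

Run it as a script to see the side-by-side result: the verbose handler answers 200, 404 and then a 500 whose body is flagged for both a stack trace and the version string, while the hardened handler answers 200, 404 and a plain 400 with nothing to flag. The validation regex in the hardened handler is deliberately narrower than "anything int() accepts", so very large or signed values are rejected before they reach the lookup.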

Go back to the lab in your browser and click the Submit solution button. Enter the Apache Struts version number that you discovered in the response (2 2.3.31).

Submitting the solution

Congratulations, that’s another lab under your belt! You’ve used Burp Repeater to audit part of a website and successfully discovered an information disclosure vulnerability.



Source of this news: https://portswigger.net/burp/documentation/desktop/getting-started/reissuing-http-requests
