Repeater

This is a tool for manually manipulating and reissuing individual HTTP requests, and analyzing the application's responses.

Assumption:

  • Burp proxy has been configured correctly.

  • You are currently logged in to Security Shepherd's admin account.

Steps:

  1. Log out of Security Shepherd's admin account by clicking on the "Logout" button.

    Logout of admin account

  2. On the login page of Security Shepherd application, click on the link labeled as "Security Shepherd Account".

    Create new account

  3. Fill-in the registration form and click on "Sign me up!" button.

    Registration form

  4. Login to the newly created (non-admin) account.

    Login

  5. Click on "Insecure Direct Object References" link in the left navigation menu.

  6. In Burp, turn the intercept mode on.

  7. In Firefox, click on the "Refresh your Profile" button.

    Refresh your profile Refresh your profile

  8. Go to Burp > "Proxy" > "Intercept" tab, and right-click on the intercepted request.

  9. Select "Send to Repeater" from the context menu.

    Send to repeater

  10. Switch to "Repeater" tab in Burp.

    Switch to repeater

  11. Click on the "Go" button.

    Click on Go

  12. In the "Request" section, change the value of the "username" parameter to a random value, e.g. test, and click on the "Go" button.

    Change username

  13. Observe the changes in the response.

    User: 404 - User Not Found</h2><p>User 'test' could not be found or does not exist.

  14. Change the value of "username" parameter to admin, and click on the "Go" button.

    Change username to admin

  15. Observe the changes in the response.

  16. In "Response" section, enter the keyword "admin" in the search box.

  17. Click on plus + symbol and select the checkbox labeled as "Auto-scroll to match when text changes".

    Search for a keyword

  18. To see the previously triggered requests, click on the back arrow symbol.

    Move backwards

  19. Use the forward arrow symbol to move to the request that was triggered next, after the currently visible request.

    Move forward

  20. Double-click on the tab header to rename a sub-tab in Repeater.

    Rename sub-tab Rename sub-tab

  21. Return to Burp > "Proxy" > "Intercept" tab.

  22. Change the value of the "username" parameter to admin.

    Modify username in Intercept tab

  23. Click on "Forward" button.

  24. Turn the intercept mode off by clicking on the "Intercept is on" button.

  25. In Firefox, you should see the details of the Admin user.

  26. Copy the result key by clicking on the "Copy to clipboard" icon.

    Copy result key

  27. Paste the copied text in the result key input box, and submit the result key by clicking on the "Submit" button.

    Submit result key

PreviousIntruderNextSequencer

Last updated

Was this helpful?