infosecgirls
Appsec

Repeater


Last updated 6 years ago


Repeater is a Burp tool for manually modifying and reissuing individual HTTP requests and analyzing the application's responses.

Assumption:

  • Burp proxy has been configured correctly.

  • You are currently logged in to Security Shepherd's admin account.

Steps:

  1. Log out of Security Shepherd's admin account by clicking on the "Logout" button.

  2. On the login page of Security Shepherd application, click on the link labeled as "Security Shepherd Account".

  3. Fill in the registration form and click on the "Sign me up!" button.

  4. Log in to the newly created (non-admin) account.

  5. Click on "Insecure Direct Object References" link in the left navigation menu.

  6. In Burp, turn the intercept mode on.

  7. In Firefox, click on the "Refresh your Profile" button.

  8. Go to Burp > "Proxy" > "Intercept" tab, and right-click on the intercepted request.

  9. Select "Send to Repeater" from the context menu.

  10. Switch to "Repeater" tab in Burp.

  11. Click on the "Go" button.

  12. In the "Request" section, change the value of the "username" parameter to a random value, e.g. test, and click on the "Go" button.

  13. Observe the changes in the response.

    User: 404 - User Not Found</h2><p>User 'test' could not be found or does not exist.

  14. Change the value of "username" parameter to admin, and click on the "Go" button.

  15. Observe the changes in the response.

  16. In "Response" section, enter the keyword "admin" in the search box.

  17. Click on plus + symbol and select the checkbox labeled as "Auto-scroll to match when text changes".

  18. To see the previously triggered requests, click on the back arrow symbol.

  19. Use the forward arrow symbol to move to the request that was issued after the currently visible one.

  20. Double-click on the tab header to rename a sub-tab in Repeater.

  21. Return to Burp > "Proxy" > "Intercept" tab.

  22. Change the value of the "username" parameter to admin.

  23. Click on "Forward" button.

  24. Turn the intercept mode off by clicking on the "Intercept is on" button.

  25. In Firefox, you should see the details of the Admin user.

  26. Copy the result key by clicking on the "Copy to clipboard" icon.

  27. Paste the copied text in the result key input box, and submit the result key by clicking on the "Submit" button.
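The steps above work because the server trusts the "username" parameter sent by the client. The following is an added example (not from this page or from Security Shepherd) that models the "Refresh your Profile" endpoint in two forms: one that looks up whatever username the request names, and one that derives the target from the authenticated session so that editing the parameter in Repeater no longer changes the response. The function names, the `Session` class and the `USERS` store are assumptions.

```python
# Added example, not Security Shepherd's own code. Models why the Repeater
# test succeeds (insecure direct object reference on "username") and how
# binding the lookup to the session identity closes it.
from dataclasses import dataclass

# Constructed sample user store with placeholder values, not real data.
USERS = {
    "admin": {"email": "admin@example.invalid", "role": "admin"},
    "alice": {"email": "alice@example.invalid", "role": "user"},
}


@dataclass
class Session:
    """Identity established at login; set server-side, never from a parameter."""
    username: str


def profile_vulnerable(session: Session, params: dict) -> tuple[int, str]:
    """Looks up whichever 'username' the client sent. The object reference is
    trusted, so any logged-in user can read any other user's profile."""
    target = params.get("username", "")
    user = USERS.get(target)
    if user is None:
        return 404, f"User '{target}' could not be found or does not exist."
    return 200, f"User: {target} ({user['role']}), email: {user['email']}"


def profile_fixed(session: Session, params: dict) -> tuple[int, str]:
    """Derives the target from the session and ignores the client-supplied
    parameter. A mismatch is worth logging: it is the signature of someone
    tampering with the request, e.g. in Repeater or Intercept."""
    requested = params.get("username", session.username)
    if requested != session.username:
        print(f"audit: {session.username} requested profile of {requested!r}")
    user = USERS[session.username]
    return 200, (f"User: {session.username} ({user['role']}), "
                 f"email: {user['email']}")


if __name__ == "__main__":
    s = Session(username="alice")
    for name in ("test", "admin", "alice"):
        print("vulnerable:", profile_vulnerable(s, {"username": name}))
        print("fixed:     ", profile_fixed(s, {"username": name}))
```

With the fixed handler, repeating step 14 in Repeater yields an identical response for every value of "username", which is the behaviour a tester should expect from an endpoint that is not exposing direct object references.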

Screenshots (captions only): Logout of admin account; Create new account; Registration form; Login; Refresh your profile; Send to repeater; Switch to repeater; Click on Go; Change username; Change username to admin; Search for a keyword; Move backwards; Move forward; Rename sub-tab; Modify username in Intercept tab; Copy result key; Submit result key.