Repeater

Repeater is a Burp Suite tool for manually modifying and reissuing individual HTTP requests and analyzing the application's responses. It is the natural place to test whether changing a single parameter, such as a username, lets you read another user's data.

Assumptions:

  • Burp Proxy has been configured correctly and Firefox is sending its traffic through it.

  • You are currently logged in to Security Shepherd's admin account.

Steps:

  1. Log out of Security Shepherd's admin account by clicking on the "Logout" button.

  2. On the login page of the Security Shepherd application, click on the link labeled "Security Shepherd Account".

  3. Fill in the registration form and click on the "Sign me up!" button.

  4. Log in to the newly created (non-admin) account.

  5. Click on "Insecure Direct Object References" link in the left navigation menu.

  6. In Burp, turn the intercept mode on.

  7. In Firefox, click on the "Refresh your Profile" button.

  8. Go to Burp > "Proxy" > "Intercept" tab, and right-click on the intercepted request.

  9. Select "Send to Repeater" from the context menu.

  10. Switch to "Repeater" tab in Burp.

  11. Click on the "Go" button.

  12. In the "Request" section, change the value of the "username" parameter to a value that does not exist, e.g. "test", and click on the "Go" button.

  13. Observe the changes in the response. The response body reports that the user does not exist:

    User: 404 - User Not Found</h2><p>User 'test' could not be found or does not exist.

  14. Change the value of "username" parameter to admin, and click on the "Go" button.

  15. Observe the changes in the response. The application now returns the admin user's profile details even though the request carries the session of your non-admin account. The server trusts the client-supplied "username" value instead of the authenticated session, which is the insecure direct object reference.

  16. In the "Response" section, enter the keyword "admin" in the search box.

  17. Click on the plus (+) symbol next to the search box and select the checkbox labeled "Auto-scroll to match when text changes".

  18. To see previously issued requests, click on the back arrow (<) symbol.

  19. Use the forward arrow (>) symbol to move to the request that was issued after the one currently displayed.

  20. Double-click on the tab header to rename a sub-tab in Repeater.

  21. Return to Burp > "Proxy" > "Intercept" tab.

  22. In the request that is still held there from step 7, change the value of the "username" parameter to admin.

  23. Click on "Forward" button.

  24. Turn the intercept mode off by clicking on the "Intercept is on" button.

  25. In Firefox, you should see the details of the Admin user.

  26. Copy the result key by clicking on the "Copy to clipboard" icon.

  27. Paste the copied text in the result key input box, and submit the result key by clicking on the "Submit" button.
