Payload Analysis with Burp Repeater: Manual Testing Like a Professional

Mar 30, 2025 - 13:49

While automated scanners are fast, Burp Repeater remains the weapon of choice for fine-grained analysis.

It lets you inspect, craft, and reissue requests in isolation — ideal for identifying edge-case vulnerabilities.

This article focuses on how to effectively use Repeater for manual payload analysis during a web penetration test.

1. What is Repeater?

Burp Repeater is a tool that lets you manually modify and resend HTTP requests to a target server.

Each request/response pair is preserved, enabling precise observation of changes in behavior.

Perfect for:

  • Parameter tampering
  • Authentication bypass testing
  • Input validation exploration
  • Confirming false positives from scanners

2. Sending Requests to Repeater

Use the Burp proxy or sitemap → right-click → "Send to Repeater"

Alternatively, use the keyboard shortcut: Ctrl+R (Windows/Linux) or Cmd+R (macOS)

Each tab in Repeater is independent, with its own history and diffs.

3. Constructing & Testing Payloads

Consider a GET request with a q parameter:

GET /search?q=test HTTP/1.1
Host: app.example.com

Now try:

  • SQLi: q=' OR '1'='1
  • XSS: q=<script>alert(1)</script>
  • LFI: q=../../../../etc/passwd

Observe the differences in:

  • HTTP status code
  • Response body structure
  • Error messages
  • Response time (for time-based payloads)

4. Binary and Encoded Payloads

Use Repeater + Decoder together:

  • Base64 / URL-encoded payloads
  • JSON body manipulation
  • JWT tampering

Example (JWT):

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6...

Manually modify the alg header to none, or brute-force the signing secret, and check whether the server still accepts the token.
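The decode/tamper/verify cycle behind that JWT check, as an added example that is not part of the original article and not Burp's own code: it decodes the header and payload the way Decoder displays them, builds the alg-none variant a tester would paste into Repeater, and shows the server-side verifier that such a token must fail against, one that pins the algorithm instead of trusting the token's own alg field. The secret and claims are constructed demo values.

```python
# Added example (not from the original article): decode a JWT as Decoder would,
# construct the alg-none variant, and verify with a pinned algorithm so that
# the tampered token is rejected. Secret and claims are constructed demo values.
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

DEMO_SECRET = b"constructed-demo-secret"  # constructed; real keys come from config


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment without padding, as JWT segments are encoded."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str) -> Tuple[Dict, Dict, str]:
    """Split a token into decoded header, decoded payload and raw signature segment."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64)), sig_b64


def make_hs256_jwt(payload: Dict, secret: bytes) -> str:
    """Issue a legitimately signed HS256 token (the baseline a tester starts from)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def strip_signature_with_alg_none(token: str) -> str:
    """Build the alg-none variant described in the article: header changed to
    alg "none", signature segment emptied, payload untouched."""
    _, payload_b64, _ = token.split(".")
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{none_header}.{payload_b64}."


def verify_jwt(token: str, secret: bytes) -> Optional[Dict]:
    """Pinned-algorithm verifier: only HS256 with a valid HMAC is accepted.
    The alg field in the token is compared against the expected value, never
    used to select the algorithm, so alg "none" is rejected before any
    signature handling. Returns the payload on success, None on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    good = make_hs256_jwt({"sub": "alice", "role": "user"}, DEMO_SECRET)
    print("decoded header/payload:", decode_jwt(good)[:2])
    tampered = strip_signature_with_alg_none(good)
    print("verify(good)     ->", verify_jwt(good, DEMO_SECRET))
    print("verify(alg none) ->", verify_jwt(tampered, DEMO_SECRET))
```

If a target accepts the alg-none token, the finding is a verifier that reads the algorithm from the untrusted header; the fix is exactly what verify_jwt does, a hard-coded expected algorithm plus a constant-time signature comparison.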

5. Comparing Responses

Use the "Compare" function to visually diff response pairs:

  • Highlight differences in HTML output
  • Identify subtle changes in headers (e.g. Set-Cookie, Location, Content-Length)

Useful for bypass attempts, privilege escalation detection, and race condition exploration.
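The signals sections 3 and 5 tell you to watch (status code, body structure, error messages, timing, and the Set-Cookie / Location / Content-Length headers) can be checked mechanically. This added example, not from the original article and not Burp's Compare feature, parses a baseline response and a payload response and reports each difference; the two responses and their elapsed times are constructed samples, and the 3-second timing threshold is an assumption.

```python
# Added example (not from the original article): compare a baseline response
# against the response to a modified request and report the signals the
# article lists. Both responses and the timings are constructed samples.
import difflib
from typing import Dict, List, Tuple

BASELINE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 60\r\n"
    "Set-Cookie: session=abc123; HttpOnly\r\n"
    "\r\n"
    "<html><body><h1>Results for test</h1><ul></ul></body></html>"
)

PAYLOAD_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 106\r\n"
    "\r\n"
    "<html><body><h1>Error</h1><pre>You have an error in your SQL syntax "
    "near ''' at line 1</pre></body></html>"
)

BASELINE_ELAPSED = 0.12  # seconds, constructed
PAYLOAD_ELAPSED = 5.3    # seconds, constructed (e.g. a sleep-based payload)

# Substrings that indicate an application or database error leaked to the client.
ERROR_MARKERS = ("sql syntax", "stack trace", "exception", "warning:", "odbc", "ora-")

# Headers the article singles out as carrying subtle but important changes.
WATCHED_HEADERS = ("set-cookie", "location", "content-length")


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into status code, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def compare_responses(base_raw: str, test_raw: str, base_t: float, test_t: float,
                      time_delta: float = 3.0) -> Dict[str, object]:
    """Report status, header, body, error-message and timing differences."""
    base_status, base_hdr, base_body = parse_response(base_raw)
    test_status, test_hdr, test_body = parse_response(test_raw)

    headers_changed = {
        name: (base_hdr.get(name), test_hdr.get(name))
        for name in WATCHED_HEADERS
        if base_hdr.get(name) != test_hdr.get(name)
    }
    # Only the changed lines of a zero-context unified diff of the bodies.
    body_diff: List[str] = [
        line for line in difflib.unified_diff(
            base_body.splitlines(), test_body.splitlines(), lineterm="", n=0)
        if line[:1] in "+-" and not line.startswith(("+++", "---"))
    ]
    lowered = test_body.lower()
    return {
        "status_changed": base_status != test_status,
        "status": (base_status, test_status),
        "headers_changed": headers_changed,
        "body_diff": body_diff,
        "error_markers": [m for m in ERROR_MARKERS if m in lowered],
        # A large delay relative to the baseline is the signal for time-based payloads.
        "timing_anomaly": (test_t - base_t) >= time_delta,
    }


if __name__ == "__main__":
    report = compare_responses(BASELINE_RESPONSE, PAYLOAD_RESPONSE,
                               BASELINE_ELAPSED, PAYLOAD_ELAPSED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run the baseline request first and keep its response as the reference; every subsequent payload is compared against that reference, not against the previous payload, otherwise a change introduced by one test masks the next.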

6. Advanced Repeater Use Cases

  • Bypass WAFs with encoding obfuscation
  • Custom header injection (X-Original-URL, X-Forwarded-For)
  • CSRF token replay with static/dynamic values
  • State manipulation using intercepted cookies

Combine with Burp’s Cookie Jar and Session Handling Rules for persistence across attempts.

Final Notes

Burp Repeater is not just a testing tool — it’s an observation instrument.

Mastering it trains your eye to spot what scanners miss: logic flaws, business logic bugs, subtle misconfigurations.

Coming up:

  • Burp Intruder for fuzzing inputs at scale
  • Practical bypass techniques for input filters
  • Building custom payload libraries for targeted testing

Precision matters. Test with intent. Interpret with clarity.