Burp Suite is an incredibly powerful security tool, and part of what makes it that powerful is its relative simplicity. Its more powerful tools such as the Spider or Intruder are quite intuitive, and it’s filled with a load of smaller, simple tools that make a security analyst’s job much easier. These tools may be a little bit limited or one-sided in their design, but that just makes them better for the job they’re doing. Scissors are no use for cutting trees, but we don’t use them for that anyway. One of these tools is the Repeater.
The Repeater lets you manually edit the requests you send to the web application you’re testing and resend them, without waiting for pages to load through a browser. Say you have a login page that you’re testing for vulnerabilities. The Repeater will let you quickly make changes to the request for that page, which is important if you know what you’re doing and what results you’re expecting.
To use the Repeater, get Burp up and running, turn Intercept to ON, and go to the web page you want to test. Let’s assume it is a login page: simply enter any username and password values. We are expecting you to get these wrong. The point is for Burp to capture what the request you’re sending out looks like. Before we move on, please make sure that you’re working either with a local version of a website that won’t affect the real thing or with the explicit consent of the site owners; otherwise, all of this is illegal. Then find the request you want in the Target tab, under the Site Map subtab, right-click it, and press ‘Send to Repeater’.
Now go to the Repeater tab and you should see two panes, one called Request and the other called Response. Request is what you’re editing, and Response is what the website sends back to you. From here you can change anything you want about the request in any form, from the raw data to hexadecimal values. Just press Go and you’ll see how the website reacts. With premium, you can even render what the response looks like. Notice that in your browser, the website hasn’t changed. From here it’s up to you and your prior HTML knowledge to start picking at the site.
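What an edit in the Request pane amounts to at the byte level, as an added example that is not part of the original article or of Burp itself: changing a form field in a raw login request means re-encoding the value and keeping Content-Length in step with the new body. The host, path, field names and the `edit_form_field` helper are assumed, constructed sample values, and nothing here touches the network.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample: a login POST as it might appear in the Request pane.
# Host, path and field names are assumptions, not taken from the article.
CAPTURED = (
    "POST /login HTTP/1.1\r\n"
    "Host: test.local\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "username=alice&password=wrong"
)


def edit_form_field(raw, field, value):
    """Return the raw request with one form field changed and Content-Length fixed."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    request_line, *headers = head.split("\r\n")

    # Decode the urlencoded body, swap the one field, and re-encode it so
    # characters such as '&' or spaces in the new value cannot split the field.
    pairs = parse_qsl(body, keep_blank_values=True)
    if field not in dict(pairs):
        raise KeyError(field)
    new_body = urlencode([(k, value if k == field else v) for k, v in pairs])

    # A stale Content-Length makes the server truncate or wait on the body.
    length = str(len(new_body.encode("utf-8")))
    out, seen = [], False
    for header in headers:
        name = header.partition(":")[0].strip().lower()
        if name == "content-length":
            out.append("Content-Length: " + length)
            seen = True
        else:
            out.append(header)
    if not seen:
        out.append("Content-Length: " + length)
    return "\r\n".join([request_line] + out) + "\r\n\r\n" + new_body


if __name__ == "__main__":
    print(edit_form_field(CAPTURED, "password", "a b&c"))
```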