This post covers the other components of Burp Suite: Repeater, Sequencer, Encoder/Decoder and Comparer. It also touches on Burp Suite extensions, with practical examples drawn from the TryHackMe rooms BurpSuite: The Repeater and BurpSuite: Other Modules.

Burp Suite Repeater: Manipulating and Resending Requests

The Repeater module is incredibly useful because it allows me to manipulate and resend HTTP requests multiple times while observing the corresponding responses. This is crucial for testing web application vulnerabilities.

  • Interface: The interface has a left pane for the HTTP request (where I can modify it) and a right pane to show the server’s response. The “Inspector” provides an intuitive way to modify request parameters, headers, and other attributes without having to manually type them out. I can view responses in “Pretty,” “Raw,” “Hex,” or “Render” (to see how it would look in a browser).
  • Usage: I can send requests to Repeater from other modules like Proxy or Intruder. I can manually edit the request in the raw view or use the Inspector. It’s particularly useful for testing vulnerabilities like SQL injection and local file inclusion by modifying parameters and observing how the server reacts.
  • Examples:
    • I learned to add a custom header (e.g., Flag-Authorized: true) to try and get a flag from the server.
    • I demonstrated triggering a 500 Internal Server Error by sending unexpected input, such as a negative product ID like -1.
    • I also performed an SQL injection by manipulating URL parameters to extract data from a database. This involved discovering column names and then specific data like “notes.” A conceptual SQL injection payload I might use could look like: OR 1=1-- or UNION SELECT null,column_name FROM information_schema.columns--.

Burp Suite Decoder: Transforming Data

The Decoder module is used for transforming data between various formats (e.g., Base64, URL encoding, Hex, ASCII) and for generating hashes.

  • Interface: It has an input pane for the data to be transformed and options to “Encode,” “Decode,” or “Hash.” The “Smart Decode” feature attempts to automatically identify and decode the input format, which is a great time-saver.
  • Examples:
    • I practiced Base64 encoding and decoding.
    • I also performed URL decoding.
    • A cool feature was performing stacked transformations (e.g., Base64 encode, then convert to ASCII Hex, then encode as Octal).
    • I also generated SHA256 and MD4 hashes.
    • In a practical scenario, I found a specific SSH key out of four by comparing their MD5 hashes to a known hash.
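As an added example (not code from the room or from Burp Suite), the stacked Decoder transformation above in Python. The octal step is an assumption derived from the room's expected answer rather than from Burp's source: each run of decimal digits in the hex string is read as one decimal number and written in octal, while the hex letters a-f pass through unchanged; a conventional byte-wise octal encoding is included for contrast because it gives a different string.

```python
import base64
import re

# Added example, not code from the TryHackMe room or from Burp Suite.
# Reproduces the Decoder chain from the room: base64 -> ASCII hex -> octal.

def base64_encode(text: str) -> str:
    """Decoder 'Encode as Base64' applied to UTF-8 text."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def to_ascii_hex(text: str) -> str:
    """Decoder 'Encode as ASCII hex': two lowercase hex digits per byte."""
    return text.encode("utf-8").hex()

def bytewise_octal(text: str) -> str:
    """Conventional octal encoding: each byte as a three-digit octal value.
    Kept for contrast; it does NOT produce the room's expected answer."""
    return "".join(f"{b:03o}" for b in text.encode("utf-8"))

def burp_style_octal(text: str) -> str:
    """Octal step as implied by the room's expected answer (an assumption
    derived from that answer, not from Burp's source): every maximal run of
    decimal digits is read as one decimal integer and rewritten in octal;
    any other character (the hex letters a-f) is copied through unchanged."""
    return re.sub(r"\d+", lambda m: format(int(m.group()), "o"), text)

def stacked_encode(phrase: str) -> str:
    """The full chain the room asks for: base64 -> ASCII hex -> octal."""
    return burp_style_octal(to_ascii_hex(base64_encode(phrase)))

if __name__ == "__main__":
    print(stacked_encode("Encoding Challenge"))
```

The same helpers also reproduce the simpler base64 answer from the room, which is the first sanity check before trusting the odd-looking octal output.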

Burp Suite Comparer: Spotting Differences

The Comparer module is used to perform a visual “diff” between two pieces of data, typically HTTP requests or responses, to highlight differences.

  • Interface: It has two panes to load the data items I want to compare and options to compare by “words” or “bytes.” Differences are clearly color-coded (e.g., orange for modified, yellow for added).
  • Example: I compared two login requests with different credentials (test/test vs. tryhackme/password) to see how the requests and server responses differed, which can be useful for understanding authentication flows or identifying subtle behavioral changes.

Burp Suite Sequencer: Analyzing Randomness

The Sequencer module is used to analyze the randomness and predictability of session tokens (e.g., CSRF tokens, session cookies) to assess their security.

  • Interface: It offers options for “Live Capture” of tokens from requests or “Manual Load” from a file. I needed to specify the exact location of the token within the request (e.g., if it’s in a cookie or a form field).
  • Usage: Sequencer sends thousands of requests to the application to collect numerous tokens. It then analyzes these collected tokens for their randomness and estimates the effective entropy, which is a measure of how unpredictable the tokens are.
  • Example: I captured a “login_token” from a GET request to an admin login page. After running a live capture, the analysis of the token’s randomness resulted in an “excellent” quality of randomness with high effective entropy, indicating a secure token generation mechanism.
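As an added example (not code from the room or from Burp Suite), a minimal stand-in for Sequencer's effective-entropy estimate, run over two constructed token samples: a counter rendered as hex and a CSPRNG-generated token. Burp's real analysis runs a battery of statistical tests; this only sums per-position Shannon entropy, and the "excellent"/"poor" threshold is a constructed scale for the demo, not Burp's own rating.

```python
import math
import secrets
from collections import Counter

# Added example, not code from the TryHackMe room or from Burp Suite. A small
# stand-in for what Sequencer does with a captured sample of tokens.

def position_entropy(tokens, pos):
    """Shannon entropy (bits) of the symbol distribution at one position."""
    n = len(tokens)
    counts = Counter(t[pos] for t in tokens)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def effective_entropy_bits(tokens):
    """Sum of per-position entropies; treats positions as independent, so
    it is an optimistic estimate of what the sample really shows."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    return sum(position_entropy(tokens, i) for i in range(length))

def max_entropy_bits(tokens):
    """Bits if every position were uniform over all symbols seen in the sample."""
    alphabet = set("".join(tokens))
    return len(tokens[0]) * math.log2(len(alphabet))

def dead_positions(tokens):
    """Positions whose value never changes across the sample (zero entropy)."""
    return [i for i in range(len(tokens[0])) if position_entropy(tokens, i) == 0]

def rate(tokens):
    """Constructed rating scale for this demo, not Burp's own thresholds."""
    ceiling = max_entropy_bits(tokens)
    if ceiling == 0:
        return "poor"
    return "excellent" if effective_entropy_bits(tokens) / ceiling >= 0.9 else "poor"

def weak_tokens(n, start=0):
    """Constructed predictable generator: a plain counter as 8 hex digits."""
    return [f"{start + i:08x}" for i in range(n)]

def strong_tokens(n):
    """Constructed sound generator: 32 random bits from the OS CSPRNG."""
    return [secrets.token_hex(4) for _ in range(n)]

if __name__ == "__main__":
    for name, sample in (("counter", weak_tokens(1000)), ("csprng", strong_tokens(1000))):
        print(name, round(effective_entropy_bits(sample), 1), rate(sample), dead_positions(sample))
```

The counter sample scores well under 10 of a possible 32 bits with its first five positions fixed, which is the pattern to look for in a real Sequencer report: a long token can still carry very little entropy.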

Room Answers

BurpSuite: The Repeater

Which section gives us a more intuitive control over our requests?

Inspector

Which view will populate when sending a request from the Proxy module to Repeater?

request

Which option allows us to visualize the page as it would appear in a web browser?

Render

Which section in Inspector is specific to POST requests?

Body Parameters

What is the flag you receive?

THM{Yzg2MWI2ZDhlYzdlNGFiZTUzZTIzMzVi}

See if you can get the server to error out with a “500 Internal Server Error” code by changing the number at the end of the request to extreme inputs.

What is the flag you receive when you cause a 500 error in the endpoint?

THM{N2MzMzFhMTA1MmZiYjA2YWQ4M2ZmMzh}

Exploit the union SQL injection vulnerability in the site.

What is the flag?

THM{ZGE3OTUyZGMyMzkwNjJmZjg3Mzk1NjJh}

BurpSuite: Other Modules

Which feature attempts auto-decode of the input?

Smart decode
Base64 encode the phrase: Let's Start Simple.

What is the base64 encoded version of this text?
TGV0J3MgU3RhcnQgU2ltcGxl

URL Decode this data: %4e%65%78%74%3a%20%44%65%63%6f%64%69%6e%67.

What is the plaintext returned?
Next: Decoding

Use Smart decode to decode this data: %34%37.

What is the decoded text?
47

Encode this phrase: Encoding Challenge.

Start with base64 encoding. Take the output of this and convert it into ASCII Hex. Finally, encode the hex string into octal.

What is the final string?
24034214a720270024142d541357471232250253552c1162d1206c
Using Decoder, what is the SHA-256 hashsum of the phrase: Let's get Hashing!?

Convert this into an ASCII Hex string for the answer to this question.

6b72350e719a8ef5af560830164b13596cb582757437e21d1879502072238abe

Generate an MD4 hashsum of the phrase: Insecure Algorithms.

Encode this as base64 (not ASCII Hex) before submitting.

TcV4QGZZN7y7lwYFRMMoeA==

Let’s look at an in-context example:

First, download the file attached to this task.

Note: This file can also be downloaded from the deployed VM with wget http://MACHINE_IP:9999/AlteredKeys.zip — you may find this helpful if you are using the AttackBox.

Now read the problem specification below:

“Some joker has messed with my SSH key! There are four keys in the directory, and I have no idea which is the real one. The MD5 hashsum for my key is 3166226048d6ad776370dc105d40d9f8 — could you find it for me?”

key3

What does Sequencer allow us to evaluate?

Entropy
What is the overall quality of randomness estimated to be?

excellent
Are saved requests read-only? (yea/nay)

yea

About the Author

Mastermind Study Notes is a group of experienced authors and writers who are well versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.