We covered other components of BurpSuite such as BurpSuite Repeater, BurpSuite Sequencer, BurpSuite Encoder/Decoder & BurpSuite Comparer. Additionally, we covered BurpSuite extensions along with practical examples covered from TryHackMe other modules & Repeater room.

Burp Suite Practical Notes

The Complete Practical Web Application Penetration Testing Course


Burp Suite is a Java-based framework designed and developed to manually conduct web application penetration testing.

Burp Suite Repeater enables us to modify and resend intercepted requests to a target of our choosing. It allows us to take requests captured in the Burp Proxy and manipulate them, sending them repeatedly as needed which allow pentesters to manually explore and test websites and endpoints.

The BurpSuite Decoder doesn not only decode data intercepted during an attack but also provides the function to encode our own data, prepping it for transmission to the target. Decoder also allows us to create hashsums of data, as well as providing a Smart Decode feature, which attempts to decode provided data recursively until it is back to being plaintext.

The comparer lets us compare two strings to find the differences either by spotting the modified/added words or bytes.

Room Answers

BurpSuite: The Repeater

Which sections gives us a more intuitive control over our requests?


Which view will populate when sending a request from the Proxy module to Repeater?


Which option allows us to visualize the page as it would appear in a web browser?


Which section in Inspector is specific to POST requests?

Body Parameters

What is the flag you receive?


See if you can get the server to error out with a “500 Internal Server Error” code by changing the number at the end of the request to extreme inputs.

What is the flag you receive when you cause a 500 error in the endpoint?


Exploit the union SQL injection vulnerability in the site.

What is the flag?


BurpSuite: Other Modules

Which feature attempts auto-decode of the input?

Smart decode

Base64 encode the phrase: Let's Start Simple.

What is the base64 encoded version of this text?

URL Decode this data: %4e%65%78%74%3a%20%44%65%63%6f%64%69%6e%67.

What is the plaintext returned?
Next: Decoding

Use Smart decode to decode this data: %34%37.

What is the decoded text?

Encode this phrase: Encoding Challenge.

Start with base64 encoding. Take the output of this and convert it into ASCII Hex. Finally, encode the hex string into octal.

What is the final string?

Using Decoder, what is the SHA-256 hashsum of the phrase: Let's get Hashing!?

Convert this into an ASCII Hex string for the answer to this question.


Generate an MD4 hashsum of the phrase: Insecure Algorithms.

Encode this as base64 (not ASCII Hex) before submitting.


Let’s look at an in-context example:

First, download the file attached to this task.

Note: This file can also be downloaded from the deployed VM with wget http://MACHINE_IP:9999/AlteredKeys.zip — you may find this helpful if you are using the AttackBox.

Now read the problem specification below:

“Some joker has messed with my SSH key! There are four keys in the directory, and I have no idea which is the real one. The MD5 hashsum for my key is 3166226048d6ad776370dc105d40d9f8 — could you find it for me?”


What does Sequencer allow us to evaluate?


What is the overall quality of randomness estimated to be?


Are saved requests read-only? (yea/nay)


Video Walkthrough

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles