Burp Suite Repeater -- An Essential Pentester's Tool


Welcome to my cybersecurity awareness blog where I share insights I’ve learned on my cybersecurity journey.
Today, I took a deep dive into Burp Suite Repeater, the Burp Suite module pentesters use to modify a captured request, resend it, and compare how the server responds to different inputs.
Burp Suite Repeater Module
The Burp Suite Repeater module lets you take a request that Burp has captured, edit any part of it (path, parameters, headers, body), resend it as often as you like, and compare the responses. This is essential, as it makes it much easier to find potential vulnerabilities and to pin down exactly which part of the input triggers them.
In the “Burp Suite Repeater” room on TryHackMe, I got the opportunity to experiment with modifying requests using the “Inspector” tab, which sits on the right-hand side of the Repeater screen. After adding an extra header, setting “FlagAuthorised” to “True”, and resending the request, I got a different response: one in which I could view the THM flag and continue with the room. This demonstrated the power of modifying requests in Burp Suite Repeater, and also why authorisation has to be enforced server-side: a header the client can add or change on its own is not evidence of anything.
In the second challenge in the room, I intercepted a request whose URL contained a direct object reference (an ID that selects a record on the server) to see whether the endpoint properly validated and authorised that ID. If it did not, I might be able to access something sensitive that I am not authorised to see (an insecure direct object reference, or IDOR), breaching confidentiality, one of the pillars of the CIA (Confidentiality, Integrity, Availability) triad.
Next, I tried different values for the ID to see whether they were validated. Sending -1 produced an HTTP 500 Internal Server Error, which shows the endpoint passes the value straight through without validating it: an unexpected ID should be rejected with a 4xx response, not crash the handler. Reading the source of that response, I found the flag ✅.
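To make the two weaknesses from these challenges concrete, here is an added example (not code from the TryHackMe room or from the original post): a toy request handler that trusts a client-supplied "FlagAuthorised" header and forwards the id parameter to its store unchecked, beside a hardened version that takes identity only from a server-side session, validates the id, and checks ownership. The request shape, the notes store and the session store are constructed for illustration.

```python
# Added example, not code from the TryHackMe room or the original post.
# Constructed server-side data: a note store keyed by numeric id, with an owner.
NOTES = {
    1: {"owner": "alice", "body": "alice's private note"},
    2: {"owner": "bob", "body": "bob's private note"},
}
# Constructed server-side session store: session cookie value -> username.
SESSIONS = {"s3ss10n-alice": "alice"}


def make_request(headers=None, params=None, cookies=None):
    """Build the minimal parsed-request shape both handlers expect."""
    return {"headers": headers or {}, "params": params or {}, "cookies": cookies or {}}


def vulnerable_handler(request):
    """Trusts a header the client controls for authorisation, and uses the id
    parameter directly, so whatever id the client sends reaches the store."""
    if request["headers"].get("FlagAuthorised") == "True":
        return 200, "flag granted on the strength of a header"
    try:
        note_id = int(request["params"]["id"])
        return 200, NOTES[note_id]["body"]      # no ownership check: IDOR
    except (KeyError, ValueError):
        return 500, "Internal Server Error"      # unhandled lookup, e.g. id=-1


def hardened_handler(request):
    """Identity comes only from the server-side session; the id is validated
    and checked against ownership before anything is returned."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return 401, "login required"             # the header is never consulted
    raw_id = request["params"].get("id", "")
    if not raw_id.isdigit():                     # rejects "-1", "1'" and ""
        return 400, "id must be a non-negative integer"
    note = NOTES.get(int(raw_id))
    if note is None or note["owner"] != user:
        return 404, "not found"                  # same answer for missing and foreign ids
    return 200, note["body"]


if __name__ == "__main__":
    forged = make_request(headers={"FlagAuthorised": "True"})
    print(vulnerable_handler(forged))            # header alone unlocks the flag
    print(hardened_handler(forged))              # header ignored, no session -> 401
    print(vulnerable_handler(make_request(params={"id": "-1"})))  # the 500 seen in Repeater
    alice = {"session": "s3ss10n-alice"}
    print(hardened_handler(make_request(params={"id": "2"}, cookies=alice)))  # bob's note -> 404
```

The hardened handler returns 404 for both a missing id and someone else's id so that an attacker iterating ids in Repeater cannot tell which records exist.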
Our next challenge is to use SQL injection (SQLi) to reach sensitive information.
We first check whether the endpoint is susceptible to SQLi by appending an apostrophe to the ID.
As we can see from the response, it is: the unbalanced quote breaks the query and we get an Internal Server Error.
From the error message we could learn more about the database schema, such as the table name and how many columns the original query returns, which is exactly what a UNION-based injection needs (the injected SELECT must return the same number of columns).
By changing the query to the following, I was able to get a flag:
0 UNION ALL SELECT notes,null,null,null,null FROM people WHERE id = 1
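The same injection, reproduced against an in-memory SQLite database as an added example (not code from the TryHackMe room or the original post). The tables, column names and flag value are constructed to fit the payload above: the endpoint's own query returns five columns, which is why the payload pads SELECT notes with four NULLs. The example goes one step beyond the post by showing how the column count can be found by trial when the error message does not reveal it, and shows the same lookup done with a validated, bound parameter, against which the payload returns nothing.

```python
# Added example, not code from the TryHackMe room or the original post.
import sqlite3


def build_db():
    """Constructed backend: a five-column 'profiles' table that the endpoint
    queries, and a separate 'people' table holding the sensitive 'notes'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE profiles (id INTEGER, name TEXT, role TEXT, city TEXT, bio TEXT);
        INSERT INTO profiles VALUES (1, 'Alice', 'Engineer', 'Leeds', 'Public bio');
        CREATE TABLE people (id INTEGER, name TEXT, notes TEXT);
        INSERT INTO people VALUES (1, 'Alice', 'THM{constructed_flag}');
    """)
    return conn


def lookup_vulnerable(conn, user_input):
    """The pattern behind the room's endpoint: the id from the URL is spliced
    into the SQL text, so the client can rewrite the query."""
    sql = f"SELECT id, name, role, city, bio FROM profiles WHERE id = {user_input}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_input):
    """Validate the type first, then bind the value: the SQL text never changes."""
    if not str(user_input).isdigit():
        return []
    sql = "SELECT id, name, role, city, bio FROM profiles WHERE id = ?"
    return conn.execute(sql, (int(user_input),)).fetchall()


def probe_with_apostrophe(conn):
    """The first test from the post: a trailing apostrophe breaks the quoting.
    Returns the database error text (what a verbose 500 page would leak)."""
    try:
        lookup_vulnerable(conn, "1'")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def count_columns(conn, max_cols=10):
    """UNION with n NULLs only parses when n matches the original SELECT's
    column count; the first n that does not error is the answer."""
    for n in range(1, max_cols + 1):
        try:
            lookup_vulnerable(conn, "0 UNION ALL SELECT " + ",".join(["null"] * n))
            return n
        except sqlite3.OperationalError:
            continue
    return None


# The payload from the post, verbatim.
PAYLOAD = "0 UNION ALL SELECT notes,null,null,null,null FROM people WHERE id = 1"

if __name__ == "__main__":
    db = build_db()
    print(probe_with_apostrophe(db))        # SQLite's syntax error text
    print(count_columns(db))                # 5
    print(lookup_vulnerable(db, PAYLOAD))   # the notes value in column one
    print(lookup_safe(db, PAYLOAD))         # []: the payload is not a valid id
```

With the bound parameter the whole payload is treated as one value compared against id, and the digit check in front of it rejects it before the database ever sees it.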
Written by Esti Shleifstein
