Bulk Send To Repeater Burp Suite Extension
By Karl Schuttler | January XX, 2024 | Application Security
Burp Suite’s Repeater tool is used heavily during any typical web application or API penetration test, allowing the tester to manipulate and resubmit any previous request. The existing Burp Suite interface supports forwarding only one request at a time to the Repeater tool, and as each request is forwarded individually to Repeater, it is given a purely numerical tab title.
The existing tab grouping features are helpful for placing multiple tabs within logically named (and color-coded) structures, but each tab must still be individually double-clicked and renamed if the tester wants to be able to select a specific request in Repeater without riffling through them, looking for a needle in a haystack.
These workflow limitations become particularly cumbersome when performing API testing, which frequently involves a lift-and-shift of requests from an API client (like Postman or Insomnia) into Burp Repeater. Each additional API endpoint scoped for testing has a multiplicative effect on the number of UI management steps that must be performed:
- Submitting the request in the API client to populate it within Burp Proxy
- Selecting the request in Burp Proxy and forwarding it to Repeater
- Switching to the Repeater Tab
- Resubmitting the request to save a baseline positive response within Repeater
- Identifying and performing a copy-paste of some relevant text from the Request for a label
- Double clicking the tab and pasting to save the label
The larger and more complex a test is, the more time the tester spends juggling and labeling requests within the UI rather than performing actual security testing. This type of rigid documentation approach is especially important within API tests, which are typically less exploratory than web application tests and require full test coverage within a well-scoped assessment, as the entire testing space is generally known to the tester at test start.
To ease this struggle, White Oak Security (Cyber Advisors) is proud to release the Bulk Send To Repeater extension, which is available now within the official Burp Suite BApp Store and from our GitHub page (https://github.com/WhiteOakSecurity/bulkSendToRepeater).
Make Hay While the Sun Shines
The Bulk Send To Repeater extension adds context menus to Burp Suite’s request viewers, allowing requests to be forwarded to the Repeater tool in large groups.
- Requests may be added using their method and URI as Repeater Tab title (e.g., GET /api/v1/some/endpoint/1), limited to 70 characters, or
- Requests may be added using standard numbering for the Repeater Tab title
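The following is an added illustration of how the method-and-URI behaviour described above can be implemented against the Burp Montoya API; it is example code written for this article, not the source of the Bulk Send To Repeater extension itself. The class name `BulkRepeaterExample` and the menu label are assumptions; the 70-character title limit comes from the bullet above.

```java
// Added example (not the Bulk Send To Repeater project's own source): a minimal
// Burp Montoya API extension that registers one context menu entry and forwards
// every selected request to Repeater, titling each tab "METHOD /path" capped at
// 70 characters instead of the default numeric title.
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.message.HttpRequestResponse;
import burp.api.montoya.http.message.requests.HttpRequest;
import burp.api.montoya.ui.contextmenu.ContextMenuEvent;
import burp.api.montoya.ui.contextmenu.ContextMenuItemsProvider;

import javax.swing.JMenuItem;
import java.awt.Component;
import java.util.List;

public class BulkRepeaterExample implements BurpExtension, ContextMenuItemsProvider {
    private static final int MAX_TITLE_LENGTH = 70; // limit described in the post
    private MontoyaApi api;

    @Override
    public void initialize(MontoyaApi api) {
        this.api = api;
        api.extension().setName("Bulk Send To Repeater (example)"); // assumed name
        api.userInterface().registerContextMenuItemsProvider(this);
    }

    @Override
    public List<Component> provideMenuItems(ContextMenuEvent event) {
        // Everything highlighted in Proxy history / Target / Logger etc.
        List<HttpRequestResponse> selected = event.selectedRequestResponses();
        if (selected.isEmpty()) {
            return List.of(); // nothing to send, so contribute no menu entry
        }
        JMenuItem item = new JMenuItem(
            "Send all " + selected.size() + " to Repeater (method + URI titles)");
        item.addActionListener(e -> {
            for (HttpRequestResponse rr : selected) {
                // One Repeater tab per selected request, named after the request.
                api.repeater().sendToRepeater(rr.request(), tabTitle(rr.request()));
            }
        });
        return List.of(item);
    }

    // Builds "GET /api/v1/some/endpoint/1" style titles, truncated to 70 characters.
    static String tabTitle(HttpRequest request) {
        String title = request.method() + " " + request.path();
        return title.length() > MAX_TITLE_LENGTH ? title.substring(0, MAX_TITLE_LENGTH) : title;
    }
}
```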
Try adding Bulk Send To Repeater to your next Burp Project, and see how it can save you time and effort on your application or API penetration test!