Manual Pentest Tools
Repeater, Intruder, and Interceptor — PhantomYerra's built-in tools for hands-on manual testing. Edit and resend HTTP requests, fuzz parameters with attack payloads, and capture live traffic with full evidence hashing.
Repeater — HTTP Request Editor
The Repeater lets you take any HTTP request, modify it by hand, send it, and inspect the raw response. This is the fundamental tool for manual vulnerability confirmation — when the scanner finds something interesting, you use the Repeater to understand exactly what is happening and craft a proof-of-concept.
Features
- Raw request editing — Full control over method, URL, headers, and body. Edit any part of the request before sending.
- Response viewer — Raw response with syntax highlighting. Toggle between raw, headers-only, and rendered HTML views.
- JSON pretty-printing — JSON responses are automatically formatted and syntax-highlighted. Collapsible tree view for large payloads.
- Response timing — Precise round-trip time displayed for every request. Essential for confirming time-based blind injection (SLEEP/WAITFOR/pg_sleep).
- Request history — Every request/response pair is saved with a timestamp. Navigate back through your testing history. Compare any two responses side-by-side.
- Send to Intruder — One click to move the current request to the Intruder with the request pre-loaded. Mark injection points directly from the Repeater.
- Evidence capture — Every request/response pair is SHA-256 hashed and timestamped. One click to attach the pair as finding evidence.
Workflow: Confirming a SQLi Finding
1. Load the Finding
   From the scan findings list, click a SQL injection finding. Click Send to Repeater. The original request (the one that triggered the finding) loads into the Repeater with headers and body intact.
2. Send the Original Request
   Click Send (or press Ctrl+Enter). Observe the response. Note the status code, response size, and response time. This is your baseline.
3. Modify the Payload
   Edit the injection point in the request. For time-based SQLi confirmation:
   Original: GET /api/items?id=1
   Modified: GET /api/items?id=1' AND SLEEP(5)--
   Expected: response time increases by ~5 seconds
   Baseline: 120ms | With SLEEP: 5,130ms = CONFIRMED
4. Capture Evidence
   Click Capture as Evidence. The request/response pair is saved with SHA-256 hash and RFC 3161 timestamp. Attach to the finding for the report.
Intruder — Payload Fuzzer
The Intruder automates sending many variations of a request to find vulnerabilities through payload injection. Mark specific values in the request as injection points, choose a payload list, select an attack mode, and let the Intruder fire hundreds or thousands of modified requests while tracking every response.
Marking Injection Points
In the request editor, wrap any value you want to fuzz with the § delimiter:
Four Attack Modes
| Mode | Positions | Behavior | Use Case |
|---|---|---|---|
| Sniper | One at a time | Iterates through one payload list. Tests each payload in each position sequentially — while other positions hold their original values. | Testing which parameter is vulnerable. 3 positions x 100 payloads = 300 requests. |
| Battering Ram | All simultaneously | Same payload inserted into ALL positions at the same time. Iterates through one payload list. | When the same value appears in multiple places (e.g., username in body AND header). 100 payloads = 100 requests. |
| Pitchfork | Parallel lists | Each position gets its own payload list. Payloads are used in lockstep — payload 1 from list A with payload 1 from list B, then payload 2 from each, etc. | Credential stuffing: list A = usernames, list B = passwords (matched pairs). 100 pairs = 100 requests. |
| Cluster Bomb | All combinations | Every possible combination of payloads across all positions. Cartesian product of all payload lists. | Brute-force: test every username against every password. 100 usernames x 100 passwords = 10,000 requests. |
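The four modes differ only in how payloads are assigned to the marked positions. The following Python is an added example, not PhantomYerra's own code: it parses `§`-marked positions out of a constructed request template (the `/api/items` endpoint, `shop.example` host and the `X-Role` header are stand-ins) and enumerates the requests each mode would send, so the request counts in the table can be checked directly.

```python
import itertools
import re
from typing import Iterable, Iterator

# The § delimiter marks an injection point; the text between a pair of § is the
# position's original value.
MARKER_RE = re.compile("§([^§]*)§")

# Constructed request template with three marked positions: id, sort, and the
# X-Role header value. Not a real endpoint.
TEMPLATE = (
    "GET /api/items?id=§1§&sort=§name§ HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "X-Role: §viewer§\r\n"
    "\r\n"
)


def injection_points(template: str) -> list[str]:
    """Return the original value of every marked position, left to right."""
    return MARKER_RE.findall(template)


def _fill(template: str, values: Iterable[str]) -> str:
    """Substitute one value per marked position, left to right, dropping the markers."""
    it = iter(values)
    return MARKER_RE.sub(lambda _m: next(it), template)


def sniper(template: str, payloads: list[str]) -> Iterator[str]:
    """One position at a time; the other positions keep their original values."""
    originals = injection_points(template)
    for pos in range(len(originals)):
        for payload in payloads:
            values = list(originals)
            values[pos] = payload
            yield _fill(template, values)


def battering_ram(template: str, payloads: list[str]) -> Iterator[str]:
    """The same payload in every position at once."""
    n = len(injection_points(template))
    for payload in payloads:
        yield _fill(template, [payload] * n)


def pitchfork(template: str, payload_lists: list[list[str]]) -> Iterator[str]:
    """One list per position, consumed in lockstep; zip stops at the shortest list."""
    for combo in zip(*payload_lists):
        yield _fill(template, combo)


def cluster_bomb(template: str, payload_lists: list[list[str]]) -> Iterator[str]:
    """One list per position, every combination (Cartesian product)."""
    for combo in itertools.product(*payload_lists):
        yield _fill(template, combo)


def request_counts(template: str, payload_lists: list[list[str]]) -> dict[str, int]:
    """How many requests each mode sends for the given lists (the table's arithmetic).

    Sniper and Battering Ram use a single list, taken here as payload_lists[0].
    """
    single = payload_lists[0]
    return {
        "sniper": sum(1 for _ in sniper(template, single)),
        "battering_ram": sum(1 for _ in battering_ram(template, single)),
        "pitchfork": sum(1 for _ in pitchfork(template, payload_lists)),
        "cluster_bomb": sum(1 for _ in cluster_bomb(template, payload_lists)),
    }


if __name__ == "__main__":
    words = ["A", "B", "C", "D"]  # constructed stand-in for a 4-entry payload list
    print(request_counts(TEMPLATE, [words, words, words]))
    # 3 positions x 4 payloads: sniper 12, battering ram 4, pitchfork 4, cluster bomb 64
```

Because `_fill` substitutes through a callable, payload bytes such as backslashes are inserted verbatim rather than being interpreted as regex escapes, which matters when a list contains encoded or format-string payloads.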
Payload Lists
PhantomYerra ships with built-in payload lists for common attack types. You can also load custom wordlists or generate payloads dynamically.
| Category | Lists Included |
|---|---|
| SQL Injection | MySQL, MSSQL, PostgreSQL, Oracle, NoSQL — error-based, blind, time-based, UNION |
| XSS | Reflected, DOM, polyglot, event handlers, CSP bypass, WAF bypass |
| SSTI | Jinja2, Twig, Freemarker, Velocity, Pebble, Mako, Smarty |
| Path Traversal | Linux, Windows, URL-encoded, double-encoded, null byte |
| Command Injection | Linux, Windows, encoded, concatenation, substitution |
| Wordlists | Directories (common, big, raft-medium), files, parameters, subdomains, vhosts |
| Credentials | Default logins, top passwords, common usernames, device defaults |
| Fuzzing | Integers, special characters, long strings, format strings, null bytes |
Response Filtering and Analysis
With hundreds or thousands of responses, you need filters to find the interesting ones. The Intruder provides:
- Status code filter — Show only 200s, only 500s, only responses that differ from baseline status
- Response length filter — Highlight responses with significantly different body length (indicates behavior change)
- Response time filter — Flag responses that took significantly longer (time-based injection confirmation)
- Content match — Highlight responses containing specific strings (error messages, extracted data, injected content)
- Diff view — Compare any response against the baseline response. Character-level diff highlighting.
- Auto-flag — PhantomYerra automatically flags responses that show signs of successful injection: SQL errors, reflected input, timing anomalies, different redirects
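The filters above are all comparisons against a baseline, and the time filter in particular is only reliable when the baseline captures the network jitter you actually observed. The following Python is an added example, not PhantomYerra's own triage logic: it builds the baseline from several sends of the unmodified request, then applies status, length, time, content-match and reflection checks to a batch of constructed responses, with a jitter tolerance (3 standard deviations plus a 50 ms floor) that is a constructed choice. The SQL error markers are a short constructed list.

```python
import difflib
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Response:
    payload: str            # what was injected ("" for the unmodified request)
    status: int
    body: str
    elapsed_ms: float
    expected_delay_ms: float = 0.0   # set when the payload carries a known SLEEP/WAITFOR delay


@dataclass
class Baseline:
    status: int
    body: str
    mean_ms: float
    stdev_ms: float


def build_baseline(samples: list[Response]) -> Baseline:
    """Average several sends of the unmodified request so jitter is measured, not guessed."""
    times = [s.elapsed_ms for s in samples]
    return Baseline(samples[0].status, samples[0].body, mean(times), pstdev(times))


# Constructed markers for the content filter; a real list is much longer.
SQL_ERROR_MARKERS = ("You have an error in your SQL syntax", "ORA-", "SQLSTATE", "pg_query")


def flags(r: Response, base: Baseline, length_ratio: float = 0.2) -> list[str]:
    """Return the reasons this response deviates from the baseline (empty if none)."""
    out: list[str] = []
    if r.status != base.status:
        out.append(f"status {base.status}->{r.status}")
    base_len = len(base.body)
    if base_len and abs(len(r.body) - base_len) / base_len > length_ratio:
        out.append(f"length {base_len}->{len(r.body)}")
    # Timing: tolerate 3 standard deviations of observed jitter plus a 50 ms floor
    # (constructed tolerance). With a known delay, the excess must match that delay.
    jitter = 3 * base.stdev_ms + 50.0
    excess = r.elapsed_ms - base.mean_ms
    if r.expected_delay_ms:
        if abs(excess - r.expected_delay_ms) <= jitter:
            out.append(f"time +{excess:.0f}ms matches {r.expected_delay_ms:.0f}ms delay")
    elif excess > jitter:
        out.append(f"time +{excess:.0f}ms")
    for marker in SQL_ERROR_MARKERS:
        if marker in r.body and marker not in base.body:
            out.append(f"content {marker!r}")
    if r.payload and r.payload in r.body and r.payload not in base.body:
        out.append("reflected payload")
    return out


def diff_against_baseline(r: Response, base: Baseline) -> str:
    """Line-level unified diff of the response body against the baseline body."""
    return "\n".join(difflib.unified_diff(
        base.body.splitlines(), r.body.splitlines(),
        fromfile="baseline", tofile=r.payload or "unmodified", lineterm=""))


def triage(results: list[Response], base: Baseline) -> dict[str, list[str]]:
    """Map each flagged payload to its reasons; unflagged responses are dropped."""
    flagged: dict[str, list[str]] = {}
    for r in results:
        reasons = flags(r, base)
        if reasons:
            flagged[r.payload] = reasons
    return flagged


# Constructed data: four baseline sends (mean 120 ms), then three fuzzing results.
BASELINE_BODY = '{"items":[{"id":1,"name":"lamp"}]}'
BASELINE_SENDS = [Response("", 200, BASELINE_BODY, t) for t in (118.0, 125.0, 117.0, 120.0)]
RESULTS = [
    Response("1", 200, BASELINE_BODY, 122.0),
    Response("1' AND SLEEP(5)--", 200, BASELINE_BODY, 5130.0, expected_delay_ms=5000.0),
    Response("1'", 500, "You have an error in your SQL syntax near ''' at line 1", 119.0),
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_SENDS)
    for payload, reasons in triage(RESULTS, base).items():
        print(payload, "->", reasons)
    print(diff_against_baseline(RESULTS[2], base))
```

Keying the time check on a known delay is what makes it robust: a response that is merely slow is reported as a generic timing anomaly, while one whose excess matches the injected delay within the measured jitter band is reported as a match, which is the distinction the confirmation step needs.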
Interceptor — Traffic Capture
The Interceptor captures live HTTP/HTTPS traffic during scans and manual browsing, giving you full visibility into every request and response. It serves as both a diagnostic tool (see exactly what PhantomYerra is sending) and an attack tool (modify and replay captured requests).
Capture Modes
| Mode | Description |
|---|---|
| Passive Capture | Records all HTTP traffic passing through PhantomYerra's proxy without modification. View requests and responses in real time as scans run. |
| Active Intercept | Pauses each request before it is sent, allowing you to modify the request in-line. Resume to send, or drop to cancel. Essential for testing specific modifications during authenticated browsing. |
| Scan Monitor | Captures only traffic generated by PhantomYerra's scan engine. Filters out browser traffic. Shows exactly what each scanner module is testing. |
Traffic Analysis Features
- Request/response pairing — Every request is matched with its response. Click any entry to see both.
- Replay with modifications — Select any captured request, modify it (change a parameter, add a header, swap a cookie), and send it. The modified response appears alongside the original for comparison.
- Diff original vs. modified — Side-by-side diff showing exactly what changed between the original response and the response to your modified request. Character-level highlighting of differences.
- Filter by host, method, status, content-type — Narrow down thousands of captured requests to find the ones relevant to your investigation.
- Search across all captured traffic — Full-text search across request and response bodies. Find every request that mentions a specific parameter, token, or error message.
- Export to Repeater / Intruder — Right-click any captured request to send it to the Repeater for editing or to the Intruder for fuzzing.
SHA-256 Evidence Hashing
Every captured request/response pair is automatically hashed with SHA-256 the moment it is captured. This creates an immutable evidence record:
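What makes a stored hash useful as evidence is that the hashed bytes are unambiguous and the record can be re-verified later. The following Python is an added example, not PhantomYerra's evidence code: it length-prefixes the request and response before hashing so the boundary between them is part of the digest, stores the pair with a UTC capture time, and recomputes the hash to detect any later edit. The RFC 3161 timestamp token the page mentions comes from an external timestamping authority and is left as a labelled placeholder field; the request/response pair and finding id are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional


def canonical_bytes(request: bytes, response: bytes) -> bytes:
    """Length-prefix each part so the request/response boundary is part of what is hashed.

    Plain concatenation would let (b"AB", b"C") and (b"A", b"BC") hash identically.
    """
    return b"".join(len(part).to_bytes(8, "big") + part for part in (request, response))


def make_evidence(request: bytes, response: bytes, finding_id: str,
                  captured_at: Optional[datetime] = None) -> dict:
    """Build the evidence record for one captured pair."""
    when = captured_at or datetime.now(timezone.utc)
    return {
        "finding_id": finding_id,
        "sha256": hashlib.sha256(canonical_bytes(request, response)).hexdigest(),
        "captured_at": when.isoformat(),
        # latin-1 round-trips arbitrary bytes without loss, so binary bodies survive export
        "request": request.decode("latin-1"),
        "response": response.decode("latin-1"),
        # placeholder: an RFC 3161 timestamp token from a TSA would be stored here
        "tsa_token": None,
    }


def verify_evidence(record: dict) -> bool:
    """Recompute the hash from the stored pair and compare in constant time."""
    recomputed = hashlib.sha256(canonical_bytes(
        record["request"].encode("latin-1"),
        record["response"].encode("latin-1"))).hexdigest()
    return hmac.compare_digest(recomputed, record["sha256"])


def to_json(record: dict) -> str:
    """Stable serialisation for the report: sorted keys, deterministic layout."""
    return json.dumps(record, sort_keys=True, indent=2)


# Constructed request/response pair; not a real host.
REQUEST = b"GET /api/items?id=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
RESPONSE = b'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{"items":[]}'

if __name__ == "__main__":
    record = make_evidence(REQUEST, RESPONSE, "FINDING-ID-PLACEHOLDER")
    print(to_json(record))
    print("verifies:", verify_evidence(record))
```

A hash alone proves only that the stored bytes have not changed since the hash was computed; the timestamp token is what binds the hash to a point in time, which is why the record keeps both fields side by side.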
End-to-End Workflow
The three tools integrate into a seamless manual testing workflow. Every step preserves evidence and maintains the chain of custody.
1. Finding Triggers Investigation
   An automated scan finding or an interesting Interceptor capture triggers manual investigation. From the finding detail view or the Interceptor, click Send to Repeater.
2. Repeater: Understand the Behavior
   In the Repeater, send the original request to establish a baseline. Then modify the suspected vulnerable parameter with test payloads. Observe how the response changes. Confirm or rule out the vulnerability.
3. Intruder: Scale the Test
   If the Repeater confirms a behavior change, click Send to Intruder. Mark the injection point. Load the appropriate payload list. Run Sniper mode to test a full payload set and identify the exact conditions for exploitation.
4. Confirm and Capture Evidence
   From the Intruder results, identify the successful payload. Click to open in Repeater. Send the final proof-of-concept request. Capture the request/response pair as evidence with SHA-256 hash.
5. Attach to Finding and Report
   The evidence is automatically attached to the associated finding. When you generate the report, the finding includes the full PoC request, the response, the hash, and the timestamp — ready for client delivery.
Integration with Automated Scans
- Findings from any automated scan can be sent to the Repeater with one click
- The Interceptor shows all traffic generated during automated scans in real time
- Manual findings created through these tools appear in the same report alongside automated findings
- Evidence hashing is consistent across manual and automated findings
- The attack graph includes both automated and manual findings in the same chain analysis
Common Issues
The PhantomYerra proxy CA certificate must be installed in your browser or system trust store. Go to Settings → Proxy → Export CA Certificate and import it. For Firefox, import via Preferences → Privacy → View Certificates → Import. For Chrome/Edge, import via the OS certificate store.
Cluster Bomb generates the Cartesian product of all payload lists. 100 x 100 x 100 = 1,000,000 requests. Reduce the payload lists or switch to Pitchfork mode if you have matched pairs. You can also increase the thread count in Intruder → Settings → Threads (default: 10, max: 100).
Network latency varies. For time-based injection confirmation, send the baseline request 3–5 times and note the average response time. Then send the SLEEP/WAITFOR payload and compare. A consistent increase matching the delay value (e.g., baseline 150ms, payload with SLEEP(5) = 5,150ms) confirms the injection regardless of network jitter.
The Repeater accepts raw HTTP request paste. Copy a request from any tool (curl, browser dev tools, other proxies) and paste it directly into the request editor. PhantomYerra parses the method, URL, headers, and body automatically. You can also import from a file: Repeater → Import → From File (supports raw HTTP, curl command, and HAR format).
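Parsing a pasted request is mostly a matter of handling the line-ending and header edge cases that copied text introduces. The following Python is an added example, not PhantomYerra's import parser: it turns a raw HTTP request (CRLF or bare LF) and the common form of a curl command line (`-X`, `-H`, `-d`/`--data-raw`) into the same method/URL/headers/body structure, and serialises that structure back to raw HTTP. The scheme guess for raw text (http unless the Host carries port 443), the limited set of curl flags, and the sample inputs are all constructed assumptions; HAR import is not covered.

```python
import shlex
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ParsedRequest:
    method: str
    url: str
    headers: dict[str, str] = field(default_factory=dict)
    body: str = ""


def parse_raw_http(text: str) -> ParsedRequest:
    """Parse a raw HTTP/1.x request. Pasted text often loses the CR, so LF alone is accepted."""
    text = text.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].strip().split()
    if len(parts) < 2:
        raise ValueError(f"bad request line: {lines[0]!r}")
    method, target = parts[0], parts[1]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"bad header line: {line!r}")
        headers[name.strip()] = value.strip()   # repeated headers collapse to the last value
    if target.startswith(("http://", "https://")):
        url = target                              # absolute-form request line
    else:
        # Raw text carries no scheme; assumption: https only when Host names port 443.
        host = headers.get("Host", "")
        scheme = "https" if host.endswith(":443") else "http"
        url = f"{scheme}://{host}{target}"
    return ParsedRequest(method, url, headers, body)


def parse_curl(command: str) -> ParsedRequest:
    """Parse the common curl flags. Flags that take a value but are not listed here
    (for example -o FILE) are not supported and would be misread."""
    argv = shlex.split(command)
    if not argv or argv[0] != "curl":
        raise ValueError("not a curl command")
    method, url, headers, body = None, None, {}, ""
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-X", "--request"):
            method = argv[i + 1]; i += 2
        elif arg in ("-H", "--header"):
            name, _, value = argv[i + 1].partition(":")
            headers[name.strip()] = value.strip(); i += 2
        elif arg in ("-d", "--data", "--data-raw", "--data-binary"):
            body = argv[i + 1]; i += 2
        elif arg == "--url":
            url = argv[i + 1]; i += 2
        elif arg.startswith("-"):
            i += 1                                # value-less flags such as -s or -k
        else:
            url = arg; i += 1
    if url is None:
        raise ValueError("no URL in curl command")
    if method is None:
        method = "POST" if body else "GET"        # curl's own default when -d is present
    return ParsedRequest(method, url, headers, body)


def to_raw_http(req: ParsedRequest) -> str:
    """Serialise back to raw HTTP/1.1 text with CRLF line endings and a Host header."""
    u = urlsplit(req.url)
    target = (u.path or "/") + (f"?{u.query}" if u.query else "")
    headers = dict(req.headers)
    headers.setdefault("Host", u.netloc)
    head = [f"{req.method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(head) + "\r\n\r\n" + req.body


# Constructed sample inputs; shop.example is not a real host.
SAMPLE_RAW = ("POST /api/login HTTP/1.1\r\nHost: shop.example\r\n"
              "Content-Type: application/json\r\n\r\n{\"user\":\"a\"}")
SAMPLE_CURL = ("curl -s -X PUT -H 'Authorization: Bearer t0ken' "
               "--data-raw '{\"a\":1}' https://shop.example/api/items/7")

if __name__ == "__main__":
    print(parse_raw_http(SAMPLE_RAW))
    print(parse_curl(SAMPLE_CURL))
    print(to_raw_http(parse_curl(SAMPLE_CURL)))
```

Round-tripping through `to_raw_http` is a useful self-check: a request that does not parse back to the same structure usually points at a header the parser mishandled, such as a folded or duplicated one.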