Repeater — HTTP Request Editor & Replayer
Craft, send, and analyze individual HTTP requests with full control over every header, parameter, and cookie. The Repeater is your primary tool for manual vulnerability confirmation — take a suspicious request, modify it, resend it, and study the response.
Overview
The Repeater is the manual testing workhorse. Whenever the scanner flags a potential vulnerability, or when you spot an interesting endpoint in the Interceptor, you send the request to the Repeater for hands-on investigation. Unlike automated scanning, the Repeater gives you precise control — you choose exactly what to change, when to send, and how to interpret the result.
Core Capabilities
- Raw request editing — Full control over method, URL, HTTP version, headers, cookies, and body. Edit any byte of the request.
- Multi-tab workspace — Open multiple Repeater tabs simultaneously. Each tab holds an independent request/response pair. Name tabs for organization.
- Response analysis — View responses as raw text, formatted HTML, JSON tree, or hex dump. Toggle between views instantly.
- Response comparison — Select any two responses from your history and compare them side-by-side with diff highlighting.
- Timing analysis — Precise round-trip time for every request. Essential for confirming time-based blind injection.
- Request history — Every request/response pair is saved chronologically. Navigate backward and forward through modifications.
- Evidence capture — One-click SHA-256 hashing and RFC 3161 timestamping of any request/response pair for evidence-grade documentation.
- Send to Intruder — Promote any request to the Intruder for automated fuzzing with marked injection points.
Replaying Requests
Sending a Request
1. Load a Request
   Get a request into the Repeater by any of these methods:
   - From scan findings: click a finding → Send to Repeater
   - From Interceptor: right-click a request in HTTP History → Send to Repeater
   - From Interceptor: press Ctrl+R on an intercepted request
   - Manual entry: type or paste a raw HTTP request directly into the editor
2. Review the Request
   The request appears in the left panel with syntax highlighting. Verify the target host, method, path, headers, and body are correct.
3. Send
   Click Send or press Ctrl+Enter. The response appears in the right panel with status code, headers, body, and timing.
4. Analyze the Response
   Switch between response views using the tabs at the top of the response panel:
   - Raw — Complete HTTP response including status line and headers
   - Headers — Response headers only, with security header analysis
   - Body — Response body with syntax highlighting (JSON, HTML, XML)
   - Rendered — HTML body rendered in a sandboxed iframe
   - Hex — Hexadecimal dump of the response body
Modifying Parameters
The power of the Repeater is in modification. Change any part of the request and resend to test different attack vectors.
Common Modifications
| What to Change | Test Scenario | Example |
|---|---|---|
| Query parameters | SQL injection, IDOR | Change ?id=1 to ?id=1' OR 1=1-- |
| JSON body values | Mass assignment, type juggling | Add "role":"admin" to a user update request |
| Cookie values | Session fixation, auth bypass | Decode JWT, change sub claim, re-encode |
| HTTP method | Method override bypass | Change GET to PUT or add X-HTTP-Method-Override: DELETE |
| Content-Type | Parser differential | Change application/json to application/xml |
| Authorization header | Horizontal privilege escalation | Replace with another user's token |
| Path segments | Path traversal, access control | Change /api/users/me to /api/users/admin |
Comparing Responses
Response comparison is critical for confirming vulnerabilities. A response that differs in length, status code, or content when you inject a payload (versus the baseline) is a strong indicator.
How to Compare
1. Send the Baseline
   Send the original, unmodified request. Note the response status, length, and content. This is your baseline for comparison.
2. Send the Modified Request
   Change the parameter you are testing and send again. Note any differences in the response.
3. Open Comparison View
   Click Compare (or Ctrl+D). Select the two responses from the history dropdown. PhantomYerra shows a side-by-side diff with:
   - Added lines highlighted in green
   - Removed lines highlighted in red
   - Changed characters highlighted inline
   - Status code, length, and timing comparison at the top
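The comparison the view performs, written out as an added Python example (not PhantomYerra's own code): status, length and timing deltas plus the added and removed body lines. The Response class and the sample pair are constructed for illustration.

```python
import difflib
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str
    rtt_ms: float  # round-trip time as measured by the client


def compare_responses(baseline: Response, modified: Response) -> dict:
    """Summarise how the modified request's response differs from the baseline.

    Mirrors the comparison view: status, length and timing deltas at the top,
    then the body lines the diff reports as added or removed.
    """
    diff = list(difflib.unified_diff(
        baseline.body.splitlines(), modified.body.splitlines(),
        fromfile="baseline", tofile="modified", lineterm="", n=0,
    ))[2:]  # drop the '--- baseline' / '+++ modified' file header lines
    added, removed = [], []
    for line in diff:
        if line.startswith("@@"):
            continue  # hunk marker, not content
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    status_changed = baseline.status != modified.status
    length_delta = len(modified.body.encode()) - len(baseline.body.encode())
    return {
        "status_changed": status_changed,
        "length_delta": length_delta,
        "timing_delta_ms": round(modified.rtt_ms - baseline.rtt_ms, 1),
        "added": added,
        "removed": removed,
        # the rule of thumb above: any of these differing is worth a closer look
        "differs": status_changed or length_delta != 0 or bool(added or removed),
    }


# Constructed sample pair, not captured from a real application
BASELINE = Response(200, "<h1>Profile</h1>\n<p>user: alice</p>\n", 120.0)
MODIFIED = Response(500, "<h1>Error</h1>\n<p>user: alice</p>\n<pre>internal error</pre>\n", 135.5)

if __name__ == "__main__":
    print(compare_responses(BASELINE, MODIFIED))
```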
Session Handling
Many applications require valid session tokens. The Repeater supports automatic session management so your requests do not fail due to expired tokens.
Session Options
- Cookie jar — PhantomYerra maintains a shared cookie jar. Cookies set by any response are automatically included in subsequent requests to the same domain.
- Auto-refresh tokens — Define a login macro (a sequence of requests that obtains a fresh session token). When the Repeater detects an expired session (e.g., 401 response), it automatically runs the macro and retries with the new token.
- Bearer token management — For APIs using Bearer tokens: configure the token source (login endpoint, OAuth flow) and PhantomYerra refreshes it automatically when expired.
- Multi-user testing — Maintain multiple session profiles (User A, User B, Admin). Switch between profiles to test access control without re-authenticating each time.
Encoding & Decoding Helpers
The Repeater includes built-in encoding and decoding utilities. Select any text in the request or response editor and apply transformations.
Available Transformations
| Transformation | Encode | Decode | Use Case |
|---|---|---|---|
| URL | %27%20OR%201%3D1 | ' OR 1=1 | Query parameter injection |
| Base64 | YWRtaW46cGFzc3dvcmQ= | admin:password | Authorization headers, tokens |
| HTML Entity | &lt;script&gt; | <script> | XSS payload encoding |
| Hex | 0x61646d696e | admin | Binary protocol parameters |
| Unicode | \u0061\u0064\u006d | adm | WAF bypass via unicode normalization |
| JWT Decode | — | Header + payload + signature | Inspect and modify JWT claims |
| Gzip | Compressed bytes | Decompressed text | Compressed request/response bodies |
| Hash (MD5/SHA) | Hash digest | — | Verify checksums, generate hash payloads |
Using Transformations
Select text in the editor → right-click → Transform → choose the transformation. Or use the keyboard shortcut Ctrl+Shift+T to open the transformation dialog. Chain multiple transformations: select text, apply URL decode, then Base64 decode, to fully unwrap a doubly-encoded parameter.
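The transformation table and the chaining step, as an added Python example (not PhantomYerra's own code). Each row becomes a plain function; chain() applies them in order, and unwrap() keeps every intermediate value so each layer of a doubly-encoded parameter can be inspected. The DOUBLE sample value is constructed.

```python
import base64
import html
import urllib.parse

# One plain str -> str function per direction of each row in the table above.
TRANSFORMS = {
    "url_encode": lambda s: urllib.parse.quote(s, safe=""),
    "url_decode": urllib.parse.unquote,
    "base64_encode": lambda s: base64.b64encode(s.encode()).decode(),
    "base64_decode": lambda s: base64.b64decode(s, validate=True).decode(),
    "html_encode": lambda s: html.escape(s, quote=True),
    "html_decode": html.unescape,
    "hex_encode": lambda s: "0x" + s.encode().hex(),
    "hex_decode": lambda s: bytes.fromhex(s.removeprefix("0x")).decode(),
    # \uXXXX escapes for ASCII text; non-ASCII input would need a wider path
    "unicode_encode": lambda s: "".join(f"\\u{ord(c):04x}" for c in s),
    "unicode_decode": lambda s: s.encode("ascii").decode("unicode_escape"),
}


def chain(value: str, steps: list[str]) -> str:
    """Apply the named transformations left to right, as the dialog's chaining does."""
    for step in steps:
        value = TRANSFORMS[step](value)
    return value


def unwrap(value: str, steps: list[str]) -> list[str]:
    """Return every intermediate value of a chain so each layer can be inspected."""
    trail = [value]
    for step in steps:
        trail.append(TRANSFORMS[step](trail[-1]))
    return trail


# Constructed doubly-encoded parameter: Base64 of "admin:password", then URL-encoded
DOUBLE = "YWRtaW46cGFzc3dvcmQ%3D"

if __name__ == "__main__":
    print(unwrap(DOUBLE, ["url_decode", "base64_decode"]))
```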
Advanced Tips
- Tab naming — Double-click a Repeater tab name to rename it. Use descriptive names like "SQLi-login", "IDOR-profile", "SSRF-webhook" to organize your testing.
- Follow redirects — Toggle the Follow Redirects option to automatically follow 3xx responses. When off, you see each redirect step individually.
- Auto-update Content-Length — PhantomYerra automatically recalculates the Content-Length header when you modify the body. This prevents request failures due to mismatched lengths.
- TLS configuration — Override TLS settings per tab: force TLS 1.2, disable certificate validation, use client certificates. Useful for testing APIs with mutual TLS.
- HTTP/2 support — The Repeater supports HTTP/2 natively. Toggle between HTTP/1.1 and HTTP/2 to test for protocol-specific vulnerabilities (e.g., HTTP/2 request smuggling).
- Connection reuse — By default, each send creates a new connection. Enable Keep-Alive to reuse the connection across requests, which is faster and can reveal race conditions.
Keyboard Shortcuts
| Shortcut | Action |
|---|---|
| Ctrl+Enter | Send request |
| Ctrl+Shift+I | Send to Intruder |
| Ctrl+E | Capture as evidence |
| Ctrl+H | Toggle request history panel |
| Ctrl+D | Compare two responses (diff view) |
| Ctrl+Shift+T | Open transformation dialog |
| Ctrl+N | New Repeater tab |
| Ctrl+W | Close current tab |
| Ctrl+Tab | Switch to next tab |
| Ctrl+Shift+Tab | Switch to previous tab |