Repeater Panel

The repeater allows for a single HTTP request to be modified by hand and then repeated back to the server. All aspects of the request can be altered from the three views.

The three views consist of:

  • Plain Text – Standard raw HTTP Request

    The exact textual HTTP request that will be sent to the web server can be altered in a text editing box. The Content-Length is updated automatically when the request is sent. A variety of encoding options are available from the drop-down menu. To apply a conversion, highlight the text to alter and then use either the right-click drop-down menu or the shortcut keys.

    The encoding options are:

    • URL – Encoding, Decoding, Unicode and Every character
    • Base64 – Encode, Decode
    • HTML / XML – Encode using entities, e.g. & => &amp;
    • Hash – MD5SUM or SHA1 the selection and replace it with the result
    • Hex – ASCII to Hex, e.g. A => 41
    • No Quotes – Converts the text into a quote-free string for MySQL, SQL Server, Oracle or JavaScript by using a character-concatenation representation, e.g. XSS => String.fromCharCode(88,83,83) (JavaScript)
    • Numeric – Hex to Decimal, Decimal to Hex

    The editor also allows areas of the request to be highlighted in different colours. These colours are interpreted when the request is sent and the highlighted areas are converted accordingly; for example, areas highlighted in blue are URL encoded before being sent.
  • Hex View – For binary manipulations
  • Parameter View – Only the GET, POST, MIME and Cookie values are shown, in a list, so they can be altered individually. Double-clicking a value shows that single value on its own. From this view the value is URL encoded before sending, and the colour encoding options mentioned above are also available. This is useful when working on a single parameter (e.g. SQL injection) and the rest of the request is not important.
  • Silverlight WCF View – Shows the XML version of the request for valid WCF requests. This can be edited and then sent to the server; it is automatically encoded back into the binary format.
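As an added example (not CAT's own code), the following Python reproduces the Plain Text view's conversions and adds the reverse step an analyst wants when reading logs or WAF events: collapsing runs of String.fromCharCode()/CHAR()/CHR() back into the literal they spell. The JavaScript form is the one shown above; the MySQL, SQL Server and Oracle forms are my assumptions based on each dialect's CHAR/CHR functions, not taken from the tool.

```python
import hashlib
import re
import urllib.parse
from html import escape

def url_encode(text: str, every_char: bool = False) -> str:
    """URL-encode the selection; every_char mirrors the "Every character" option."""
    if every_char:
        return "".join(f"%{b:02X}" for b in text.encode("utf-8"))
    return urllib.parse.quote(text, safe="")

def html_encode(text: str) -> str:
    """Entity-encode HTML/XML metacharacters, e.g. & => &amp;"""
    return escape(text, quote=True)

def hash_selection(text: str, algo: str = "md5") -> str:
    """Replace the selection with its MD5 or SHA1 hex digest."""
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()

def to_hex(text: str) -> str:
    """ASCII to hex, e.g. A => 41"""
    return text.encode("utf-8").hex().upper()

def no_quotes(text: str, dialect: str) -> str:
    """Quote-free string built from character codes. Only the JavaScript form is
    from the CAT page; the SQL forms are assumed from each dialect's semantics."""
    codes = [str(ord(c)) for c in text]
    if dialect == "javascript":
        return f"String.fromCharCode({','.join(codes)})"
    if dialect == "mysql":                      # MySQL CHAR() accepts a list
        return f"CHAR({','.join(codes)})"
    if dialect == "mssql":                      # SQL Server CHAR() takes one code
        return "+".join(f"CHAR({c})" for c in codes)
    if dialect == "oracle":                     # Oracle CHR() takes one code
        return "||".join(f"CHR({c})" for c in codes)
    raise ValueError(f"unknown dialect: {dialect}")

# Reverse step for log review: a run of fromCharCode()/CHAR()/CHR() calls,
# optionally joined by + or ||, collapses back to the literal it spells.
_CALL = r"(?:String\.fromCharCode|CHAR|CHR)\(\s*[\d\s,]+\)"
_RUN = re.compile(rf"{_CALL}(?:\s*(?:\+|\|\|)\s*{_CALL})*", re.IGNORECASE)

def decode_char_calls(text: str) -> str:
    def spell(m: re.Match) -> str:
        return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))
    return _RUN.sub(spell, text)
```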

The request and response can be viewed in different forms (note that these tabs apply across CAT wherever HTTP requests/responses are shown):

  • Request Text – The actual text sent, including any conversions specified
  • Request Hex – Hex view of the request
  • Parameters – A list of the GET, POST, MIME and Cookie values sent
  • Response Text – A syntax-highlighted view of the actual text in the response
  • Response HTML – A rendered view of the HTML. This uses the Internet Explorer rendering engine and will download any resources needed (such as JavaScript, images, CSS etc.). The view can also be interacted with, so links can be followed (see Limitations).
  • Response Hex – Binary view of the actual response
  • Show Info – Various meta information about the request, including the duration, sizes, server etc.
  • Extracted Content – Shows a decoded ViewState and any HTML comments on the page. This information can also be extracted across multiple requests; see Log.
  • Silverlight WCF Encoding – If the request or response is in WCF format (as indicated by the Content-Type) then CAT decodes the WCF into XML and displays the request and response in an extra tab.

The Log tab keeps a record of each request that has been sent through this repeater. This is the standard HTTP log used throughout CAT. See the Log View section for more details.
