Both last-byte synchronization and the single-packet attack are timing attack techniques used to measure response delays more precisely, especially in environments where network conditions (like jitter or congestion) could otherwise skew your results.

These techniques were added to Burp Suite Repeater to improve the accuracy and effectiveness of sending parallel requests, such as in timing-based vulnerability detection. Last-Byte Synchronization (for HTTP/1.x)

With last-byte synchronization, you:

I. Send each request in chunks, delaying the final byte (typically the last part of the body or headers).

II. You then send all final bytes at once.

III. The server receives the last byte of each request at the same time, meaning it starts processing all requests at nearly the same moment.

Single-Packet Attack (for HTTP/2)

HTTP/2 uses streams, allowing multiple concurrent requests over a single TCP connection. To ensure all requests are received and processed by the server simultaneously, in one packet, despite HTTP/2's internal stream multiplexing.

I. The client (Burp) crafts multiple HTTP/2 requests and packs them all into a single network packet.

II. This bypasses HTTP/2 stream prioritization and buffering delays

III. The server receives and begins handling all the requests at the same time, because they all arrived in one packet, minimizing the chance of network delays skewing your results.

This technique was introduced by PortSwigger Research at Black Hat USA 2023 as a powerful way to exploit timing discrepancies or perform more accurate differential analysis.

These Techniques Matter, If you're doing: Timing-based SQLi or blind vulnerabilities, Race condition exploitation and Side-channel attacks (e.g., response delay reveals info)

They let you: Remove jitter and latency noise, Compare responses more accurately and Detect microsecond-level timing differences.