Comparer

This is a handy utility for performing a visual "diff" between any two items of data, such as pairs of similar HTTP messages.

Assumption:

You have already solved the "Insecure Direct Object References" challenge of Security Shepherd.

Steps:

  1. Assuming that you have completed the first challenge only, i.e., "Insecure Direct Object References", click on the "Get Next Challenge" button.

    Get next challenge

  2. You should see "Poor Data Validation" challenge.

    Poor data validation

  3. Enter 123 in the input field labeled "Enter a Number".

  4. Ensure that intercept mode is enabled in Burp.

    Enable intercept mode in Burp

  5. Click on "Submit Number" button.

  6. Send the intercepted request to Repeater.

    Intercepted request

  7. Click on "Go" button.

    Forward the request in repeater

  8. Modify the request by changing the value of the "userdata" parameter to abc.

  9. Click on "Go" button.

    Forward the modified request in repeater

  10. Right-click on the response and select "Send to Comparer".

    Send to comparer

  11. Click on the back arrow to see the previously triggered request.

    See previous request

  12. Right-click on the response and select "Send to Comparer".

    Send the response for previous request to comparer

  13. Switch to the "Comparer" tab.

  14. Select the first item to compare.

  15. Select the second item to compare.

    Compare by words

  16. Click on the button labeled as "Words", to compare the two selected items word-by-word.

    Result of comparison

  17. Go to "Proxy" > "Intercept" tab.

  18. Modify the value of the "userdata" input parameter to a negative value, e.g., -123.

    Enter a negative value

  19. Click on "Forward" button.

  20. Turn off interception mode by clicking on the "Intercept is on" button.

    Turn off interception

  21. Go to "Proxy" > "HTTP history" tab.

  22. Identify the request that you just modified, and select it in the history window.

    Identify request in HTTP history tab

  23. Click on "Edited request" sub-tab to see the modified request.

    Edited request sub-tab

  24. Click on "Response" sub-tab to see the response to the modified request.

    Response to modified request

  25. In Firefox, click on "Copy to clipboard" button.

    Copy to clipboard

  26. Paste the copied value into the result key input box, and click on "Submit" button.

    Submit result key

  27. You should see a success message on the screen.

    Challenge solved
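As an added example (not part of this walkthrough or of Burp's own code), the Python below reproduces a word-by-word comparison of the kind Comparer's "Words" mode performs in step 16, run on two constructed responses standing in for the ones returned for 123 and abc. The response bodies, the whitespace-based tokenization and the function names are assumptions.

```python
import difflib
import re

# Constructed sample responses standing in for the two Security Shepherd
# responses sent to Comparer in the steps above; the bodies are assumed.
RESPONSE_123 = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 46\r\n"
    "\r\n"
    "<p>Number 123 accepted. Your score is 123.</p>"
)
RESPONSE_ABC = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 44\r\n"
    "\r\n"
    "<p>Number abc rejected. Your score is 0.</p>"
)

_WORD_RE = re.compile(r"\S+")


def tokenize(message: str) -> list[str]:
    """Split a message into whitespace-delimited words (assumed tokenization)."""
    return _WORD_RE.findall(message)


def compare_words(a: str, b: str) -> list[tuple[str, list[str], list[str]]]:
    """Word-level diff of two messages, in the spirit of Comparer's "Words" mode.

    Each entry is (tag, words_from_a, words_from_b), in message order, with
    tag one of 'equal', 'replace', 'delete' or 'insert'.
    """
    wa, wb = tokenize(a), tokenize(b)
    matcher = difflib.SequenceMatcher(a=wa, b=wb, autojunk=False)
    return [(tag, wa[i1:i2], wb[j1:j2])
            for tag, i1, i2, j1, j2 in matcher.get_opcodes()]


def changed_words(a: str, b: str) -> list[tuple[str, str]]:
    """Only the differing runs, each joined back into a string: (from_a, from_b)."""
    return [(" ".join(x), " ".join(y))
            for tag, x, y in compare_words(a, b) if tag != "equal"]


if __name__ == "__main__":
    # Prints the three runs that differ: the Content-Length, the echoed
    # value with its verdict, and the final score.
    for left, right in changed_words(RESPONSE_123, RESPONSE_ABC):
        print(f"{left!r:>32} | {right!r}")
```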
