infosecgirls
Appsec
Burp Extenders

Comparer


Last updated 6 years ago


This is a handy utility for performing a visual "diff" between any two items of data, such as pairs of similar HTTP messages.

Assumption:

You have already solved the "Insecure Direct Object References" challenge of Security Shepherd.

Steps:

  1. Assuming that you have completed the first challenge only, i.e., "Insecure Direct Object References", click on the "Get Next Challenge" button.

  2. You should see the "Poor Data Validation" challenge.

  3. Enter 123 in the input field labeled "Enter a Number".

  4. Ensure that intercept mode is enabled in Burp.

  5. Click on the "Submit Number" button.

  6. Send the intercepted request to Repeater.

  7. Click on the "Go" button.

  8. Modify the request by changing the value of "userdata" parameter to abc.

  9. Click on the "Go" button.

  10. Right-click on the response and select "Send to Comparer".

  11. Click on the back arrow to see the previously triggered request.

  12. Right-click on the response and select "Send to Comparer".

  13. Switch to the "Comparer" tab.

  14. Select the first item to compare.

  15. Select the second item to compare.

  16. Click on the button labeled "Words" to compare the two selected items word-by-word.

  17. Go to "Proxy" > "Intercept" tab.

  18. Modify the value of the "userdata" input parameter to a negative value, e.g., -123.

  19. Click on the "Forward" button.

  20. Turn off interception mode by clicking on the "Intercept is on" button.

  21. Go to "Proxy" > "HTTP history" tab.

  22. Identify the request that you just modified, and select it in the history window.

  23. Click on "Edited request" sub-tab to see the modified request.

  24. Click on "Response" sub-tab to see the response to the modified request.

  25. In Firefox, click on the "Copy to clipboard" button.

  26. Paste the copied value into the result key input box, and click on "Submit" button.

  27. You should see a success message on the screen.
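Comparer's "Words" mode tokenizes both items and highlights the tokens that differ, which is how steps 14 to 16 above make the server's reaction to the numeric and non-numeric "userdata" values visible at a glance. The following is an added example, not part of the original page and not Burp's own code: it reproduces that word-level comparison (and a byte-level similarity score, the analogue of Comparer's "Bytes" mode) with Python's standard `difflib` module over two constructed HTTP responses. The response bodies are made up for the illustration; they are not captured from Security Shepherd.

```python
"""Word-level and byte-level comparison of two HTTP responses, in the spirit of Burp Comparer."""
import difflib
import re

# Constructed sample responses (not real Security Shepherd output): the reply to
# userdata=123 and the reply to userdata=abc from step 8 of the walkthrough.
RESPONSE_NUMERIC = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<p>Number accepted: 123</p>"
)
RESPONSE_ALPHA = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<p>Invalid input: abc</p>"
)

# A token is either a run of word characters or a single punctuation character;
# whitespace is dropped, which is roughly what a "Words" comparison does.
_TOKEN_RE = re.compile(r"\w+|[^\w\s]")


def tokenize(text: str) -> list[str]:
    """Split a message into comparable word/punctuation tokens."""
    return _TOKEN_RE.findall(text)


def word_diff(first: str, second: str) -> list[tuple[str, list[str], list[str]]]:
    """Return the non-equal regions of a word-by-word diff.

    Each entry is (operation, tokens_in_first, tokens_in_second) where operation
    is one of "replace", "delete" or "insert"; equal regions are omitted so the
    caller sees only what changed between the two responses.
    """
    a, b = tokenize(first), tokenize(second)
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    changes = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            changes.append((tag, a[i1:i2], b[j1:j2]))
    return changes


def byte_similarity(first: str, second: str) -> float:
    """Byte-level similarity ratio in [0.0, 1.0]; 1.0 means identical bytes."""
    matcher = difflib.SequenceMatcher(
        None, first.encode("utf-8"), second.encode("utf-8"), autojunk=False
    )
    return matcher.ratio()


def render(changes: list[tuple[str, list[str], list[str]]]) -> str:
    """Human-readable summary of a word diff, one line per changed region."""
    lines = []
    for tag, old, new in changes:
        lines.append(f"{tag:8s} {' '.join(old) or '<none>'}  ->  {' '.join(new) or '<none>'}")
    return "\n".join(lines) if lines else "no differences"


if __name__ == "__main__":
    print("Words mode:")
    print(render(word_diff(RESPONSE_NUMERIC, RESPONSE_ALPHA)))
    print(f"\nBytes mode similarity: {byte_similarity(RESPONSE_NUMERIC, RESPONSE_ALPHA):.3f}")
```

Run as a script, the "Words" output lists only the two regions that differ (the status message and the echoed value), while the unchanged status line and headers are suppressed, just as Comparer leaves unhighlighted text alone. The same functions can be pointed at the response to the negative value from step 18 to confirm whether the server treated -123 like a valid number or like the rejected "abc".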

Screenshot captions: Get next challenge; Intercepted request; Forward the modified request in repeater; Enable intercept mode in Burp; Forward the request in repeater; Send to comparer; Send the response for previous request to comparer; Compare by words; Result of comparison; Turn off interception; Response to modified request; Enter a negative value; Edited request sub-tab; Identify request in HTTP history tab; Copy to clipboard; Submit result key; Challenge solved; Poor data validation; See previous request.