Comparer

This is a handy utility for performing a visual "diff" between any two items of data, such as pairs of similar HTTP messages.

Assumption:

You have already solved the "Insecure Direct Object References" challenge of Security Shepherd.

Steps:

1. Assuming that you have completed the first challenge only, i.e., "Insecure Direct Object References", click on the "Get Next Challenge" button.

   

2. You should see "Poor Data Validation" challenge.

   

3. Enter 123 in the input field labled as "Enter a Number".

4. Ensure that intercept mode is enabled in Burp.

   

5. Click on "Submit Number" button.

6. Send the intercepted request to Repeater.

   

7. Click on "Go" button.

   

8. Modify the request by changing the value of "userdata" parameter to abc.

9. Click on "Go" button.

   

10. Right-click on the response and select "Send to Comparer".

    

11. Click on the back arrow to see the previously triggered request.

    

12. Right-click on the response and select "Send to Comparer".

    

13. Switch to the "Comparer" tab.

14. Select the first item to compare.

15. Select the second item to compare.

    

16. Click on the button labeled as "Words", to compare the two selected items word-by-word.

    

17. Go to "Proxy" > "Intercept" tab.

18. Modify the value of "userdata" input parameter to a negative value, e.g., -123

    

19. Click on "Forward" button.

20. Turn off interception mode by clicking on the "Intercept is on" button.

    

21. Go to "Proxy" > "HTTP history" tab.

22. Identify the request that you just modified, and select it in the history window.

    

23. Click on "Edited request" sub-tab to see the modified request.

    

24. Click on "Response" sub-tab to see the response to the modified request.

    

25. In Firefox, click on "Copy to clipboard" button.

    

26. Paste the copied value into the result key input box, and click on "Submit" button.

    

27. You should see a success message on the screen.