# Comparer

This is a handy utility for performing a visual "diff" between any two items of data, such as pairs of similar HTTP messages.

**Assumption:**

You have already solved the "Insecure Direct Object References" challenge of Security Shepherd.

**Steps:**

1. Assuming that you have completed the first challenge only, i.e., "Insecure Direct Object References", click on the "Get Next Challenge" button.

   ![Get next challenge](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwmiKqj5kUnpZsg0%2F149-comparer.png?generation=1547571287644440\&alt=media)
2. You should see the "Poor Data Validation" challenge.

   ![Poor data validation](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwmkrS-qMij6TD2K%2F150-comparer-poor-data-validation.png?generation=1547571289351413\&alt=media)
3. Enter `123` in the input field labeled "Enter a Number".
4. Ensure that intercept mode is enabled in Burp.

   ![Enable intercept mode in Burp](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwmmbHSa8vQOfkWH%2F151-comparer-burp-intercept-on.png?generation=1547571286475826\&alt=media)
5. Click on the "Submit Number" button.
6. Send the intercepted request to Repeater.

   ![Intercepted request](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwmoHW5hOdNTxKJz%2F152-comparer-intercepted-request.png?generation=1547571290186477\&alt=media)
7. Click on the "Go" button.

   ![Forward the request in repeater](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwmqltYLCRgVuASe%2F153-comparer-go.png?generation=1547571287303768\&alt=media)
8. Modify the request by changing the value of the "userdata" parameter to `abc`.
9. Click on the "Go" button.

   ![Forward the modified request in repeater](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwms-ME7EtN2jDqV%2F154-comparer-modify-go.png?generation=1547571287385896\&alt=media)
10. Right-click on the response and select "Send to Comparer".

    ![Send to comparer](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwmuidy-BspZASJz%2F155-send-to-comparer.png?generation=1547571287320360\&alt=media)
11. Click on the back arrow to see the previously triggered request.

    ![See previous request](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwmwLzku6Q2IZ1xM%2F156-comparer-previous-request.png?generation=1547571290733170\&alt=media)
12. Right-click on the response and select "Send to Comparer".

    ![Send the response for previous request to comparer](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwmyBgapN776EVYd%2F157-send-to-comparer-previous-request.png?generation=1547571294143090\&alt=media)
13. Switch to the "Comparer" tab.
14. Select the first item to compare.
15. Select the second item to compare.

    ![Compare by words](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwn-WInKjcgiMy3n%2F158-comparer-words%20\(1\).png?generation=1547571289419164\&alt=media)
16. Click on the button labeled "Words" to compare the two selected items word by word.

    ![Result of comparison](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwn1_KeC5NTE0HH1%2F159-comparer-result%20\(1\).png?generation=1547571286528059\&alt=media)
17. Go to "Proxy" > "Intercept" tab.
18. Modify the value of the "userdata" input parameter to a negative value, e.g., `-123`.

    ![Enter a negative value](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwn3ZKWo2kGxWxT6%2F163-comparer-negative-value.png?generation=1547571289655946\&alt=media)
19. Click on the "Forward" button.
20. Turn off interception mode by clicking on the "Intercept is on" button.

    ![Turn off interception](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwn5s5dUSlQKJ8ac%2F164-comparer-intercept-off.png?generation=1547571287684510\&alt=media)
21. Go to "Proxy" > "HTTP history" tab.
22. Identify the request that you just modified, and select it in the history window.

    ![Identify request in HTTP history tab](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwn723tTbJu1SvZG%2F165-comparer-identify-request-in-history.png?generation=1547571287259699\&alt=media)
23. Click on the "Edited request" sub-tab to see the modified request.

    ![Edited request sub-tab](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwn9_BQxo4ZFeljY%2F166-comparer-edited-request.png?generation=1547571290355271\&alt=media)
24. Click on the "Response" sub-tab to see the response to the modified request.

    ![Response to modified request](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwnBN-PCmIrIhTSb%2F167-comparer-see-response.png?generation=1547571287309615\&alt=media)
25. In Firefox, click on the "Copy to clipboard" button.

    ![Copy to clipboard](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwnDGoDENvLqtVau%2F168-comparer-copy-to-clipboard.png?generation=1547571287075952\&alt=media)
26. Paste the copied value into the result key input box, and click on the "Submit" button.

    ![Submit result key](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwnFfK-UHsbWKETT%2F169-comparer-submit-result-key.png?generation=1547571286917391\&alt=media)
27. You should see a success message on the screen.

    ![Challenge solved](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwnH0fjLX1HsZi7j%2F170-comparer-challenge-solved.png?generation=1547571294411438\&alt=media)
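As an added example (not part of this tutorial or of Burp Suite), the following Python script reproduces what Comparer's "Words" mode does in steps 10 to 16: it tokenizes two HTTP responses into words and reports only the regions that differ. The two responses are constructed stand-ins for the replies to `userdata=123` and `userdata=abc`; Security Shepherd's real markup differs.

```python
# Word-level diff of two HTTP responses, mimicking Burp Comparer's "Words"
# mode. Added example, not part of the tutorial or of Burp Suite; the two
# responses below are constructed (Security Shepherd's real markup differs).
import difflib
import re

# Constructed response to userdata=123 ...
RESPONSE_A = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 40\r\n\r\n"
    "<p>You entered 123. Number accepted.</p>"
)
# ... and to userdata=abc.
RESPONSE_B = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 39\r\n\r\n"
    "<p>You entered abc. Invalid number.</p>"
)

def tokenize_words(text):
    """Words and single punctuation characters; whitespace (CRLF included)
    is dropped, which is exactly what a word-level compare ignores."""
    return re.findall(r"\w+|[^\w\s]", text)

def word_diff(a, b):
    """Return (operation, old_words, new_words) for each non-identical region;
    an empty list means the two responses match word for word."""
    ta, tb = tokenize_words(a), tokenize_words(b)
    matcher = difflib.SequenceMatcher(a=ta, b=tb, autojunk=False)
    return [
        (op, " ".join(ta[i1:i2]), " ".join(tb[j1:j2]))
        for op, i1, i2, j1, j2 in matcher.get_opcodes()
        if op != "equal"
    ]

def change_counts(a, b):
    """Number of modified/deleted/added regions, like Comparer's summary."""
    counts = {"replace": 0, "delete": 0, "insert": 0}
    for op, _, _ in word_diff(a, b):
        counts[op] += 1
    return counts

if __name__ == "__main__":
    for op, old, new in word_diff(RESPONSE_A, RESPONSE_B):
        print(f"{op:8} {old!r} -> {new!r}")
    print(change_counts(RESPONSE_A, RESPONSE_B))
```

Running it reports three modified regions (the Content-Length, the echoed value and the status sentence), which is the same kind of highlight Comparer shows after step 16.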
