Compare Two Requests in Burp Comparer

Beginner

Introduction

Burp Suite is a powerful set of tools for web application security testing. One of its most useful features is Burp Comparer, a tool for performing a visual "diff" of any two pieces of data, such as HTTP requests or responses. This is incredibly helpful for identifying subtle differences that might reveal vulnerabilities, such as changes in session tokens, hidden form fields, or error messages.

In this lab, you will learn the basic workflow of using Burp Comparer. You will capture two similar HTTP requests using the Burp Proxy, send them to the Comparer tool, and then analyze the highlighted differences.

Find Two Similar Requests in Your Proxy History

In this step, you will launch Burp Suite and a web browser to generate two similar login requests. These requests will then be used for comparison.

First, launch the required applications. You can find both Burp Suite and the Chromium Web Browser on the desktop.

  1. Double-click the Burp Suite icon on the desktop to start it. If a dialog box appears, you can use the default settings and click Next and then Start Burp.
  2. Double-click the Chromium Web Browser icon on the desktop.

Next, you need to capture some traffic. We will attempt to log in to a fictional website twice with different credentials.

  1. In Burp Suite, navigate to the Proxy tab, and within it, the Intercept sub-tab. If the button says Intercept is off, click it so it changes to Intercept is on.
  2. In the Chromium browser, navigate to the following address: http://www.google.com. You will see the request get "stuck" in Burp Suite.
  3. Go back to Burp Suite. You will see the captured request. For this lab, we don't need to modify it. Just click the Forward button to let the request proceed. Repeat this a few times until the Google homepage loads in your browser.
  4. Now, let's generate our target requests. In the browser, search for "login page example". Click on any result that provides a simple login form. For this example, let's assume you found a page and entered user1 for the username and pass1 for the password. Click the login button.
  5. Go back to Burp Suite and click Forward to let the login request pass.
  6. Return to the browser and enter different credentials, such as user2 and pass2, and click the login button again.
  7. Go back to Burp Suite and click Forward one more time.

Now that you have generated the traffic, you can find the requests in your proxy history.

In Burp Suite, go to the Proxy tab and then the HTTP history sub-tab. Here you will see a log of all the requests that have passed through the proxy. Look through the list to find the two POST requests to the login page you used. These are the two requests we will compare in the next steps.

Right-Click the First Request and 'Send to Comparer'

In this step, you will send the first of the two login requests to the Comparer tool.

Stay within the Proxy -> HTTP history tab in Burp Suite, where you can see the list of captured requests.

  1. Locate the first login request you made (e.g., the one containing the credentials user1 and pass1).
  2. Right-click on that specific request in the history list. This will open a context menu with many options.
  3. From this context menu, find and select the option Send to Comparer.

This action takes a copy of the selected request and loads it into the Comparer tool. The Comparer tab at the top of the Burp Suite window should now be highlighted or change color, indicating that it has received new data. You can click on the Comparer tab to confirm that one item has been loaded.

Right-Click the Second Request and 'Send to Comparer'

Now, you will send the second login request to the Comparer tool. This will provide the second item needed for the comparison.

  1. Navigate back to the Proxy -> HTTP history tab.
  2. Locate the second login request you made (e.g., the one containing the credentials user2 and pass2).
  3. Right-click on this second request in the history list.
  4. From the context menu that appears, select Send to Comparer again.

After you perform this action, the Comparer tab will now contain both requests. If you switch to the Comparer tab, you will see two items listed, ready to be compared.

In Comparer, Select the Two Items and Click 'Words' to Compare

With both requests loaded into Comparer, you are now ready to perform the actual comparison.

  1. Navigate to the Comparer tab in Burp Suite.
  2. At the top of the Comparer interface, you will see a list of the items you have sent. It should show two items.
  3. Select both items. You can do this by first clicking on the first item, then holding down the Ctrl key and clicking on the second item. Both should now be highlighted.
  4. At the bottom of the window, you will see comparison options. The two main options are Words and Bytes. The Words comparison is ideal for text-based data like HTTP requests because it analyzes differences on a word-by-word basis, making the output very readable. The Bytes comparison performs a byte-level diff, which is more suitable for binary data.
  5. Click the Words button to initiate the comparison.

Burp Suite will now process the two requests and prepare a side-by-side visual comparison.

Analyze the Highlighted Differences Between the Requests

In this final step, you will analyze the results of the comparison to understand what changed between the two requests.

After you click Words, the main panel in the Comparer tab updates to show the two requests side-by-side. Burp Comparer uses a color-coding system to make differences easy to spot:

  • Yellow: Highlights modified data.
  • Pink: Highlights added data.
  • Blue: Highlights deleted data.

Scroll through the two request panels. The scroll bars on the side will also have color markers to help you quickly jump to the locations of changes.

You should be able to clearly see the differences in the request body. The values for the username and password parameters (user1 vs. user2 and pass1 vs. pass2) will be highlighted in yellow, indicating they were modified.

Depending on the web application, you might also notice other differences. For example:

  • The Content-Length header might be different if the new parameter values have a different length.
  • A Cookie header might have changed if the server assigned a new session ID.

By analyzing these highlighted differences, you can quickly understand how a web application responds to different inputs. This is a fundamental technique for discovering a wide range of security vulnerabilities.
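To make the Words versus Bytes distinction and the kinds of differences described above concrete, here is an added Python example (not part of this lab and not Burp's own code) that approximates what Comparer does using Python's difflib: it tokenizes two constructed login requests, classifies each change as modified, added or deleted, and then runs the same pair byte by byte. The two requests, the host name, the cookie values and the tokenization rule are assumptions made for the example; the page does not describe Comparer's exact diff algorithm.

```python
import difflib
import re
from typing import List, Tuple

# Constructed sample requests (not captured from any real site). They stand in
# for the two login POSTs the lab has you collect: same form, different
# credentials, and a session cookie the server rotated between the attempts.
REQUEST_A = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "username=user1&password=pass1"
)
REQUEST_B = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=def456\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "username=user2&password=pass2"
)

# A "word" here (assumed tokenization, not Comparer's documented one) is a run
# of letters, digits or underscores, or a single punctuation character, so
# "user1" and "user2" compare as whole tokens while "username=user1" still
# splits at the "=".
TOKEN = re.compile(r"[A-Za-z0-9_]+|[^\sA-Za-z0-9_]")

# Map difflib opcodes onto the three categories Comparer highlights.
KIND = {"replace": "modified", "insert": "added", "delete": "deleted"}

Change = Tuple[str, str, str]  # (kind, text in A, text in B)


def word_diff(a: str, b: str) -> List[Change]:
    """Word-by-word comparison, the mode the lab uses for HTTP requests."""
    ta, tb = TOKEN.findall(a), TOKEN.findall(b)
    matcher = difflib.SequenceMatcher(a=ta, b=tb, autojunk=False)
    changes: List[Change] = []
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op == "equal":
            continue
        changes.append((KIND[op], " ".join(ta[i1:i2]), " ".join(tb[j1:j2])))
    return changes


def byte_diff(a: str, b: str) -> List[Tuple[str, bytes, bytes]]:
    """Byte-level comparison, the mode better suited to binary data."""
    ba, bb = a.encode(), b.encode()
    matcher = difflib.SequenceMatcher(a=ba, b=bb, autojunk=False)
    changes = []
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op == "equal":
            continue
        changes.append((KIND[op], ba[i1:i2], bb[j1:j2]))
    return changes


def declared_vs_actual_length(request: str) -> Tuple[int, int]:
    """Return (Content-Length as declared, actual body length in bytes).

    Different values between two requests are expected when parameter values
    change length; a mismatch inside one request means the header was not
    updated when the body was edited.
    """
    head, _, body = request.partition("\r\n\r\n")
    match = re.search(r"^Content-Length:\s*(\d+)\s*$", head, re.M | re.I)
    declared = int(match.group(1)) if match else -1
    return declared, len(body.encode())


if __name__ == "__main__":
    print("Words:")
    for kind, old, new in word_diff(REQUEST_A, REQUEST_B):
        print(f"  {kind:8s} {old!r} -> {new!r}")
    print("Bytes:")
    for kind, old, new in byte_diff(REQUEST_A, REQUEST_B):
        print(f"  {kind:8s} {old!r} -> {new!r}")
    for name, req in (("A", REQUEST_A), ("B", REQUEST_B)):
        print(f"Request {name} Content-Length declared/actual:",
              declared_vs_actual_length(req))
```

Run as a script, the Words view reports three modified tokens (the session cookie, the username and the password), which is the readable result you expect from Comparer. The Bytes view of the same pair reports the rotated cookie as one six-byte block but each credential as a single changed byte, which is why the word-level mode is the better default for text such as HTTP requests and the byte-level mode is reserved for binary data.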

Summary

In this lab, you have learned the fundamental workflow of using Burp Comparer to analyze HTTP requests. You successfully generated network traffic, isolated two similar requests from your proxy history, and sent them to the Comparer tool. By performing a word-based comparison, you were able to visually identify the exact differences between the two requests.

This skill is essential for many web security testing tasks, such as analyzing authentication mechanisms, testing for parameter tampering, and identifying potential injection points by observing how an application's response changes with different inputs.