How to do it...

Ensure Burp and OWASP BWA VM are running and that Burp is configured in the Firefox browser used to view the OWASP BWA applications.

  1. From the OWASP BWA Landing page, click the link to the OWASP Mutillidae II application.
  2. Open the Firefox browser to the login screen of OWASP Mutillidae II. From the top menu, click Login.
  3. Find the request you just performed within the Proxy | HTTP history table. Look for the call to the login.php page:
  4. Make a note of the page parameter that determines the page to load:

Let's see if we can exploit this parameter by providing a URL that is outside the application. For demonstration purposes, we will use a URL that we control in the OWASP BWA VM. However, in the wild, this URL would be attacker-controlled instead.

  5. Switch to the Proxy | Intercept tab, and press the Intercept is on button.
  6. Return to the Firefox browser, and reload the login page. The request is paused and held within the Proxy | Intercept tab:
  7. Now let's change the value of the page parameter from login.php to a URL that is external to the application. Let's use the login page of the GetBoo application. Your URL will be specific to your machine's IP address, so adjust accordingly. The new URL will be http://<your_IP_address>/getboo/
  8. Replace the login.php value with http://<your_IP_address>/getboo/ and click the Forward button:
  9. Now press the Intercept is on button again to toggle intercept to off (the button reads Intercept is off).
  10. Return to the Firefox browser, and notice the page loaded is the GetBoo index page within the context of the Mutillidae application!
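What the last step shows is an application that trusts the page parameter outright: whatever arrives in it is what gets loaded. The following Python is an added example, not code from the book, from Mutillidae, or from OWASP BWA. It places that trusting resolver beside an allowlisted one that refuses anything carrying a scheme or host, and adds a small detection pass over constructed access-log lines so the same condition can be spotted in traffic. The allowlist contents, the function names, the log format and the 192.0.2.10 address are all assumptions made for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist of pages the application is meant to serve.
# These names are an assumption for this example, not Mutillidae's own list.
ALLOWED_PAGES = {"login.php", "home.php", "register.php"}


def resolve_page_unchecked(page: str) -> str:
    """Trusting pattern: the page parameter is used as-is.

    An absolute URL therefore resolves to an external site, which is the
    behaviour observed in the walkthrough above.
    """
    return page


def resolve_page_allowlisted(page: str, default: str = "home.php") -> str:
    """Hardened pattern: only a known page name is ever resolved.

    Anything that parses as an absolute or protocol-relative URL, contains a
    path separator, traversal sequence or NUL byte, or is simply not on the
    allowlist falls back to the default page.
    """
    parts = urlsplit(page)
    if parts.scheme or parts.netloc:
        return default
    if "/" in page or "\\" in page or ".." in page or "\x00" in page:
        return default
    if page not in ALLOWED_PAGES:
        return default
    return page


# Constructed access-log style request lines (assumed format: METHOD TARGET VERSION).
SAMPLE_LOG = [
    "GET /mutillidae/index.php?page=login.php HTTP/1.1",
    "GET /mutillidae/index.php?page=http://192.0.2.10/getboo/ HTTP/1.1",
    "GET /mutillidae/index.php?page=home.php HTTP/1.1",
]


def flag_external_page_values(log_lines):
    """Detection helper: return every page= value that carries a scheme or host.

    Such a value should never appear for an application that only serves
    local page names, so each hit is worth an alert or a review.
    """
    flagged = []
    for line in log_lines:
        fields = line.split(" ")
        if len(fields) < 2:
            continue  # not a request line in the assumed format
        query = urlsplit(fields[1]).query
        for value in parse_qs(query).get("page", []):
            value_parts = urlsplit(value)
            if value_parts.scheme or value_parts.netloc:
                flagged.append(value)
    return flagged


if __name__ == "__main__":
    external = "http://192.0.2.10/getboo/"
    print("unchecked  :", resolve_page_unchecked(external))
    print("allowlisted:", resolve_page_allowlisted(external))
    print("flagged    :", flag_external_page_values(SAMPLE_LOG))
```

The allowlist check deliberately tests for a host (`netloc`) as well as a scheme, so a protocol-relative value such as `//192.0.2.10/getboo/` is rejected even though it has no `http:` prefix; the detection pass uses the same test so that what the resolver refuses is also what the logs surface.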
