How to do it...

For this recipe, we will use OWASP Bricks. The following are the steps required:

  1. Go to the first of the content exercises (http://192.168.56.11/owaspbricks/content-1/).
  2. In Burp Suite, go to Proxy | History, locate a GET request that has an id=0 or id=1 at the end of the URL, right-click on it, and from the menu select Send to Repeater:
  3. Now we switch to the Repeater tab.
  4. In Repeater, we can see the original request on the left side. Let's click on Go to view the server's response on the right side:

Analyzing the request and response, we can see that the parameter we sent (id=1) was used by the server to look for a user with that same ID, and that user's information is displayed in the response's body.

  5. So, this page on the server expects a parameter called ID whose numeric value represents a user ID. Let's see what happens if the application receives a letter instead of a number:

The response is an error showing information about the database (MySQL), the parameter types expected, the internal path of the file, and the line of code that caused the error. Displaying such detailed technical information is in itself a security risk.

  6. So, if the expected value is a number, let's see what happens if we send an arithmetic operation. Change the id value to 2-1:

As can be seen, the server executed the operation and returned the information corresponding to user ID 1, the result of our operation. This suggests that the application may be vulnerable to injection attacks. We'll dig deeper into them in Chapter 6, Exploiting Injection Vulnerabilities.
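As an added illustration (not code from the book or from OWASP Bricks), the following Python script reproduces why the three observations in this recipe point to injection: a lookup that pastes the id into the SQL text evaluates 2-1 and raises a database error for a letter, while a lookup that validates the type and binds the value does neither. The users table, the sqlite3 in-memory database and the function names are constructed stand-ins for the Bricks PHP/MySQL page.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the exercise's user table (not the Bricks schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "tom"), (2, "jerry")])
    return conn


def lookup_concat(conn, user_id):
    """Vulnerable pattern: the id parameter becomes part of the SQL text.

    'WHERE id = 2-1' is evaluated by the database engine, and 'WHERE id = a'
    makes the engine complain about an unknown column, which is the kind of
    error the recipe sees echoed back to the browser.
    """
    return conn.execute("SELECT id, name FROM users WHERE id = " + user_id).fetchone()


def lookup_param(conn, user_id):
    """Hardened pattern: validate the type first, then bind the value as data."""
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (int(user_id),)
    ).fetchone()


def try_lookup(lookup, conn, user_id):
    """Return ('row', record) or ('error', message), mirroring what the tester observes."""
    try:
        return ("row", lookup(conn, user_id))
    except Exception as exc:  # sqlite3 errors for concat, ValueError for param
        return ("error", str(exc))


def evaluates_arithmetic(lookup, conn):
    """The recipe's check: does id=2-1 produce the same record as id=1?"""
    return try_lookup(lookup, conn, "2-1") == try_lookup(lookup, conn, "1")


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", lookup_concat), ("parameterized", lookup_param)):
        print(name, "id=1:", try_lookup(fn, db, "1"))
        print(name, "id=a:", try_lookup(fn, db, "a"))
        print(name, "id=2-1:", try_lookup(fn, db, "2-1"))
        print(name, "evaluates arithmetic:", evaluates_arithmetic(fn, db))
```

With the concatenated lookup, id=2-1 returns user 1 exactly as in the recipe; with the parameterized lookup the same input is rejected before it reaches the database, and no engine error text is produced.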
