Burp Comparer Documentation
Burp Comparer is a simple tool for performing a comparison (a visual "diff")
between any two items of data. Some common uses for Burp Comparer are as
- When looking for username enumeration conditions, you can compare
responses to failed logins using valid and invalid usernames, looking
for subtle differences in the responses.
- When an Intruder attack has resulted in some very large responses
with different lengths than the base response, you can compare these to
quickly see where the differences lie.
- When comparing the site maps or
Proxy history entries generated by
different types of users, you can compare pairs of similar requests to
see where the differences lie that give rise to different application
- When testing for blind SQL injection bugs using Boolean condition
injection and other similar tests, you can compare two responses to see
whether injecting different conditions has resulted in a relevant
difference in responses.
Loading Raw Data
You can load data into Comparer in the following ways:
- Paste it directly form the clipboard.
- Load it from file.
- Select data anywhere within Burp, and choose "Send to Comparer" from
the context menu.
Each item of loaded data is shown in two identical lists. To perform a comparison, select a different item from
each list and click one of the "Compare" buttons:
- Word compare - This comparison tokenizes each item of data based on whitespace
delimiters, and identifies the token-level edits required to transform the
first item into the second. It is most useful when the interesting differences
between the compared items exist at the word level, for example in HTML
documents containing different content.
- Byte compare - This comparison identifies the byte-level edits
required to transform the first item into the second. It is most useful
when the interesting differences between the compared items exist at the
byte level, for example in HTTP requests containing subtly different values
in a particular parameter or cookie value.
Note: The byte-level comparison is considerably more computationally
intensive, and you should normally only employ this option when a word-level
comparison has failed to identify the relevant differences in an informative
When you initiate a comparison, a new window appears showing the results of
the comparison. The title bar of the window indicates the total number of
differences (i.e. edits) between the two items. The two main panels show the compared items colorized
to indicate each modification, deletion and addition required to transform the
first item into the second.
You can view each item in text or hex form. Selecting the "Sync views"
option will enable you to scroll the two panels simultaneously and so quickly identify
the interesting edits in most situations.
Thursday, September 8, 2016
This release introduces a new scan check for second-order SQL injection vulnerabilities. In situations where Burp observes stored user input being returned in a response, Burp Scanner now performs its usual logic for detecting SQL injection, with payloads supplied at the input submission point, and evidence for a vulnerability detected at the input retrieval point.
See all release notes ›