In my previous post on penetration testing I mentioned various tools that I use for web application testing. In this post and future posts, I will go into some of these tools and how I use them. This post covers Tamper Data, which is probably the add-on I use most for penetration testing.
Tamper Data is used for monitoring and editing requests made to a server. When you start Tamper up and refresh a page, or view a page that automatically refreshes or uses AJAX, you will see the requests in the top portion of the window. When a request is selected, the bottom portion displays both the request headers you sent and the response headers you received. These can be useful for determining information about the server, monitoring background processes on a site (such as AJAX requests), and seeing all the various files and locations that are loaded when you view the page. While this is useful for reconnaissance work and gaining initial information on a target, this is not where Tamper’s strong suit lies. As the name suggests, Tamper Data is for … tampering with data.
Even though Tamper is running and capturing headers for requests and responses, tampering has not actually been started. By clicking “Start Tamper” we enable tampering with data. Now, when Tamper notices an outgoing request it will halt that request and ask for approval. You are then presented with three options to proceed, along with a check box to discontinue tampering. If you unselect the check box, Tamper will go back into passive mode and let you work, undisturbed, on the current request.
Submit: This simply sends the request as-is. Normally I use this when unrelated traffic gets caught up in Tamper’s web, such as the AJAX requests Gmail makes in the background.
Abort Request: This should be a fairly obvious option. It stops the request from being sent. I generally use this when I am testing a potentially malicious site. When a client asks me to review some code, or I am analyzing a piece of Cross Site Scripting code, I use Tamper to let the request be made but stop it before any of the data is actually transferred. I would recommend using this only after looking over the code. Some Cross Site Scripting code does not need to make a request to be dangerous, and in those cases Tamper is a poor defense.
Tamper: Here is where the real meat and potatoes of Tamper lie. When you choose to tamper with the request you are brought to a new window. At the top of the window is the URL the request is being sent to. In the case of a POST, this saves us the effort of looking through the HTML (and potentially JavaScript) for where the request is to be sent. On the left-hand side of the window we have the request headers and their values, and we can modify them on the spot. Instead of using JavaScript injection to modify cookie data, we can simply change it in the request header; we can set our Referer to anything we want, or even spoof our User-Agent. For Referer and User-Agent changes I recommend other tools, but Tamper is the Swiss army knife of my Firefox plug-in tool set and I have used it over the others for such actions. Finally, we reach the right-hand side of the window. This is the POST data of the request. Here we can see which POST fields are sent and the values they are sent with. By right-clicking we can add other elements, and we can modify the values of existing fields. Again, this saves us the effort of using JavaScript to bypass client-side restrictions on what values may be sent, or to submit a value that is not one of a select element’s options. When finished tampering, simply select OK and watch your request be sent.
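The point the Tamper window makes for a defender is that everything on the left (headers, including cookies and Referer) and on the right (POST fields) is under the client’s control, so a select list or a JavaScript check in the form is not a security control. The following added example (my own code, not part of the original post and not part of Tamper Data) parses a raw POST request of the kind the Tamper window displays into headers and form fields, then applies the server-side validation that must exist regardless of what the form restricts. The request body, the `/order` path, the field names and the allowed values are all constructed for the example.

```python
"""Server-side validation of a POST whose values the browser form restricts.

Added example: not from the original post and not part of Tamper Data.
The request text, path and field names below are constructed samples.
"""
from urllib.parse import parse_qs

# Constructed sample: a POST as a user might rewrite it in the Tamper window,
# with a quantity the form's <select> never offers and an extra "role" field.
TAMPERED_REQUEST = (
    "POST /order HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=abc123\r\n"
    "Referer: https://shop.example/order\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "product=mug&quantity=999&role=admin"
)

# Constructed sample: the same form submitted without tampering.
GOOD_REQUEST = TAMPERED_REQUEST.replace(
    "product=mug&quantity=999&role=admin", "product=mug&quantity=2"
)

# What the server itself permits; this must not be derived from the form.
ALLOWED_PRODUCTS = {"mug", "shirt", "cap"}   # the <select> options on the form
MAX_QUANTITY = 10                            # the highest option the form offers
EXPECTED_FIELDS = {"product", "quantity"}    # the only fields the handler reads


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, form fields).

    Headers are lowercased; for repeated form keys the first value is kept.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, path, headers, fields


def validate_order(fields):
    """Return a list of validation errors; an empty list means the order is valid.

    Every check here duplicates a restriction the form already imposes in the
    browser, because those restrictions are trivially removed on the client.
    """
    errors = []
    unexpected = sorted(set(fields) - EXPECTED_FIELDS)
    if unexpected:
        errors.append("unexpected field(s): " + ", ".join(unexpected))
    missing = sorted(EXPECTED_FIELDS - set(fields))
    if missing:
        errors.append("missing field(s): " + ", ".join(missing))
    if "product" in fields and fields["product"] not in ALLOWED_PRODUCTS:
        errors.append("product not in catalogue: " + fields["product"])
    quantity = fields.get("quantity", "")
    if "quantity" in fields and (
        not quantity.isdigit() or not 1 <= int(quantity) <= MAX_QUANTITY
    ):
        errors.append("quantity out of range: " + quantity)
    return errors


def handle(raw):
    """Minimal handler: (status, message). Authorization is deliberately not
    derived from Cookie or Referer values, which the client can rewrite."""
    method, path, _headers, fields = parse_request(raw)
    if method != "POST" or path != "/order":
        return 404, "not found"
    errors = validate_order(fields)
    if errors:
        return 400, "; ".join(errors)
    return 200, "order accepted: %s x%s" % (fields["product"], fields["quantity"])


if __name__ == "__main__":
    for label, req in (("tampered", TAMPERED_REQUEST), ("good", GOOD_REQUEST)):
        print(label, handle(req))
```

Run as a script, the tampered request is rejected with a 400 and both problems named, while the untouched submission is accepted. The useful habit is the one in `validate_order`: the allowed set and the range live on the server, so editing the POST body in Tamper changes nothing about what is accepted.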
As this is an introduction to the usage of Tamper, I won’t go into advanced usage of the tool nor will I go into exactly how I execute some exploits with it. I leave you to tamper with Tamper.