In my previous post on penetration testing I mentioned various tools that I use for web application testing. In this post and future posts, I will go into some of these tools and how I use them. This post will be over Tamper Data, which is probably the add-on I use most for penetration testing.
Tamper Data is used for monitoring and editing requests made to a server. When you start Tamper up and refresh a page, or have a page that automatically refreshes or uses AJAX, you will see the requests in the top portion of the window. When one is selected, the bottom portion displays both the request headers you sent and the response headers you received. These are useful for determining information about the server, monitoring background processes on a site (such as AJAX requests), and seeing all the various files and locations that are loaded when you view the page. While this is useful for reconnaissance work and gaining initial information on a target, this is not where Tamper’s strong suit lies. As the name suggests, Tamper Data is for … tampering with data.
Even though Tamper is running and capturing headers for requests and responses, tampering has not actually been started. Clicking “Start Tamper” enables tampering with the data. Now, when Tamper notices an outgoing request it will halt that request and ask for approval. You are then presented with three options to proceed, along with a check box to discontinue tampering. If you unselect the check box, Tamper goes back into passive mode and lets you work, undisturbed, on the current request.
Submit: This simply sends the request as-is. Normally I use this if unsuspecting traffic gets caught up in Tamper’s web, such as Gmail, which makes AJAX requests.
Abort Request: This should be a fairly obvious option. It will stop the request from being sent. I generally use this when I am testing a potentially malicious site. In the case that a client asks me to review some code, or I am analyzing a piece of Cross Site Scripting code, I will use Tamper to allow the request to be made but to stop it before any of the data is actually transferred. I would recommend using this only after looking over the code. Some Cross Site Scripting code does not need to make a request to be dangerous, and in those cases Tamper is a poor defense.
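To make the two uses described above concrete (reading what the response headers reveal about the server, and recording exactly which fields of a request changed between the captured original and the version that was submitted), here is an added example that works on the raw header text the bottom pane displays. This is my own illustration, not code from the Tamper Data add-on; the request and response blocks, the server version strings and the edited request are all constructed sample data, and the list of disclosure headers is a reasonable starting point rather than anything the add-on defines.

```python
"""Parse raw HTTP header blocks as shown by an intercepting add-on such as
Tamper Data, report response headers that disclose server software, and
diff an original request against its edited copy.  Added example; the
sample header blocks below are constructed, not captured from a real site."""

from typing import Dict, Optional, Tuple

# Response headers that commonly disclose server software and versions.
# A site owner reviewing their own responses would want these trimmed.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")

# Constructed sample of what the request pane might show for one request.
SAMPLE_REQUEST = """GET /account/settings HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0
Cookie: session=abc123; prefs=dark
Referer: http://www.example.com/account
"""

# Constructed sample of the matching response headers (versions invented).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Set-Cookie: prefs=dark; path=/
"""

# Constructed copy of the request after editing in the tamper dialog:
# the User-Agent was changed and the Referer removed.
SAMPLE_EDITED_REQUEST = """GET /account/settings HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.0) Firefox/3.0
Cookie: session=abc123; prefs=dark
"""


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw header block into its start line and a header dict.

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    treats them.  Repeated headers are joined with ', ' as RFC 2616 allows
    for list-valued fields.  Only the first ':' separates name and value,
    so values such as 'Host: example.com:8080' survive intact.
    """
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    start_line, header_lines = lines[0], lines[1:]
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return start_line, headers


def server_disclosures(response_raw: str) -> Dict[str, str]:
    """Return the response headers that reveal server software.

    These are the fields a tester reads during reconnaissance and the
    ones a site owner should review for unnecessary version detail.
    """
    _, headers = parse_headers(response_raw)
    return {k: v for k, v in headers.items() if k in DISCLOSURE_HEADERS}


def diff_requests(original_raw: str,
                  edited_raw: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Report which headers differ between the captured and edited request.

    Maps header name -> (value before, value after); None marks a header
    that was absent on one side.  Useful for writing up exactly what was
    changed in a test rather than relying on memory.
    """
    _, before = parse_headers(original_raw)
    _, after = parse_headers(edited_raw)
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


if __name__ == "__main__":
    start, _ = parse_headers(SAMPLE_REQUEST)
    print("Request:", start)
    print("Server disclosures:", server_disclosures(SAMPLE_RESPONSE))
    print("Edited fields:", diff_requests(SAMPLE_REQUEST, SAMPLE_EDITED_REQUEST))
```

The header parser is deliberately tolerant of blank lines and mixed-case names because the text copied out of the add-on's pane is not always tidy; the disclosure check and the diff are both built on top of it so the same parse is reused.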
As this is an introduction to the usage of Tamper, I won’t go into advanced usage of the tool nor will I go into exactly how I execute some exploits with it. I leave you to tamper with Tamper.