Tuesday, June 19, 2007

Tamper Data: Firefox Add-On for Web-Application Security Testing

(Images have been used for HTML tags and scripts, because tags are not permitted in some Blogspot fields and scripts might get executed in readers' browsers.)

Tamper Data is a very powerful, free add-on for Mozilla Firefox. Truly speaking, I never expected an 80 KB plugin to have so many features.
You can tamper (as the name suggests) with HTTP/HTTPS requests by trapping browser requests and responses, manipulate HTTP headers like Content-Type and Content-Length (useful in HTTP splitting), cookies and POST data, add or delete elements/fields, and, last but not least, you get a good number of built-in test cases which you can try during web-application security testing.

Let's have a quick look at the product and learn some hacking in parallel.... ;-)

Tablet Super Store is an online PC shop (http://www.bayden.com/sandbox/shop/), intentionally designed with a vulnerability so that wannabe penetration testers can test their mettle.






We will also try to hack it, but in a while...

First, some homework with Tamper Data (TD). If you have downloaded and installed the tool from the Mozilla Firefox add-on site (https://addons.mozilla.org/en-US/firefox/addon/966), you will find it under Tools > Tamper Data.
Next, select Start Tamper from the TD menu to trap every web request/response. As you can see in the image below, the moment a request/response is generated it gets trapped between your browser and the web server. You get 3 options:
  1. Tamper (to manipulate it)
  2. Submit (accept the request/response as-is)
  3. Abort Request (stop the data flow before it reaches the web server)

Additionally, it asks "Continue Tampering?" (no explanation needed).




While shopping at the PC Mall, I selected the quantity of PCs I wanted to purchase and clicked ORDER, and I got a pop-up with the three options mentioned above. Let's tamper....
Wow... all HTTP request/response fields are available in an easy-to-understand format (I hope you also prefer the tabular view of HTTP data over the raw view; if you don't understand the raw view at the moment, forget it).

Here comes the best part of TD. As you can see in the image below, you get a good number of options to try on the trapped data: add/delete fields, play with encoding/decoding, try some input validation, cross-site scripting or SQL injection tests.


Let's see what we have for input validation....


A variety of data formats which you can try for input validation, client-side validation and sometimes for buffer overflow tests.
Next comes XSS, or cross-site scripting.

You have a good variety of scripting tests. You may start with the Alert test, which works well on most XSS-vulnerable sites. (Hint: try it in someone's guestbook or feedback form. If the site is XSS vulnerable, she will get a nice pop-up with a hello message written on it.)
Next in the row is SQL (mother of all database hacks).


Try these tests for authentication and authorization testing, i.e. to get the whole list of accounts when you are supposed to have access to only yours, or maybe none :-)
Now back to the online PC shop. So how many to buy...... oh, you can buy only up to 3 PCs in one shot :-(
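To see why the XSS and SQL test lists above find anything at all, here is an added example (my own code, not from the blog post or from Tamper Data) of a tiny guestbook/login backend in two flavours: a version that builds its SQL query from the posted fields and prints guestbook entries raw, beside a version that uses parameterised queries and HTML-escapes output. The account table and the tampered inputs are constructed for the demo; the plaintext passwords are only there to keep it short.

```python
import html
import sqlite3

# Constructed account table (demo only; real code stores password hashes).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, password) VALUES (?, ?)",
        [("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw")],
    )
    return conn


def accounts_for_login_vulnerable(conn, username, password):
    # The posted values are pasted straight into the SQL text, so a password
    # such as  ' OR '1'='1  rewrites the WHERE clause and the lookup for one
    # account turns into the whole account list.
    query = (
        "SELECT username FROM accounts WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def accounts_for_login_hardened(conn, username, password):
    # Parameterised query: the driver passes the values separately from the
    # SQL text, so quotes in the input never change the query structure.
    rows = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    )
    return [row[0] for row in rows]


def render_guestbook_entry_vulnerable(message):
    # Whatever was posted (including a <script> tag) is echoed into the page.
    return "<li>%s</li>" % message


def render_guestbook_entry_hardened(message):
    # Escape <, >, &, " and ' so the browser shows the text instead of running it.
    return "<li>%s</li>" % html.escape(message, quote=True)


if __name__ == "__main__":
    db = make_db()
    # Constructed tampered values of the kind the TD test lists send.
    print(accounts_for_login_vulnerable(db, "alice", "' OR '1'='1"))
    print(accounts_for_login_hardened(db, "alice", "' OR '1'='1"))
    print(render_guestbook_entry_hardened("<script>alert('hello')</script>"))
```

Running it shows the vulnerable login returning every username for a bogus password while the hardened one returns nothing, and the escaped guestbook entry coming back as inert text; that difference is exactly what the Alert and SQL tests in TD probe for.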


Let's tamper... Hmmmmm, so there lies the hidden cost field. How about 5 dollars per PC? And yes, let's buy 30 PCs in one shot....

Bingo!!!!!!!! 30 PCs for $150..... not bad for the first hands-on of web-application penetration testing :-)
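The shop fell because the price travelled in a hidden form field and the 3-PC limit lived only in the browser, both of which TD lets you rewrite. As an added example (my own code, not the bayden.com sandbox's or the blog's), here is a checkout handler in the two shapes: one that trusts the posted cost and quantity, and one that takes the price from a server-side catalogue and enforces the quantity limit itself. The catalogue, the item name and the two POST bodies are constructed for the demo.

```python
from urllib.parse import parse_qs

# Constructed catalogue: the price lives on the server, never in the form.
CATALOGUE = {"tablet-pc": 999}
MAX_QTY_PER_ORDER = 3


class OrderRejected(ValueError):
    """Raised when a posted order fails server-side validation."""


def checkout_vulnerable(post_body):
    # Trusts the hidden 'cost' field and relies on the browser-side
    # quantity limit, so whatever TD sends is what gets charged.
    form = parse_qs(post_body)
    qty = int(form["qty"][0])
    cost = int(form["cost"][0])
    return {"item": form["item"][0], "qty": qty, "total": qty * cost}


def checkout_hardened(post_body):
    form = parse_qs(post_body)
    item = form.get("item", [""])[0]
    if item not in CATALOGUE:
        raise OrderRejected("unknown item")
    try:
        qty = int(form.get("qty", [""])[0])
    except ValueError:
        raise OrderRejected("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY_PER_ORDER:
        raise OrderRejected("quantity out of range")
    # Any client-supplied 'cost' is ignored; the price comes from the catalogue.
    return {"item": item, "qty": qty, "total": qty * CATALOGUE[item]}


def is_rejected(post_body):
    # Small helper so callers can check the outcome without a try/except.
    try:
        checkout_hardened(post_body)
    except OrderRejected:
        return True
    return False


# Constructed requests: what the form normally sends, and the tampered one.
NORMAL_REQUEST = "item=tablet-pc&qty=2&cost=999"
TAMPERED_REQUEST = "item=tablet-pc&qty=30&cost=5"

if __name__ == "__main__":
    print(checkout_vulnerable(TAMPERED_REQUEST))   # 30 PCs for 150
    print(checkout_hardened(NORMAL_REQUEST))       # priced from the catalogue
    print(is_rejected(TAMPERED_REQUEST))           # True
```

The hardened handler also works when the cost field is missing altogether, which is the point: nothing the client sends about price is needed. Rejections of this kind are worth logging, since a quantity above the limit or a cost that disagrees with the catalogue is a clear sign that someone is doing exactly what this post does.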


Similar to TD, you have TamperIE for Internet Explorer. However, TamperIE is not as powerful as TD.

For the geeks..... there are more powerful tools, but everything comes at a cost. Either they are commercial tools (AppScan, WebInspect, Acunetix) or man-in-the-middle proxies (Paros, WebScarab, both free) which require a little better understanding of pen-testing concepts and proxy configuration.

For beginners.. TD is worth a try....

1 comment:

Anonymous said...

Excellent.. Amazing.. I'll bookmark your blog and take the feeds also... I'm happy to find so much useful info here in the post; we need to work out more techniques in this regard. Thanks for sharing.