TamperIE

TamperIE

TamperIE is an Internet Explorer Browser Helper Object which allows tampering with HTTP requests from Internet Explorer 5 and above.  If you haven't installed it yet, you can get ithere.

WARNING: This tool makes it simple to do very bad things to poorly written code.  Malicious use of this tool against third-parties is a violation of federal, state, and local laws.  Be smart.

TamperIE is a useful tool for security testing your web applications, in order to ensure you don't make foolish assumptions about the data sent by client browsers.  Since the tool exposes and allows tampering with otherwise inconvenient input, many user-input security flaws immediately become apparent.

SSL? TamperIE works inside IE itself, before data is placed on the wire; this means that it works fine even against SSL secured sites. 

Need more power? You might find the Fiddler HTTP Debugging Proxy more powerful, as it supports an automated scripting engine.

Using TamperIE

For this example, you can follow along here:  http://www.bayden.com/sandbox/shop/

Visiting the sample URL above presents a simple web-based shopping cart.

       

Wow, what a great tablet!  But $1995 seems kinda pricey, doesn't it?  Hrm... What to do?

Click the TamperIE icon on the toolbar.

   

Ensure the topmost checkbox is checked, like so:

   

Close the dialog.

Now, in the page, click Order! and the TamperIE editing dialog is shown.

           

ControlFunctionURL EditboxThis box contains the URL which is being requested from the server.  This field is editable.  So, for instance, you can change theSend Altered DataThis button will send the edited HTTP request to the specified URL.Send Original DataThis button will send the unedited HTTP request to the original URL.CookiesThis tab presents a read-only view of the cookies which are being sent to the server.

You can edit your cookies by editing the cookie file on disk or using a great browser plugin like CookieSpy.

Raw HeadersThis tab presents a read/write view of the custom HTTP headers which are being sent to the server.  These are rarely used by web pages, but can be useful in some circumstances.  For instance, sometimes web sites will not check authorization if "secret" HTTP headers are present in the request.Raw PostThis tab presents a read/write view of the HTTP POST body which is being sent to the server.  This is where TamperIE shines.

Many web applications are coded very poorly, and implicitly trust data sent by the POST body. Some corporations mistakenly think that if the HTTP Header "Referer" is correct, the POST data must have been generated securely.  Wrong.

PrettyPostThis tab presents a "pretty" read/write view of the HTTP POST body.  POSTs are generally URL encoded, and this editing grid allows easy tampering.  More on this in a moment.

Notice anything interesting about the POST data? 

         

Hrm... A coincidence?  Let's see...  Click on the PrettyPost tab.

       

The POST form data is neatly broken down into name/value pairs in the grid.  See thePrice field?  Click it to set focus to it.

The Value dropdown box to the right of the Edit Fieldlabel contains a number of pre-built attack strings which are known to cause problems for many web-based applications.  These vulnerabilities include SQL injection, buffer overflow, cross-site scripting, etc.

           

Note: If you'd like to customize this list, simply create a file namedhackstrings.txt in the folder which contains ietamper.dll.  This file should contain one attack string per line.

In this case, however, we're not trying to crash the server, we're trying to get a discount on a computer.  Change the1995.00 value to 10.00

Click the Raw Post tab to see the change reflected in the raw post data:

       

Click the Send Altered Data button at the top-right of the dialog box.  The TamperIE dialog will close and the tampered request will be sent to the server.

       

Note:  SSL-encryption would have done nothing to foil this attack, since the data is being altered by the original submitter.  The vulnerability here is that the web site is blindly trusting a POST instead of performing a database lookup.  Amazingly, a huge number of shopping carts work this way, either for the actual product, or for the shipping cost.

TamperIE Control Panel

The TamperIE Control Panel allows you to control when you are prompted to tamper with requests.

Start the TamperIE Control Panel referenced in the IE toolbar.  (If the icon isn't visible, right-click the IE toolbar, and chooseCustomize).

       

The following dialog will appear:

       

OptionFunctionTamper with HTTP POSTs Show the TamperIE dialog when a form is submitted with METHOD=POSTTamper with HTTP GETsShow the TamperIE dialog whenever a HTTP GET is performed.Tamper with GET requests for the following filesShow the TamperIE dialog whenever a HTTP GET is performed and the resource addressends with the specified text.

For instance, given the filter in the above screenshot, the following URL requests will match:
     www.washingtonpost.com/article.html?q=12311
     www.banker.com/payee.html?id=321312&amt=1231
     www.bayden.com/register.asp?product=TamperIE
     www.microsoft.com/passport/register.asp#FAQ
etc...

If this box contains a *,all GET requests will match the filter.

Only tamper with GETs with Query string parametersShow the TamperIE dialog only when a HTTP GET is performed and there is query string data in the URL.  Query string data is found in the URL after the ? character.  For instance, in this Google hit, query data is shown in Red.http://www.google.com/search?hl=en&q=hacker

---

Please send questions and bug reports to the author.