TamperIE

TamperIE is an Internet Explorer Browser Helper Object which allows tampering with HTTP requests from Internet Explorer 5 and above.  If you haven't installed it yet, you can get it here.

WARNING: This tool makes it simple to do very bad things to poorly written code.  Malicious use of this tool against third-parties is a violation of federal, state, and local laws.  Be smart.

TamperIE is a useful tool for security testing your web applications, in order to ensure you don't make foolish assumptions about the data sent by client browsers.  Since the tool exposes and allows tampering with otherwise inconvenient input, many user-input security flaws immediately become apparent.

SSL? TamperIE works inside IE itself, before data is placed on the wire; this means that it works fine even against SSL-secured sites.

Need more power? You might find the Fiddler HTTP Debugging Proxy more powerful, as it supports an automated scripting engine.

Using TamperIE

For this example, you can follow along here:  http://www.bayden.com/sandbox/shop/

Visiting the sample URL above presents a simple web-based shopping cart.

Wow, what a great tablet!  But $1995 seems kinda pricey, doesn't it?  Hrm... What to do?

Click the TamperIE icon on the toolbar.

Ensure the topmost checkbox is checked, like so:

Close the dialog.

Now, in the page, click Order! and the TamperIE editing dialog is shown.

Control              Function
URL Editbox          This box contains the URL which is being requested from the server.  This field is editable.  So, for instance, you can change the
Send Altered Data    This button will send the edited HTTP request to the specified URL.
Send Original Data   This button will send the unedited HTTP request to the original URL.
Cookies              This tab presents a read-only view of the cookies which are being sent to the server.  You can edit your cookies by editing the cookie file on disk or by using a browser plugin such as CookieSpy.
Raw Headers          This tab presents a read/write view of the custom HTTP headers which are being sent to the server.  These are rarely used by web pages, but can be useful in some circumstances.  For instance, sometimes web sites will not check authorization if "secret" HTTP headers are present in the request.
Raw Post             This tab presents a read/write view of the HTTP POST body which is being sent to the server.  This is where TamperIE shines.  Many web applications are coded very poorly and implicitly trust data sent in the POST body.  Some corporations mistakenly think that if the HTTP "Referer" header is correct, the POST data must have been generated securely.  Wrong: the Referer is set by the same browser that sends the tampered body.
PrettyPost           This tab presents a "pretty" read/write view of the HTTP POST body.  POSTs are generally URL encoded, and this editing grid allows easy tampering.  More on this in a moment.

Notice anything interesting about the POST data? 

Hrm... A coincidence?  Let's see...  Click on the PrettyPost tab.

The POST form data is neatly broken down into name/value pairs in the grid.  See the Price field?  Click it to set focus to it.

The Value dropdown box to the right of the Edit Field label contains a number of pre-built attack strings which are known to cause problems for many web-based applications.  These vulnerabilities include SQL injection, buffer overflow, cross-site scripting, etc.

Note: If you'd like to customize this list, simply create a file named hackstrings.txt in the folder which contains ietamper.dll.  This file should contain one attack string per line.

In this case, however, we're not trying to crash the server; we're trying to get a discount on a computer.  Change the 1995.00 value to 10.00.

Click the Raw Post tab to see the change reflected in the raw post data:

Click the Send Altered Data button at the top-right of the dialog box.  The TamperIE dialog will close and the tampered request will be sent to the server.

Note:  SSL encryption would have done nothing to foil this attack, since the data is being altered by the original submitter before it is encrypted.  The vulnerability here is that the web site blindly trusts the price in the POST instead of looking the price up in its own database.  Amazingly, a huge number of shopping carts work this way, either for the actual product price or for the shipping cost.
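The fix described in this note, as an added example (not TamperIE's or the sandbox shop's own code): an order handler that believes the posted Price field beside a hardened one that ignores it and looks the price up server-side, plus a check that flags a tampered price for logging.  The catalog, the request bodies and the field names Product and Qty are constructed assumptions; only Price and 1995.00 come from the walkthrough.

```python
from urllib.parse import parse_qs

# Server-side price list (constructed sample data). In a real shop this is the
# database lookup the note recommends; it is the only trustworthy price source.
CATALOG = {"tablet": 1995.00}

# Constructed request bodies: what the browser sends, and what the PrettyPost
# edit in the walkthrough turns it into (field names Product/Qty are assumed).
ORIGINAL_POST = "Product=tablet&Price=1995.00&Qty=1"
TAMPERED_POST = "Product=tablet&Price=10.00&Qty=1"
# The Referer is still correct: TamperIE edits the request inside IE, so the
# browser sets the header exactly as it would for an untampered submission.
HEADERS = {"Referer": "http://www.bayden.com/sandbox/shop/"}


def parse_post_body(raw_body: str) -> dict:
    """Break a URL-encoded POST body into name/value pairs, as PrettyPost does."""
    return {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}


def vulnerable_order_total(raw_body: str, headers: dict) -> float:
    """The shopping-cart bug from the walkthrough: the posted Price is believed.
    The Referer check does not help, because the tampered request carries it."""
    if not headers.get("Referer", "").startswith("http://www.bayden.com/"):
        raise PermissionError("bad referer")
    fields = parse_post_body(raw_body)
    return float(fields["Price"]) * int(fields.get("Qty", "1"))


def hardened_order_total(raw_body: str) -> float:
    """Never reads Price from the client: the product id selects the catalog price."""
    fields = parse_post_body(raw_body)
    product = fields.get("Product")
    if product not in CATALOG:
        raise ValueError("unknown product")
    qty = int(fields.get("Qty", "1"))
    if qty < 1:
        raise ValueError("quantity must be positive")
    return CATALOG[product] * qty


def price_was_tampered(raw_body: str) -> bool:
    """Detection aid: a posted Price that disagrees with the catalog means the
    client edited the form. Log it, but charge the catalog price regardless."""
    fields = parse_post_body(raw_body)
    product = fields.get("Product")
    if product not in CATALOG or "Price" not in fields:
        return False
    try:
        return float(fields["Price"]) != CATALOG[product]
    except ValueError:
        return True
```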

TamperIE Control Panel

The TamperIE Control Panel allows you to control when you are prompted to tamper with requests.

Open the TamperIE Control Panel from its icon on the IE toolbar.  (If the icon isn't visible, right-click the IE toolbar and choose Customize.)

The following dialog will appear:

Option                                              Function
Tamper with HTTP POSTs                              Show the TamperIE dialog when a form is submitted with METHOD=POST.
Tamper with HTTP GETs                               Show the TamperIE dialog whenever an HTTP GET is performed.
Tamper with GET requests for the following files    Show the TamperIE dialog whenever an HTTP GET is performed and the resource address (the part before any ? or #) ends with the specified text.

    For instance, given the filter in the above screenshot, the following URL requests will match:
         www.washingtonpost.com/article.html?q=12311
         www.banker.com/payee.html?id=321312&amt=1231
         www.bayden.com/register.asp?product=TamperIE
         www.microsoft.com/passport/register.asp#FAQ
    etc...

    If this box contains a *, all GET requests will match the filter.

Only tamper with GETs with Query string parameters  Show the TamperIE dialog only when an HTTP GET is performed and there is query string data in the URL.  Query string data is found in the URL after the ? character.  For instance, in the Google URL http://www.google.com/search?hl=en&q=hacker the query data is hl=en&q=hacker.

Please send questions and bug reports to the author.
