Tamper IE/Firefox

Users can tamper with HTTP requests and view and modify GET query parameters, HTTP/HTTPS headers and POST parameters from Internet Explorer 5+ and Firefox 3+ by using the IE/Firefox tamper tool. Since the tool exposes and allows tampering with inconvenient input, it can help users detect user-input security flaws (e.g. XSS and SQL injection vulnerabilities).

WARNING: This tool makes it simple to carry out malicious attacks against poorly-written code. Such willful use of this tool against third-parties is a violation of federal, state, and local laws.

Important Request Builder features include:

·Works with secure HTTPS connections.  
·Modifying HTTP request headers.  
·Modifying IE/Firefox Cookie.  
·Build or Modify Query Strings.  
·Build or Modify POST form-urlencoded data or other raw (e.g. xml) data.  


Tamper IE/Firefox Control Panel
Clicking "Tools->Tamper IE/Firefox..." shows the following control panel, which is then ready to tamper with IE/Firefox HTTP requests. The Control Panel allows you to control when you are prompted to tamper with requests.

[Screenshot: tamper_control_panel]
Control: Function
·Start: Enable Tamper IE/Firefox requests.
·Stop: Disable Tamper IE/Firefox requests.
·Tamper with HTTP POSTs: Show the Tamper editor dialog when a form is submitted with METHOD=POST.
·Tamper with HTTP GETs: Show the Tamper editor dialog whenever an HTTP GET is performed.
·Only tamper with GETs with Query string parameters: Show the Tamper editor dialog only when an HTTP GET is performed and there is query string data in the URL. Query string data is found in the URL after the ? character. For instance, in this Google search URL the query data is hl=en&q=httpanalyzer: http://www.google.com/search?hl=en&q=httpanalyzer
·Tamper requests for the following URLs: Show the Tamper editor dialog whenever an HTTP GET is performed and the resource address contains the specified text. For instance, given the filter in the above screenshot, the following URL requests will match:
www.onlineby.com/checkout.html
http://www.google.com/search?hl=en&q=httpanalyzer
http://www.ieinspector.com/test/testpost.htm
etc...
·Disabled URL Filter: Disable or enable the URL filter function. With the filter disabled, all GET/POST requests will match.



When the tamper control panel is shown and the "Start" button is down, if the browser navigates to a URL that matches the tamper filter, the Tamper IE/Firefox request editor dialog is shown.

[Screenshot: tamper_editor]

Control: Function
·Send Altered Data: This button will send the edited HTTP request to the specified URL.
·Send Original Data: This button will send the unedited HTTP request to the original URL.
·Abort Request: This button will cancel the request and abort immediately.
·URL Editbox: This box contains the URL which is being requested from the server. This field is editable.
·Query Params: This button will show the "Query String Editor" dialog. It presents a "pretty" read/write view of the URL query part. The query part is URL encoded. The dialog allows you to add or modify the query string easily.
·Raw Headers: This tab presents a read/write view of the custom HTTP headers which are being sent to the server.
·Cookies: This tab presents a read/write view of the cookies which are being sent to the server.
·Raw Post Data: This tab presents a read/write view of the HTTP POST body which is being sent to the server. This is where Tamper IE/Firefox shines. Many web applications are coded very poorly, and implicitly trust data sent by the POST body. Some corporations mistakenly think that if the HTTP header "Referer" is correct, the POST data must have been generated securely. Wrong.
·Edit Post Data: This button will show the "Post Data Editor" dialog. It presents a "pretty" read/write view of the HTTP POST body. POSTs are generally URL encoded, and this editor dialog allows easy tampering.
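
The point above about the "Referer" header, as an added example (not part of the original help page or the tool's code): a handler that treats a matching Referer as proof the POST body is untouched, beside one that validates each field and takes the price from the server. The catalog, URL and form field names are constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed server-side catalog: the only trusted source of prices (in cents).
CATALOG = {"sku-100": 4999}
TRUSTED_REFERER = "https://shop.example.test/cart"  # hypothetical URL


def total_trusting_client(headers, body):
    """Weak pattern: a matching Referer is taken as proof the form is intact."""
    if headers.get("Referer") != TRUSTED_REFERER:
        raise PermissionError("bad referer")
    form = parse_qs(body)
    # Price and quantity are read straight from the client-controlled body.
    return int(form["price"][0]) * int(form["qty"][0])


def total_validated(headers, body):
    """Hardened pattern: each field is validated; the price comes from the server."""
    form = parse_qs(body, strict_parsing=True)
    sku = form.get("sku", [""])[0]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty_raw = form.get("qty", [""])[0]
    if not (qty_raw.isascii() and qty_raw.isdigit()) or not 1 <= int(qty_raw) <= 20:
        raise ValueError("quantity out of range")
    # Any client-supplied "price" field is ignored; Referer plays no role.
    return CATALOG[sku] * int(qty_raw)


# Constructed requests: the form as the page generated it, and an edited copy.
HEADERS = {"Referer": TRUSTED_REFERER}
ORIGINAL_BODY = "sku=sku-100&qty=2&price=4999"
EDITED_BODY = "sku=sku-100&qty=2&price=1"

if __name__ == "__main__":
    print(total_trusting_client(HEADERS, ORIGINAL_BODY))  # 9998
    print(total_trusting_client(HEADERS, EDITED_BODY))    # 2
    print(total_validated(HEADERS, EDITED_BODY))          # 9998
```

Both requests carry the same Referer, so the header cannot distinguish the edited body from the original; only the server-side lookup and range check do.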


When the method is "POST", you can click the "Edit post data..." button to show the "POST Data Editor" dialog and modify the post data.

POST Data Editor Dialog
[Screenshot: hv_postdataeditor]

·Multipart/form-data (upload files): Determines whether the multipart/form-data POST method is used to upload files over HTTP.
·Regenerate Unique Boundary: Determines whether a unique boundary is regenerated when posting multipart/form-data.

When you confirm the changes by clicking the OK button, the "Content-Type" and "Content-Length" headers are automatically recalculated and added to the request headers.

Query String Editor Dialog
[Screenshot: hv_querystringeditor]

The Query String Editor allows you to add or modify the query string.