Tamper Data: what you do not want hackers to know about

What is Tamper Data?

Introduction: Web application developers often assume that most users will follow the rules when they use an application, without giving much thought to the users who generally do not follow the rules, namely hackers. What can happen if a user leaves the fancy interface of a web application and starts working without the restrictions imposed by a browser?

Firefox is the browser that most hackers, and developers too, choose, because it has a very friendly design for accepting add-ons. One of the most popular tools used by hackers in Firefox is an add-on called Tamper Data. Tamper Data is not complex. It's just a proxy, something that sits in between the hacker and the web application. But let's see what it does.

Tamper Data allows a hacker to uncover all of the HTTP "magic" that happens in the background. With it, all GETs and POSTs can be handled without the restrictions imposed by the user interface that the browser shows.

Hackers use Tamper Data because it allows them to interfere with the data sent and received between the client and the server. Using Tamper Data in Firefox on a web application or website shows all the fields that allow the user to log in or, in the case of a malicious user, the gaps that allow a breach. The hacker can then give a field an "alternative value" and start sending the server data that the rules of the application or website do not allow, to see how it will react.

But let's see why this may be dangerous for an application:

Suppose a hacker is browsing an online shop and has filled his shopping cart. The web application shows the value 5, which indicates the quantity of items in the shopping cart.
A hacker using Tamper Data could bypass the drop-down box restrictions that allow users to choose only from a set of values such as "1, 2, 3, 4 and 5". Using Tamper Data, the hacker could enter a different value like "-1" or maybe "0,0000005".

If the developer of the application has not correctly coded the payment validation routine, then a value like "-5" or "0,0000005" could confuse the application, and specifically the formula it uses to calculate the cost (price x quantity). This could cause some unexpected results. If the shopping cart is poorly coded, the hacker may end up with an unintended huge discount, a refund for a product he never bought, or who knows what else.
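The shopping-cart case above as an added example (not code from the original article): a handler that trusts the posted quantity next to one that re-validates it on the server. The catalogue, the SKU and all function names are hypothetical.

```python
from decimal import Decimal

# Constructed catalogue: the price is looked up on the server, never taken from the request.
PRICES = {"sku-1001": Decimal("19.90")}
ALLOWED_QUANTITIES = range(1, 6)  # the same 1..5 the drop-down offers


class InvalidQuantity(ValueError):
    """Raised when the posted quantity is not one the UI could have produced."""


def naive_total(form):
    """'Before': trusts whatever arrived, so "-1" yields a negative total."""
    qty = float(form["quantity"].replace(",", "."))
    return float(PRICES[form["sku"]]) * qty


def parse_quantity(raw):
    """Accept only a short, plain ASCII integer inside the allowed range."""
    if not isinstance(raw, str) or len(raw) > 3 or not raw.isascii() or not raw.isdigit():
        raise InvalidQuantity(f"not a whole number: {raw[:20]!r}")
    qty = int(raw)
    if qty not in ALLOWED_QUANTITIES:
        raise InvalidQuantity(f"out of range: {qty}")
    return qty


def checked_total(form):
    """'After': server-side validation plus exact decimal arithmetic."""
    price = PRICES[form["sku"]]  # an unknown SKU raises KeyError
    return price * parse_quantity(form["quantity"])


def try_order(raw):
    """Return the total for a posted quantity, or None if it is rejected."""
    try:
        return checked_total({"sku": "sku-1001", "quantity": raw})
    except InvalidQuantity:
        return None


if __name__ == "__main__":
    for raw in ["5", "-1", "0,0000005", "6"]:
        print(repr(raw), "->", try_order(raw))
```

The drop-down stays in the page for usability; the range check in `parse_quantity` is the one that actually enforces the rule.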

The possibilities for misusing a web application with Tamper Data are endless. On the other hand, Tamper Data is a great tool if used by application developers to see how applications respond to client-side attacks and how they manage data.

For more information about Tamper Data Add-on for Firefox visit the official page.


Written by giorgos
