Exploring 'Tamper Data' and 'View Source Chart' Extensions

By balaji

June 16, 2006

In our last post on ‘<a
href="http://plynt.com/blog/2006/04/firefox-extensions-for-the-sec/">FF extensions’, we introduced you to a few useful ones that come in handy during application penetration testing. Here I wish to explore some of them. Let's look at ‘Tamper Data’ and ‘<a
href="http://jennifermadden.com/scripts/ViewRenderedSource.html">View Rendered Source
Chart’ extensions as they are my favourites.

The ‘tamper data’ extension is more like a web proxy editor. It allows us to manipulate the html requests and responses while just passing on the image requests and responses by default. The best part of this extension is the predefined set of context menu entries that makes tampering with parameters so much easier. These context menu entries include static elements such as SQL, XSS and others that can be used over any parameter and dynamic elements such as User-Agent that can be used only over a User-Agent parameter. In addition, we can add our own elements and assign desired labels for them. This dialog box shows an SQL element with a label for manipulating a numeric field.

Tamper Data.JPG

While these are some salient features, the extension lacks few features of a common web proxy editor such as logging and custom interception options. As an application tester, I would want to have a log of all the requests and responses executed during the testing of the application. Though there is an option to export the session to an XML file, you would need to create an XSL template to render the xml file as desired.

Let’s now take ‘View Rendered Source Chart’ extension. This one was recently renamed as ‘View Source Chart’. This extension displays the source code of the webpage in a completely structured manner enabling easier understanding of the various containers or tags used in the code. This considerably increases the efficiency of source code analysis. But it wasn’t
this feature that caught my attention.

When I first used this extension to read the source code of the home page of our Plynt website, I was amazed to see an email address displayed.

Source Chart.JPG

This was because we had obscured the email addresses on our site through javascripts to avoid harvesting by spambots. So the source code displayed only the obscure code while the browsers displayed the email addresses. But the beauty of this extension is that the source code is displayed in a rendered form rather than the original form. Hence, the extension displays the source code in the form that the browser interprets it and not the way it exists on the server. You can learn more about rendered source <a

So you may be wondering, the bot resistant code we created isn’t really bot resistant after all. But as we discussed in <a
href="http://palisade.plynt.com/issues/2006Mar/quiz/?show=ans">this quiz,
email harvesters are unlikely to begin interpreting javascript as they would get stuck in infinite loops or crash due to malformed javascripts.

Tags: Uncategorized