In our last post on ‘<a href="http://plynt.com/blog/2006/04/firefox-extensions-for-the-sec/">FF extensions</a>’, we introduced you to a few useful ones that come in handy during application penetration testing. Here I wish to explore some of them. Let's look at the ‘Tamper Data’ and ‘<a href="http://jennifermadden.com/scripts/ViewRenderedSource.html">View Rendered Source Chart</a>’ extensions, as they are my favourites.
The ‘Tamper Data’ extension works much like a web proxy editor. It lets us manipulate the HTML requests and responses while, by default, simply passing the image requests and responses through. The best part of this extension is the predefined set of context menu entries that make tampering with parameters much easier. These entries include static elements such as SQL, XSS and others, which can be used on any parameter, and dynamic elements such as User-Agent, which can be used only on a User-Agent parameter. In addition, we can add our own elements and assign the labels we want to them. This dialog box shows an SQL element with a label for manipulating a numeric field.
While these are some salient features, the extension lacks a few features of a common web proxy editor, such as logging and custom interception options. As an application tester, I would want a log of all the requests and responses executed while testing the application. Though there is an option to export the session to an XML file, you would need to create an XSL template to render the XML file as desired.
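As an alternative to writing an XSL template, a short script can turn the exported session into a readable request/response log. This is an added example, not code from the extension or from the original post; the element and attribute names (`tdRequest`, `uri`, `tdRequestHeader` and so on), the percent-encoding of values, and the sample export itself are assumptions to be adjusted to the file you actually get.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample export. Element and attribute names are assumptions
# about the export schema; rename them to match your own export file.
SAMPLE_EXPORT = """<tdRequests>
  <tdRequest uri="http%3A%2F%2Fapp.example.test%2Flogin">
    <tdRequestMethod>POST</tdRequestMethod>
    <tdStatus>302</tdStatus>
    <tdRequestHeaders><tdRequestHeader name="User-Agent">Mozilla%2F5.0</tdRequestHeader></tdRequestHeaders>
    <tdPostElements><tdPostElement name="id">42</tdPostElement></tdPostElements>
    <tdResponseHeaders><tdResponseHeader name="Location">%2Fhome</tdResponseHeader></tdResponseHeaders>
  </tdRequest>
  <tdRequest uri="http%3A%2F%2Fapp.example.test%2Flogo.png">
    <tdRequestMethod>GET</tdRequestMethod>
    <tdStatus>200</tdStatus>
  </tdRequest>
</tdRequests>"""

def _pairs(request, path):
    """Return decoded (name, value) pairs for the child elements at `path`."""
    return [(el.get("name", ""), unquote((el.text or "").strip()))
            for el in request.findall(path)]

def export_to_log(xml_text):
    """Turn an exported session into one log record (dict) per request."""
    records = []
    for req in ET.fromstring(xml_text).iter("tdRequest"):
        records.append({
            "method": (req.findtext("tdRequestMethod") or "").strip(),
            "url": unquote(req.get("uri", "")),
            "status": (req.findtext("tdStatus") or "").strip(),
            "request_headers": _pairs(req, "tdRequestHeaders/tdRequestHeader"),
            "post": _pairs(req, "tdPostElements/tdPostElement"),
            "response_headers": _pairs(req, "tdResponseHeaders/tdResponseHeader"),
        })
    return records

def format_log(records):
    """Render records as plain-text lines suitable for a test report."""
    lines = []
    for n, r in enumerate(records, 1):
        lines.append(f"[{n}] {r['method']} {r['url']} -> {r['status']}")
        for kind in ("request_headers", "post", "response_headers"):
            lines += [f"    {kind}: {k}={v}" for k, v in r[kind]]
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_log(export_to_log(SAMPLE_EXPORT)))
```

Requests that carry no headers or POST data in the export, like the image request in the sample, still produce a summary line, so the log stays complete for the whole session.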
Let’s now take the ‘View Rendered Source Chart’ extension, which was recently renamed ‘View Source Chart’. It displays the source code of the web page in a completely structured manner, making it easier to understand the various containers or tags used in the code. This considerably increases the efficiency of source code analysis. But it wasn’t this feature that caught my attention.
When I first used this extension to read the source code of the home page of our Plynt website, I was amazed to see an email address displayed.
So you may be wondering: the bot-resistant code we created isn’t really bot-resistant after all. But as we discussed in <a