This freeware Firefox add-on helps Web site administrators easily test the POST data and headers a page exchanges with the server. Tamper Data's Firefox-based sidebar is very easy to install and operate, and the program's online Help explains the app well enough to teach inexperienced site builders.
Tamper Data acts as a checkpoint between your browser and the Web site. Data is exchanged normally until the Start Tamper button is selected. For each subsequent request, the utility pops up a dialog asking whether to tamper with the data, submit it as normal, or cancel the request. The Tamper Popup is a clearly displayed, editable list of the headers and values the browser is about to send; users edit the data as they see fit and click to send it on to the Web site. It's easy to add elements to the data with a handy context-click menu, and an options menu gives users extensive control over the context menu items.
Use Tamper Data to view and modify HTTP/HTTPS headers and POST parameters, to trace and time HTTP requests and responses, and to security-test Web applications by modifying POST parameters. Note that the current version of Google Web Accelerator is incompatible with the tampering function of Tamper Data: with both enabled, your browser will crash.
I am able to tamper with POST request parameters with Tamper Data in Firefox, i.e. when I make a POST request I get the popup in Firefox to change the POST request parameters, but in the case of a GET request I get the popup but there is no way to change the request parameters.
So the question is: can't we change the request parameters through Tamper Data/Fiddler? (Yes, I agree we can change them from the browser address bar, but that only applies once the first request has been fired; I want to tamper with some data in the very first GET request. So I want to change GET request parameters with Tamper Data/Fiddler. Is it possible?)
You can't do that using Tamper-Data. You could use a more advanced standalone-tool, like Web Scarab (Archived page by Wayback Machine / Source Code at SourceForge) which will let you intercept and edit all portions of your web-requests.
You can easily use Fiddler to tamper with any aspect of a request or response. You can do this using FiddlerScript or manually using breakpoints. To change traffic manually using breakpoints, watch this tutorial video: =8bo5kXMAcV0&list=PLvmaC-XMqeBbw72l2G7FG7CntDTErjbHc
A Tamper Data window opens. Click Start Tamper, which begins capturing the outgoing requests; as we know, the username and password typed into the fields are sent via the POST method. Now click the Login button to send the data.
Before clicking Submit in the Tamper Data dialog, make sure tampering is still active so the field values can be changed. The POST values are then displayed and can be modified, for example to change the username field before the request reaches the server.
Using the Firefox extension Tamper Data (for modifying the HTTP requests that Firefox makes), how do I insert a null character into a POST field? I can enter normal characters, but binary characters in the field are not URL-encoded and are shown as is, so how do I enter the null character into a field? If you know of a Firefox extension like Tamper Data with which I can do this, or a way to do this using Tamper Data, please post.
After we went through our logs we could not see how anyone was doing this; however, today we had another 1p transaction and, after a bit of searching on the net, we found a Tamper Data hack plugin for Firefox.
The only way to safeguard against this is to check the prices of orders as PayPal sends them back to you. If you receive an IPN or order from PayPal, calculate the correct price again and compare it with what PayPal sends back to you. If the numbers don't match, flag the order for review.
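One way to implement the check described in that reply, as an added example that is not code from the original thread: recompute the order total from a server-side price list and compare it with the amount PayPal reports in the IPN. The shop data (CATALOG, MERCHANT_EMAIL, SHIPPING) and the two IPN bodies are constructed for the example; the IPN variable names follow PayPal's IPN documentation, but the exact set your integration receives should be confirmed against it.

```python
"""Added example (not from the original thread): recompute an order's total on the
server and compare it with what PayPal reports, flagging any mismatch for review.

Assumptions, labelled as such: CATALOG, MERCHANT_EMAIL, CURRENCY and SHIPPING describe
a constructed shop; the IPN field names (mc_gross, mc_currency, receiver_email,
payment_status, item_numberN, quantityN) follow PayPal's IPN documentation.
"""
from decimal import Decimal
from urllib.parse import parse_qsl

# Constructed server-side price list in GBP: the only prices that may be trusted.
CATALOG = {"SKU-100": Decimal("24.99"), "SKU-200": Decimal("5.50")}
MERCHANT_EMAIL = "sales@example.com"   # placeholder merchant account
CURRENCY = "GBP"
SHIPPING = Decimal("3.95")


def parse_ipn(body: str) -> dict:
    """An IPN arrives as an application/x-www-form-urlencoded POST body."""
    return dict(parse_qsl(body, keep_blank_values=True))


def cart_items(ipn: dict):
    """Yield (item_number, quantity) for cart entries item_number1, item_number2, ..."""
    i = 1
    while f"item_number{i}" in ipn:
        yield ipn[f"item_number{i}"], int(ipn.get(f"quantity{i}", "1"))
        i += 1


def expected_total(ipn: dict) -> Decimal:
    """Recompute what the order *should* cost from the server-side catalogue only."""
    total = Decimal("0.00")
    for sku, qty in cart_items(ipn):
        if sku not in CATALOG:
            raise ValueError(f"unknown item {sku!r}")
        total += CATALOG[sku] * qty
    return total + SHIPPING


def check_ipn(ipn: dict) -> list:
    """Return a list of problems; an empty list means the order may be fulfilled.
    Decimal is used throughout so 39.94 compares equal to 39.94 (floats may not)."""
    problems = []
    if ipn.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        problems.append("receiver_email does not match merchant account")
    if ipn.get("payment_status") != "Completed":
        problems.append(f"payment_status is {ipn.get('payment_status')!r}, not Completed")
    if ipn.get("mc_currency") != CURRENCY:
        problems.append(f"currency {ipn.get('mc_currency')!r} is not {CURRENCY}")
    try:
        paid = Decimal(ipn.get("mc_gross", ""))   # empty/garbage raises InvalidOperation
        expected = expected_total(ipn)
    except (ArithmeticError, ValueError) as exc:
        return problems + [f"cannot price order: {exc}"]
    if paid != expected:
        problems.append(f"amount mismatch: PayPal reports {paid}, server expects {expected}")
    return problems


# Constructed IPN bodies (not real PayPal traffic). The second is the 1p order: the
# buyer edited the amount in the checkout POST with Tamper Data; the items are unchanged.
LEGIT_IPN = ("receiver_email=sales%40example.com&payment_status=Completed&mc_currency=GBP"
             "&item_number1=SKU-100&quantity1=1&item_number2=SKU-200&quantity2=2&mc_gross=39.94")
TAMPERED_IPN = ("receiver_email=sales%40example.com&payment_status=Completed&mc_currency=GBP"
                "&item_number1=SKU-100&quantity1=1&item_number2=SKU-200&quantity2=2&mc_gross=0.01")

if __name__ == "__main__":
    for label, body in (("genuine", LEGIT_IPN), ("1p order", TAMPERED_IPN)):
        problems = check_ipn(parse_ipn(body))
        print(f"{label}: {'OK' if not problems else 'FLAG FOR REVIEW -> ' + '; '.join(problems)}")
```

Run stand-alone, the script prices both constructed orders: the genuine one passes and the 1p one is flagged. Note what this does and does not do: it compares the server's own price for the items with what PayPal says was paid, so it catches a total edited in the browser before checkout, but it does not prove the IPN itself came from PayPal; pair it with PayPal's documented IPN verification step (posting the message back and requiring a VERIFIED response) before trusting any field in it.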
Security through obscurity doesn't work. Every once in a while I like to prove this fact by getting worldwide high scores on vulnerable leaderboards. The first time I did this was to Area Flat 3 (which was an awesome game when I was in elementary school, and is still pretty fun). Check the all-time top 100 scores for H4X0R (I know, not very original; I was 13, sue me). But that hack was child's play compared to this one.
Recently I noticed that a Facebook game called Fast Typer 2 was becoming popular with my Facebook friends. I played it a few times and got the third-best score of all my friends, when I noticed that the global leaderboard had some unbelievable high scores. Like 9223372036854775807, which is 2^63 - 1. I was struck by the fact that: a) they use at least signed 64-bit integers to hold people's scores; and b) the leaderboard is vulnerable. In fact, the top 27 scores were obvious hacks. So, I got to work.
The first step is to enable the Tamper Data Firefox extension. I usually run Chrome, but I keep Firefox around for extensions like this. After playing the game again, I'd logged all the necessary communications to submit a high score. The Flash game POSTs to a few servlets at typer.mindjolt.com/servlet/, with the NextSubmitScore servlet looking particularly interesting. Examining the POST data from that request, I found that there's a "score=" parameter right there. So I played again, but tampered with that request. I changed the value of the "score=" parameter to something much higher, and the game told me I had a new personal best score -- but with my real score from the game, not the tampered one! Turns out that "score=" is a red herring.
Next, I had to decompile the SWF file itself to figure out what was going on. I used swfdump from swftools, but it just dumps the AVM2 opcodes; there seem to be no true SWF decompilers that work for ActionScript 3 on Linux. No matter; soon I had figured out that the game itself loads an internal API from another SWF file, "api_local_as3.swf". After reading through some of the functions I finally found the important one, "createSession". This function makes an associative array that holds your score, a "token" which is always 1, and "delta" and "deltaAbs", with unidentified purpose. This array is converted to a string, then RC4 encrypted with an 8-byte key, which is -- well, I don't want to spoil the fun, but it starts with "537E". True enough, the NextSubmitScore requests have a "session=" parameter with a giant hex value. Decrypted, it looks like this:
So the procedure to hack the game is this: play the game, tamper with the "NextSubmitScore" request, decrypt the "session=" parameter, change the score to a gigantic number, encrypt the new session string, replace the request parameter's value with your tampered one, and submit it. If you do it right, the game will greet you with "Congratulations! You've just set a record for all of Facebook!"
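The procedure above, worked through in code as an added example (not the post's own script, which is not reproduced): a minimal RC4 plus the decrypt, edit, re-encrypt step on the "session=" parameter. Two things are assumptions and are labelled in the code: the key (the post only reveals that it is 8 bytes beginning with hex 537E, so ASSUMED_KEY is a stand-in), and the serialisation of the session array (the post does not show the decrypted text, so it is modelled as a URL-encoded string); the sample session value is constructed by the same helper that models createSession.

```python
"""Added example (not from the original post): reproduce the session-tampering
procedure with a stand-in key and a constructed session value.

Assumptions, labelled as such: the real RC4 key is not given on the page (only that it
is 8 bytes and starts with hex 537E), so ASSUMED_KEY is a placeholder; the exact
serialisation of the session array is not shown, so it is modelled here as an
application/x-www-form-urlencoded string.
"""
from urllib.parse import parse_qsl, urlencode

# Placeholder 8-byte key. NOT the game's real key; substitute the one recovered
# from api_local_as3.swf.
ASSUMED_KEY = bytes.fromhex("0011223344556677")


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: build the 256-byte permutation from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. The cipher is symmetric: the same call encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_session(key: bytes, score: int, delta: int = 0, delta_abs: int = 0) -> str:
    """Model of the client's createSession(): serialise the fields, RC4-encrypt, hex-encode.
    The field layout is an assumption; 'token' is always 1 per the write-up."""
    fields = {"score": str(score), "token": "1", "delta": str(delta), "deltaAbs": str(delta_abs)}
    return rc4_crypt(key, urlencode(fields).encode("ascii")).hex().upper()


def decrypt_session(session_hex: str, key: bytes) -> dict:
    """Decrypt the session= parameter and parse it back into its fields."""
    plain = rc4_crypt(key, bytes.fromhex(session_hex)).decode("ascii")
    return dict(parse_qsl(plain, keep_blank_values=True))


def tamper_session(session_hex: str, key: bytes, new_score: int) -> str:
    """The attack step: decrypt, overwrite score, re-encrypt. All other fields are kept."""
    fields = decrypt_session(session_hex, key)
    fields["score"] = str(new_score)
    return rc4_crypt(key, urlencode(fields).encode("ascii")).hex().upper()


# Constructed sample: what a genuine client would have sent for a real score of 4521.
SAMPLE_SESSION = build_session(ASSUMED_KEY, score=4521, delta=12, delta_abs=12)

if __name__ == "__main__":
    print("original :", decrypt_session(SAMPLE_SESSION, ASSUMED_KEY))
    forged = tamper_session(SAMPLE_SESSION, ASSUMED_KEY, 2**63 - 1)  # the 9223372036854775807 scores
    print("forged   :", forged)
    print("decrypts :", decrypt_session(forged, ASSUMED_KEY))
```

The forged hex string is what gets pasted over the "session=" value in the same Tamper Data popup where "score=" was edited earlier; the only difference is that this time the field being changed is the one the server actually reads. Because the key ships inside a SWF that every player downloads, encrypting the session adds nothing a determined client cannot undo, which is exactly the post's point about obscurity.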
Hello,
I'm currently trying to modify a different game but also from MindJolt.
It seems Googling for "servlet/NextSubmitScore" I was able to find your page.
I'm also having trouble finding the RC4 key.
Do we dump the api_as2_local.swf? i.e. swfdump -D api_as2_local.swf?
Very cool. After getting the #1 legit high score for the week on that typing game, I was curious about the hacked ones. Of course, typing your name into Facebook or Google didn't reveal much, but interestingly enough the ajax requests on Facebook for the high scorers include their UIDs as well. I'm decent at binary disassembly but don't know too much about swf decompiling. Good job though!
If you're good with binary stuff then you can always mess with the address space of the Flash game too; I think something like that is how most of the hacked scores happened.But you've only got a signed 32-bit integer to work with when you do it that way, so the 4 or so 64-bit scores must've been done this way.
The Mozilla Sniffer add-on overwrote some of the original Tamper Data files, and also added a new script named tamperPost.js. This injects a new search() function, which is called whenever a form is submitted by the browser. This function searches for any forms that have non-empty password fields and then uses two other functions to send the purloined data to the fraudster:
Readers of All Things Digital may recognise the photograph as being of deputy managing editor John Paczkowski, who has confirmed to Netcraft that he is not the owner of this Mozilla account and that someone else has used his photo.
Mozilla subsequently confirmed that they had not reviewed this add-on and are currently working on a new security model that will require all add-ons to be code-reviewed before becoming discoverable on addons.mozilla.org.
Many web applications that undergo security testing are not production ready and may have exposed vast amounts of data and resources to whoever has been harvesting the URLs and passwords stolen by this add-on. Johann-Peter Hartmann told Netcraft that this was the first time he had seen a Firefox add-on being misused as a backdoor, and questioned whether many people check add-ons before using them, particularly when they appear to come from an official source.
"Attempt To Tamper Data On This PC" is a fake error message delivered by a malicious website. Users often visit this website without their consent - they are redirected by potentially unwanted programs (PUPs). Research shows that PUPs often infiltrate systems without permission.
"Attempt To Tamper Data On This PC" states that all data stored on the computer is at risk and, therefore, users must immediately contact 'technical support' via the telephone number ("+1-844-612-7496") provided. Victims then supposedly receive help in resolving the issue. As mentioned, however, this error message is fake.
Cyber criminals attempt to generate revenue by scaring victims and tricking them into calling and paying for services that are not required. You can remove this error simply by closing the web browser. An identical pop-up is displayed by a malicious website that delivers another fake error called "You Have A ZEUS Virus".
Be aware that potentially unwanted programs employ a "virtual layer" to generate banner, coupon, pop-up, and other similar advertisements. The virtual layer is a tool that enables placement of third party graphical content on any site. The displayed ads usually conceal underlying content of visited websites, significantly diminishing the Internet browsing experience.