Oct 26, 2009

TamperIE

As companies continue moving their applications to web-based services, whether it be online banking or an online store complete with a shopping cart, security should be a main focus. All businesses that keep confidential information and provide services to users should perform extensive testing before launching their web app to the public.


This is where TamperIE may come in handy. TamperIE is a Browser Helper Object (BHO) that runs strictly on Microsoft's Internet Explorer and provides a way to test the security of web services. Bayden Systems, the creator of TamperIE, claims that the software provides "lightweight tampering of http requests" across the Internet Explorer family, starting with IE5. TamperIE is potent enough that Bayden Systems has a big red warning on their website that states "This tool makes it simple to do very bad things to poorly-written code. Malicious use of this tool against third-parties is a violation of federal, state, and local laws. Be smart."


In depth, TamperIE lets a user intercept the data the client browser is about to send, which means a user employing this tool can change otherwise obscure data (hidden form fields, for example) before it is sent back to the server. In this example, http://www.bayden.com/TamperIE/Tutorial.mht, TamperIE shows a major security flaw by allowing a user to change the price of a Tablet PC from $1995.00 to only $10.00!

Keep in mind that TamperIE is effective even if a company uses SSL; the data is manipulated inside the browser before it is placed on the wire, so encryption in transit does not protect it.
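To make the lesson concrete for coders, here is an added example (written for this post, not code from Bayden Systems or the tutorial): a server-side order handler that trusts the hidden price field as in the Tablet PC scenario, beside one that ignores every client-supplied price and looks it up from its own catalog. The catalog, form fields and function names are constructed for illustration.

```python
# Added example: a checkout handler that trusts the client-supplied price,
# beside one that does not. Catalog and form submissions are constructed.

from decimal import Decimal

# Server-side catalog: the only place a price should ever come from.
CATALOG = {
    "tablet-pc": Decimal("1995.00"),
    "mouse": Decimal("19.99"),
}

# A form submission as the browser sends it. A tool like TamperIE can rewrite
# any of these fields before they leave the machine, including the hidden
# "price" field, and SSL does nothing to prevent that.
HONEST_POST = {"item": "tablet-pc", "qty": "1", "price": "1995.00"}
TAMPERED_POST = {"item": "tablet-pc", "qty": "1", "price": "10.00"}


def charge_vulnerable(form):
    """Trusts the hidden price field: the client effectively sets its own total."""
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty


def charge_hardened(form):
    """Treats every field as untrusted input: the price is looked up
    server-side and the quantity is validated before use."""
    item = form.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    # Whatever "price" the client sent is ignored entirely.
    return CATALOG[item] * qty


def tampered_field_names(expected, received):
    """Detection aid: fields whose submitted value differs from what the
    server rendered into the form are worth logging as tampering attempts."""
    return sorted(k for k in expected if received.get(k) != expected[k])


if __name__ == "__main__":
    print("vulnerable, tampered:", charge_vulnerable(TAMPERED_POST))  # 10.00
    print("hardened, tampered:  ", charge_hardened(TAMPERED_POST))    # 1995.00
    print("changed fields:", tampered_field_names(HONEST_POST, TAMPERED_POST))
```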

I must place my own warning in this post by saying that my intention is not to show anyone how to manipulate data before it is sent back to the server. My intention is to open the eyes of coders to the security aspect of coding, and to provide them with information to help make their applications more secure.

4 comments:

  1. This is an interesting tool! I've never heard of it before, but it does sound like it could be rather dangerous! The only thing I'm confused about is that the website makes it look like it only tampers with GET and POST statements. If this is the case, then it doesn't really do all that much unless the code is VERY poorly written. It's common practice to not POST anything that is private or sensitive information, so as long as this common rule is followed, this TamperIE tool wouldn't be able to touch these values. You never want to pass a price or a credit card number through URLs...Maybe I'm missing some of the power of this tool, but from what I read and from the looks of the screenshots, it doesn't seem like it'd do a whole lot...Am I wrong?

  2. The power of it is that it is so simple. This is not a one shoe fits all sizes kind of software, it is a utility to add to your toolbox.

  3. Code manipulation, SQL injection and other tricks are a threat. You have to be aware that they exist and how to test and improve your code to reduce the risk. This tool seems like a good way to test your written code.
    Thanks Joshua for introducing this utility.

  4. Great reminder on security Josh. I just completed HIPAA training, which is all about working with identifiable health data and how it should be handled. As the internet progresses and web services are utilized more, it will be critical to check for these kinds of flaws when working with sensitive data. Great post!
