Wednesday 3 July 2013

$5000 to $50 - Tampering/Manipulating Data on Poorly Designed Website

While i was checking out tools to perform assessment on Web applications, i stumbled upon two addons that can be used to manipulate and change data via the http header. So decided to test it out and blog about it.


Let's try to purchase a laptop costing thousand of dollars on this site: 
http://www.bayden.com/sandbox/shop/


When you click Checkout, the price is $1095.00


-------------------------------------------------------------------------------------------------------

For Internet Explorer 

"TamperIE Web Security Tool is a small utility that enables HTML-form tampering for penetration testing of web applications. TamperIE is an Internet Explorer Browser Helper Object which allows tampering with HTTP requests from Internet Explorer 5 and above. TamperIE is a useful tool for security testing your web applications, in order to ensure you don't make foolish assumptions about the data sent by client browsers. Since the tool exposes and allows tampering with otherwise inconvenient input, many user-input security flaws immediately become apparent. SSL? TamperIE works inside IE itself, before data is placed on the wire; this means that it works fine even against SSL secured sites." - http://tamperie-web-security-tool.findmysoft.com/

Download the addon called TamperIE from:
http://www.softpedia.com/get/Tweak/Browser-Tweak/TamperIE-Web-Security-Tool.shtml
 

Open the Control Panel and click the first Option


Browse back to the website and click Check Out


TamperIE will pop up and show you the values and data it is going to send. Notice that the value here is 1065.00. Lets change that shall we?


In this example, we will choose 50.00. Then click on the 'Send altered data'


When you check out, the price will change to $50 instead of the original $1065.00!!


-------------------------------------------------------------------------------------------------

For Firefox

"About this Add-on: Use tamperdata to view and modify HTTP/HTTPS headers and post parameters. Trace and time http response/requests. Security test web applications by modifying POST parameters." - https://addons.mozilla.org/en-us/firefox/addon/tamper-data/


There is a tool called Tamper Data you can download from:
https://addons.mozilla.org/en-us/firefox/addon/tamper-data/eula/79565?src=dp-btn-primary


Once installed, go to Tools and click on Tamper Data


Click Start Tamper. This will monitor any incoming and outgoing request.


Now go back to the Shopping website and click Check out, a pop up will appear whether you want to Tamper the data or not. Click Tamper


Change the original value to 50.00 and click Ok


There you go... your laptop is now $50!!




Note: The site http://www.bayden.com/sandbox/shop/ is a site for testing, made available for those who wants to perform a POC (proof of concept) on this security issue.

No comments:

Post a Comment