Most Perl programmers at some point in their career are involved in a project that includes a bit of Web development. One of the Firefox plug-ins that I occasionally find useful for debugging and testing Web applications is the Tamper Data plug-in. From a debugging perspective, it lets you capture HTTP and HTTPS headers as well as POST parameters, so you can verify exactly which requests are being sent to your Web application. On the testing side, some basic security testing can be done as well, since it lets you modify the captured HTTP/HTTPS headers and POST parameters prior to transmission. While someone heavily involved in the security testing of Web applications would likely be better served by a more robust intercepting proxy (e.g. Burp Proxy), it is a nice plug-in for introducing people to some of the basic techniques used to test Web application security. An example of a captured Facebook login request can be seen below.
Notice how it shows the different POST parameters and their values? Any one of these parameters in the request could then be modified and submitted to the site. Once the "OK" button is clicked, the request will be forwarded to the Web application, including whatever modifications you have made.
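The server-side consequence of this is what matters to the application developer: since any POST parameter, hidden fields included, can be edited before transmission, the application must treat the whole body as untrusted input. The following Perl script is an added example written for this post, not code from the Tamper Data project or from any real application. It decodes a form-encoded POST body the way a handler would receive it, then contrasts a handler that trusts a hidden "role" field with one that takes identity and privilege from a server-side session and validates the remaining fields against an allowlist. The session table, field names and request bodies are all constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not part of the original post): what an edited POST body
# looks like once it reaches a Perl web application, and why the handler
# must not rely on client-supplied fields for authorization decisions.
# The session store, field names and request bodies below are constructed.
use strict;
use warnings;

# Constructed server-side session store: the only trustworthy source of who
# the user is and what they may do. Keyed by the session cookie value.
my %SESSIONS = ( 'sess-1234' => { user => 'alice', role => 'member' } );

# Decode an application/x-www-form-urlencoded body (the "POST parameters"
# that Tamper Data displays) into a hash of name => value.
sub parse_form_body {
    my ($body) = @_;
    my %params;
    for my $pair ( split /&/, $body ) {
        my ( $name, $value ) = split /=/, $pair, 2;
        for ( $name, $value ) {
            next unless defined;
            tr/+/ /;                                   # '+' encodes a space
            s/%([0-9A-Fa-f]{2})/chr( hex($1) )/ge;     # %XX escapes
        }
        $params{$name} = defined $value ? $value : '';
    }
    return \%params;
}

# Vulnerable pattern: the "role" field came from a hidden form input, so the
# developer assumed it could not change. After editing the request it can.
sub handle_trusting_client {
    my ( $session_id, $params ) = @_;
    return $params->{role} eq 'admin'
      ? "admin panel opened for $params->{user}"
      : "profile updated for $params->{user}";
}

# Hardened pattern: identity and privilege come from the session, and every
# field that is used is validated against an explicit allowlist first.
sub handle_hardened {
    my ( $session_id, $params ) = @_;
    my $session = $SESSIONS{$session_id}
      or return '403: no valid session';
    my $user = $session->{user};    # ignores $params->{user}
    my $role = $session->{role};    # ignores $params->{role}
    my $display = $params->{display_name} // '';
    return '400: display_name must be 1-32 word characters'
      unless $display =~ /\A\w{1,32}\z/;
    return $role eq 'admin'
      ? "admin panel opened for $user"
      : "profile updated for $user as '$display'";
}

# Constructed request bodies: the original browser submission, the same
# request with the hidden role field edited, and one with a hostile value in
# a visible field.
my @bodies = (
    'user=alice&role=member&display_name=Alice',
    'user=alice&role=admin&display_name=Alice',
    'user=alice&role=admin&display_name=Alice%27%3B--',
);

for my $body (@bodies) {
    my $p = parse_form_body($body);
    print "body:     $body\n";
    print "trusting: ", handle_trusting_client( 'sess-1234', $p ), "\n";
    print "hardened: ", handle_hardened( 'sess-1234', $p ), "\n\n";
}
```

Run it with `perl tamper_demo.pl` (any file name will do). The second body shows the trusting handler opening the admin panel on the strength of a field the user edited, while the hardened handler still sees a member because it never consulted the body for that decision; the third body shows the allowlist rejecting a value that would otherwise flow unchecked into the application.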