Intercepting Proxies?

People tend to overdo things… Somewhere (not sure where) I’ve read an article (or better, call it a tutorial) where, for simple modifications of parameter/header values, the author suggested an intercepting proxy such as WebScarab, BurpProxy, ParosProxy, ProxyStrike, etc. Yes, they’re up to the job, but aren’t there some simpler solutions? Yes, there are, and those solutions are presented in the following lines…


And if you weren’t sure till now, I assure you I’m going to speak about Firefox addons.

LiveHTTPHeaders

A useful addon for both developers and hackers. It lets you analyze the HTTP requests and responses made at/from a specified point. It also allows you to modify the requests as you want: from parameters to HTTP headers, anything is possible.

For those who use intercepting proxies in passive mode to grab links while browsing, which are later passed to some web application scanner (or something like that), guess what: LiveHTTPHeaders supports that as well.

Download: liveHTTPHeaders

Tamper Data

On several occasions you may want to modify/forge requests on the first submission of a page/form. For that reason, Tamper Data is another addon that shouldn’t be missing from your toolbox. The functionality I mentioned is just the tip of the iceberg regarding Tamper Data.

Screenshots and download: Tamper Data

HackBar

But what if you don’t need to modify headers, just the content or parameters? Should you use Tamper Data just for that?

The answer is obviously NO! Just press F9 (the HackBar shortcut key) and you’re ready to tamper with/forge requests as you wish. It’s a great addon not just because it eases work with long URLs, but also because it can send POST requests for you, relieving you from keeping another window/tab open for executing forged POST requests. Did I also mention how helpful it can be when working with SQL Injections? No?! I wonder how I could omit that?…

Screenshots and download: HackBar

Final notes

In the end, it’s up to you to decide how you’ll proceed from this point onward: either work with the suggested plugins, or continue your ritual with intercepting proxies. There is no good/bad way of doing it; it’s just a matter of taste. Some people (including myself) like to do as much as possible from the browser before firing up another application…


