Tamper Data: The Firefox Add-On

Although a current version exists, Tamper Data does not work in the way described here with the latest versions of Firefox, which has replaced plugins with extensions. This information is intended for users who are running legacy versions of Firefox or who are interested in how Tamper Data worked at one time.

Until recently, Firefox was the browser of choice for most hackers because of its plug-in-friendly design. One of the more popular hacker tools for older versions of Firefox was an add-on called Tamper Data. Tamper Data isn't super-complicated; it's merely a proxy that inserts itself between a user and a website or web application.

Tamper Data allowed a hacker to peel back the curtain to view and mess with all of the HTTP "magic" taking place behind the scenes. It could manipulate GETs and POSTs without the constraints imposed by the browser's user interface—a capability that newer iterations of Firefox have since blocked.

Why Tamper Data Was So Popular Among Hackers

Tamper Data allowed a person to tamper with data moving back and forth between the client and the server. When Tamper Data was started and a web app or website was launched in Firefox, Tamper Data showed all the fields that allowed user input or manipulation. A hacker could then change a field to an "alternate value" and send the data to the server to see how it reacted.

Why This Might Be Hazardous to an Application

Say a hacker was visiting an online shopping site and added an item to a shopping cart. The web application developer who built the shopping cart may have coded the cart to accept a value from the user such as Quantity = "1" and restricted the user interface element to a drop-down box containing predetermined selections for the quantity. Hackers often used Tamper Data to bypass the restrictions of the drop-down box, which allowed a user to select values such as 1, 2, 3, 4, and 5. Using Tamper Data, the hacker could try to enter a different value of, say, -1 or perhaps .000001.

If the developer hadn't properly coded the input validation routine, then this -1 or .000001 value could have ended up being passed to the formula used to calculate the cost of the item (e.g., price times quantity). This caused unexpected results, depending on how much error checking was going on and how much trust the developer had in the data coming from the client side. If the shopping cart was poorly coded, the hacker might have wound up with a huge discount, a refund on an unpurchased product, a store credit, or similar. The possibilities of misuse here were endless, and Tamper Data caused developers a great deal of concern in its day.
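
The shopping-cart case above, as an added example that is not code from the original article: a cart total that trusts the posted quantity, next to one that re-checks on the server what the drop-down enforced only in the browser. The unit price, the form layout and all function names are assumptions made for illustration.

```python
from decimal import Decimal

# Constructed sample values; the article names no real product or price.
UNIT_PRICE = Decimal("19.99")
ALLOWED_QUANTITIES = range(1, 6)  # the drop-down's choices: 1 through 5


class InvalidQuantity(ValueError):
    """Raised when the posted quantity is not one the UI could have sent."""


def naive_line_total(form: dict) -> Decimal:
    """The flawed 'before' case: price times whatever the client posted."""
    return UNIT_PRICE * Decimal(form["quantity"])


def parse_quantity(raw) -> int:
    """Accept only the whole numbers the drop-down offers."""
    # Short ASCII digit strings only: rejects "-1", ".000001", "1e3",
    # whitespace, Unicode digits, and a missing field (None).
    if not isinstance(raw, str) or len(raw) > 2:
        raise InvalidQuantity(f"malformed quantity: {raw!r}")
    if not (raw.isascii() and raw.isdigit()):
        raise InvalidQuantity(f"malformed quantity: {raw!r}")
    qty = int(raw)
    if qty not in ALLOWED_QUANTITIES:
        raise InvalidQuantity(f"quantity out of range: {qty}")
    return qty


def checked_line_total(form: dict) -> Decimal:
    """Server-side total computed only from a validated quantity."""
    return UNIT_PRICE * parse_quantity(form.get("quantity"))


def compare(raw_values):
    """Return {raw: (naive_total, checked_total or None if rejected)}."""
    out = {}
    for raw in raw_values:
        try:
            checked = checked_line_total({"quantity": raw})
        except InvalidQuantity:
            checked = None
        out[raw] = (naive_line_total({"quantity": raw}), checked)
    return out


if __name__ == "__main__":
    for raw, (naive, checked) in compare(["3", "-1", ".000001"]).items():
        print(f"quantity={raw!r}: naive={naive} checked={checked}")
```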

On the flip side, Tamper Data was an excellent tool for security-conscious application developers to see how their applications respond to client-side data manipulation attacks. Developers often create use cases to test likely implementations of functionality. Before the latest versions of Firefox moved toward extensions and away from plug-ins, savvy developers made Tamper Data part of their security testing arsenals to ensure proper client-side input validation and verification.