Tamper Chrome extension to modify requests in flight (chrome.google.com)
79 points by alpb on April 25, 2017 | 24 comments

I've used this before to modify the leaderboard scores of small web games[0]

I was amazed at how simple it was to use. Pretty full-featured, as well.

[0]: http://kevinwang.us/cheating-a-guide-to-achieving-high-score...

Your blog post is very interesting, replicated it in a game against some of my friends too. Very easy.

If you believe 2 years of CS are required to achieve this... Anybody with a brain can exploit this classic, basic flaw, without any CS studies but just some curiosity. Sorry to put it bluntly like this though.

Does it require a CS degree to tell the author was joking, or can anyone with a brain do that, too?

Eh hm... are you sure you replied to the correct comment?

Probably yes. Sending scores in HTTP requests is such a low-hanging fruit for exploitation.

A friend of mine was responsible for the scoring system on games. As they had some real awards (like bikes, tickets etc.) they captured the entire flow of the game with various statistics and later analyzed them for weird variations. That was in Flash and people used browser plugins to slow down the play, that was easy to spot. Of course it won't stop 100% of attacks, but it raises the bar sufficiently to thwart most attempts.
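An added example (not from any commenter, nor from the game described): a server-side plausibility check of the kind the comment above describes, comparing the recorded event flow with the submitted score and with wall-clock time. The event format, thresholds and sample sessions are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed game parameters (hypothetical, not from the thread).
TICKS_PER_SECOND = 60        # nominal simulation rate of the client
MAX_POINTS_PER_TICK = 5      # most points legitimate play can earn in one tick
SPEED_TOLERANCE = 0.15       # allowed drift between game clock and wall clock


@dataclass
class Event:
    tick: int          # client game-clock tick when the event happened
    recv_time: float   # server wall-clock time when the event arrived (seconds)
    points: int        # points awarded by this event


def review_session(events, claimed_score):
    """Return the reasons a session looks tampered with (empty list = plausible)."""
    if len(events) < 2:
        return ["too few events to verify the run"]
    findings = []
    # 1. The submitted total must be reproducible from the recorded events.
    if sum(e.points for e in events) != claimed_score:
        findings.append("claimed score does not match recorded events")
    # 2. No step may earn points faster than the game rules allow.
    for prev, cur in zip(events, events[1:]):
        dticks = cur.tick - prev.tick
        if dticks <= 0:
            findings.append(f"non-increasing tick at {cur.tick}")
        elif cur.points > dticks * MAX_POINTS_PER_TICK:
            findings.append(f"impossible gain at tick {cur.tick}")
    # 3. Slowed-down play needs more real time per game tick than normal play.
    ticks = events[-1].tick - events[0].tick
    wall = events[-1].recv_time - events[0].recv_time
    if ticks > 0 and wall > 0:
        speed = (ticks / TICKS_PER_SECOND) / wall   # 1.0 means real time
        if abs(speed - 1.0) > SPEED_TOLERANCE:
            findings.append(f"game ran at {speed:.2f}x real time")
    return findings


# Constructed sample sessions (not real data).
HONEST = [Event(0, 0.0, 0), Event(600, 10.0, 40), Event(1200, 20.1, 55)]
SLOWED = [Event(0, 0.0, 0), Event(600, 25.0, 40), Event(1200, 50.0, 55)]
FORGED = [Event(0, 0.0, 0), Event(600, 10.0, 40), Event(1200, 20.0, 55)]
```

The wall-clock side uses the server's receive time, so a client that rewrites its own requests cannot also rewrite that half of the comparison.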



There is also the trusty Charles app (https://www.charlesproxy.com/)

Charles proxy, Paros, Burp and Fiddler are all great tools to intercept and modify traffic.

Great for debugging or just inspecting/reversing/hacking in general.

I'm glad if similar tools are being made available as browser extensions, it might lower the barrier to entry and get more people poking at the network layer.

PS: https://github.com/square/PonyDebugger is a cool debugger that lets you use Chrome developer tools when developing iOS apps.

PS2: https://paw.cloud/ and some other tools take these proxies to a whole new level in terms of UI/polish.

https://mitmproxy.org/ is pretty nice too.

Tamper is built on MITM -- I built some internal tools using Tamper a few years back - Great proxy service.

Also reminds you that you should be CAREFUL with what extensions you install. As they can pretty much do whatever they want ;)

Good point. I tend to disable all for Incognito mode, then use that mode for things like online banking. Are there better approaches, like dedicating a separate browser for super sensitive stuff with absolutely nothing installed?

Chrome supports multiple profiles and you have different extensions for them. So you create for example one special profile for web development.

A separate, portable browser install would be wise. Even better if it's a bootable image of a trustworthy OS.

A bootable Linux distro that can be run from a USB key, like Puppy Linux.

Can it be extended so I could copy the entire request in one click in some format (XAR is best)?

Can't dev tools already do this? Right click request and copy as CURL, etc.

Yes, but you cannot cancel the request. If you go offline mode it lacks cookies. That's why I need an extension that blocks request first.

The tamper window seems to not open half the time after specifying to tamper request headers, leaving Chrome waiting for the extension with no way to resume the request.

This functionality is built in to Firefox; it would be nice if it was the case in Chrome.

How much functionality should browsers have built in? Seems like extra bloat for the 99.9% of users who'd never even need this, but the same could be said for most of the dev tools I guess.

What do you mean? TamperData exists for Firefox but it is also an addon[1].

[1]: https://addons.mozilla.org/en-us/firefox/addon/tamper-data/

Where is it in Firefox? I think Firefox only lets you edit and resend requests that have already been sent.

