Tamper Chrome is an extension for Chrome that makes it possible to modify HTTP requests in order to pentest web applications.
To hack a web application you need to send all kinds of HTTP requests to it. There are several tools available to intercept and tamper with HTTP requests. Most of these tools, such as Burp and ZAP, are intercepting proxies. You configure the browser to connect to the intercepting proxy, and there you can view and modify requests. Tamper Chrome, in contrast, is implemented as a browser plugin and works from within the browser. This is a different way of implementing request tampering, and it has some interesting consequences.
Pentesting from the browser
Pentesting from within Chrome has its advantages. First, it is possible to run it in ChromeOS, so you can pentest from a Chromebook. Secondly, Tamper Chrome can be enabled per tab, so there is no need to have a separate browser for testing and normal browsing. There is also no need to configure proxy settings.
Using Tamper Chrome
After installation, Tamper Chrome adds a tab to the developer tools. In this tab, it offers several tools that can be enabled separately:
- Block / Reroute Requests
- Request Headers
- Response Headers
- Monitor PostMessages
- Monitor Reflected XSS
- Replay Requests (Experimental)
Several of these tools make it possible to intercept and tamper with requests, but some of them make particular use of the close integration with the browser.
Monitor Reflected XSS
The tool to monitor for XSS writes a message to the console every time a <tcxss> tag or attribute is found. This makes it easy to test for XSS. Simply insert
The future of Tamper Chrome
Tamper Chrome is a little rough around the edges. It’s clearly some pentester’s own functional tool, and the developer has no aspirations to turn this into a general-purpose pentesting product:
However, the concept of a pentesting tool in the browser shows much promise. Detecting DOM XSS in particular can be done much more easily in the browser than with an intercepting proxy. Intercepting message events sent by postMessage is not possible in an intercepting proxy at all, and this interface often goes untested. Pentesting from the browser offers easy installation and usage and good integration with the runtime environment of the webapp. I think there can be a successful Burp alternative in the browser. However, I don’t think Tamper Chrome will be it.
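The marker check described under Monitor Reflected XSS, run against the live DOM so that markers written by client-side script are also found, which an intercepting proxy reading response bytes would miss. This is an added example, not Tamper Chrome's own code; the names findMarkers and watchForMarkers and the sample tree are assumptions made for illustration.

```javascript
const MARKER = 'tcxss'; // marker name taken from the article

// Walk an element subtree and list every element or attribute named after the marker.
// Accepts real DOM Elements or plain objects shaped like them (tagName, attributes, children).
function findMarkers(root, path = []) {
  const tag = String(root.tagName || '').toLowerCase();
  const here = [...path, tag];
  const hits = tag === MARKER ? [{ kind: 'tag', path: here.join(' > ') }] : [];
  for (const attr of Array.from(root.attributes || [])) {
    if (String(attr.name).toLowerCase() === MARKER) {
      hits.push({ kind: 'attribute', path: here.join(' > '), value: attr.value });
    }
  }
  for (const child of Array.from(root.children || [])) {
    hits.push(...findMarkers(child, here));
  }
  return hits;
}

// Browser only: scan once, then report markers that script adds to the DOM later.
function watchForMarkers(doc, report) {
  findMarkers(doc.documentElement).forEach(report);
  const observer = new MutationObserver((records) => {
    for (const rec of records) {
      if (rec.type === 'attributes') {
        if (rec.target.hasAttribute(MARKER)) {
          const path = rec.target.tagName.toLowerCase();
          report({ kind: 'attribute', path, value: rec.target.getAttribute(MARKER) });
        }
        continue;
      }
      for (const node of rec.addedNodes) {
        if (node.nodeType === 1) findMarkers(node).forEach(report); // elements only
      }
    }
  });
  observer.observe(doc.documentElement,
    { childList: true, subtree: true, attributes: true, attributeFilter: [MARKER] });
  return observer;
}

// Constructed sample tree, standing in for a page after its scripts have run.
const sampleTree = { tagName: 'BODY', attributes: [], children: [
  { tagName: 'DIV', attributes: [{ name: 'id', value: 'results' }], children: [
    { tagName: 'TCXSS', attributes: [], children: [] } ] },
  { tagName: 'INPUT', attributes: [{ name: 'tcxss', value: '' }], children: [] },
] };

if (typeof document !== 'undefined') watchForMarkers(document, (hit) => console.warn('marker found', hit));
```

A marker that only appears as text or inside an attribute value is not reported, since the input was then treated as data rather than markup.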