I'm not sure whether this question belongs on StackOverflow or SuperUser, but here goes nothing...

I'm trying to test out some basic security problems on my personal ASP.NET website to see exactly how the custom validators, etc. work when tampering with the data. I've been looking at the Firefox extension TamperData which seems to do the trick, but it doesn't feel very professional at all.

The issue I'm having with TamperData is that the textbox for the POST data is way too small to hold the ASP.NET view-state, so I have to copy that data into Emacs and then back again to be productive at all. I also don't like that there doesn't seem to be an option to only tamper with data which is from/to localhost.

Any ideas on better extensions for the task or better methods to test it?

A: 

I've also been unable to find anything decent for blackbox testing in Firefox (tried HackBar and TamperData), so now I just write my own convenience methods for blackbox testing and invoke them in IPython. I think this is the only proper way to do it actually since the grounds for attack are completely different from site to site and are constantly evolving; by the time someone writes a nice UI app for testing, it's already obsolete. If you really need a UI, maybe you should try Burp Suite; I've never tried it though.

Longpoke
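
A convenience method of the kind this answer describes, as an added example that is not part of the original post and not the answerer's code: it carries the ASP.NET view-state fields over unchanged, overrides only the fields under test, and refuses any target that is not loopback, so the server-side validators of a local site can be exercised without pasting view-state by hand. The URL, field names and view-state values are constructed assumptions.

```python
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit
from urllib.request import Request, urlopen

class FormFields(HTMLParser):
    """Collect named <input> values, hidden fields such as __VIEWSTATE included."""
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Submit buttons are skipped: a browser sends only the one clicked.
        if tag == "input" and a.get("name") and a.get("type") != "submit":
            self.fields[a["name"]] = a.get("value") or ""

def is_loopback(url):
    """True only if the host resolves exclusively to loopback addresses."""
    host = urlsplit(url).hostname
    try:
        infos = socket.getaddrinfo(host, None) if host else []
    except socket.gaierror:
        return False
    return bool(infos) and all(ipaddress.ip_address(i[4][0]).is_loopback for i in infos)

def build_post(url, page_html, overrides):
    """Build (not send) a POST that replays the form with some fields changed."""
    if not is_loopback(url):
        raise ValueError("refusing non-loopback target: " + url)
    parser = FormFields()
    parser.feed(page_html)
    fields = dict(parser.fields)  # view-state carried over untouched
    fields.update(overrides)
    return Request(url, data=urlencode(fields).encode("ascii"), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

# Constructed sample: URL, field names and view-state values are made up.
SAMPLE_URL = "http://127.0.0.1:8080/Register.aspx"
SAMPLE_HTML = """<form method="post" action="Register.aspx">
<input type="hidden" name="__VIEWSTATE" value="/wEPDwUKc2FtcGxlPT0=" />
<input type="hidden" name="__EVENTVALIDATION" value="/wEWAgKc2FtcGxl" />
<input type="text" name="txtAge" value="" />
<input type="submit" name="btnSave" value="Save" />
</form>"""
if __name__ == "__main__":
    req = build_post(SAMPLE_URL, SAMPLE_HTML, {"txtAge": "-1", "btnSave": "Save"})
    print(req.get_method(), req.full_url, req.data.decode(), sep="\n")
    # Against your own dev server: urlopen(req).read()
```

From IPython, fetch the page once, pass its HTML to `build_post` with the values a client-side validator would have blocked, and check that the response still shows the server-side validation error.
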
+3  A: 

Have you tried Fiddler? http://www.fiddlertool.com/fiddler2/version.asp

Martin Smith
+1 for Fiddler, which allows you to "replay" HTTP requests without having to use a browser.
David Lively