google / tamperchrome

Tamper Dev is an extension that allows you to intercept and edit HTTP/HTTPS requests and responses as they happen without the need of a proxy. Works across all operating systems (including Chrome OS).

Home Page: https://tamper.dev

License: Apache License 2.0

JavaScript 40.88% CSS 4.17% HTML 10.97% Makefile 0.81% TypeScript 42.19% SCSS 0.92% Shell 0.07%
security debugging extension web

tamperchrome's Introduction

Tamper Dev

Tamper Dev is an extension that allows you to intercept and edit HTTP/HTTPS requests and responses as they happen without the need of a proxy.

Tamper Chrome was version 1, which uses a deprecated API, and will stop working at some point.
Users should migrate to Tamper Dev (v2). Visit https://tamper.dev to update.

tamperchrome's People

Contributors

eliyastein, peterood, sirdarckcat

tamperchrome's Issues

Similar TamperHeaders extension developed by me for developers

Hello folks!

Nice extension. Just want to drop by and say hi. I also developed a similar extension (mainly for myself) 2 years ago.

Instead of an interface, it's more scripting based. It just makes it very simple to play with the APIs and develop your rules.

It's not on the Chrome store (for a reason). Just download it, and play with it. If you have any questions, feel free to write me ([email protected]) :)

https://github.com/VarunAgw/TamperHeaders

Disable all capturing options when app window is closed

When the app window is closed, if pending requests are still open, the window is reopened. If the user misses one pending request, the user will get stuck in an apparent endless loop (it's not endless, but since the user might find it hard to find the pending request, it sure looks like it).

After this change, when the user closes the app, if we decide to reopen it, we will assume the user wanted to disable all pending requests. The user can stop ignoring requests just by unselecting the ignore checkbox.

Modify post body

When I block a request, is there a way for me to modify the post body and then forward it to the intended server?

Question to Dev

Hi, all updates are 2 years or more ago.
Do you have updates planned for next time or for the future?

Improve Documentation for Tamper Chrome

Many users give the extension poor scoring in the webstore because they don't understand they need to install two extensions.

We should improve the text in the installation screen, and potentially even add translations so it is more clear what is going on.

feature: Filtering

Allow automatically ignoring or automatically blocking requests based on:

  • at least the url and headers, like chrome network tab,
  • but ideally also on body content.

Otherwise many pages bombard you with requests you don't care about, sometimes faster than you can get rid of them.

Font Filter

I selected every ignore option except for "ignore subframe" and enabled "Block/Reroute Requests" but fonts and media requests are still captured.

I would also like to recommend three features:

  1. Ignore All (checks all ignore options so you can only deselect the ones you want; makes things easier and faster)
  2. Restrict to URL/Domain (only capture requests to a specified domain/URL; makes the app cleaner, faster, and easier and allows you to better isolate the request you're looking for; I'm aware of the filter in the app but it still captures requests from other URLs)
  3. Ignore Media (video & audio)

Google Chrome is up to date: Version 67.0.3396.79 (Official Build) (64-bit)
Windows 10 Home: Version 1803

add user docs

  • Add domain name (tamper.dev)
  • GH Pages landing page
    • 3 illustration summary
    • video
      • welcome experience
        • filter + example request
    • FAQ
    • install now button (not possible)
  • annotated screenshots
    • 5 features

Automatically set a Public-Key-Pins-Report-Only header with custom report-uri

As a security engineer I want an extension which automatically adds a Public-Key-Pins-Report-Only header to all sites and for me to provide it a custom report-uri so that I could get alerts when I am being MITM'd without being locked out of sites I care about (hence report only mode).

Can Tamperchrome help?

implement response editing

This seems to be blocked on a bug from Chrome. We should file it first, and then finish implementing this.

How to modify the Post request body?

I want to change parameters of the Post request on the fly but it is locked. I'm going to change the Request body before submitting via Tamper Chrome.
It is a basic functionality that Tamper should support.

add a settings page

made all_urls optional which adds an optional permission every time the user opens tamper chrome
4f30f5a

this is annoying.. maybe add a setting to let the user give global access, if at all possible

no "tamper" element in dev tools

I am using Chromium, seems like this addon is incompatible?
After extracting the .zip and installing it, I have no "tamper" in the dev tools.

Doesn't work at all

After installing the extension and the app there's no Tamper tab in Dev Tools.

Cent Browser, Version 2.9.4.39 (Official Build) (32-bit) (portable) (Chromium 61.0.3163.100)

Tamper Chrome is not working

Hey, I was trying out Tamper Chrome, but I am not able to get it to work. It is always saying "Could not find Tamper Chrome Application"

Copying request details

It would be very useful to have one button to copy all request details (URL+body+all headers and cookies) to replay it in console, modify or run it from your server. Recommended format: curl or HAR.

Simplify UI for Tamper Chrome

One of the usability issues with Tamper Chrome is that there are 4 options (Block/Reroute Requests, Request Headers, Response Headers, Replay Requests) that do very similar things.

We should simplify them so that they are less confusing to users.

Does anyone have any ideas?

Modify response content

I think it's useful to replace the body of a response when debugging a webapp. Does Tamper Chrome support this function?

Tamper Chrome won't start

From @Fandekasp on May 19, 2017 8:29

After installing both the extension and the app, I'm still unable to use Tamper Chrome, the debugger console tab showing a "Requires a second component" error.
Tried restarting the browser twice, didn't help.

Using Google Chrome Version 58.0.3029.110 (64-bit) from Arch Linux.

Copied from original issue: sirdarckcat/sirdarckcat.github.io#2

hex editor slows down tamper chrome

When a request body is very large, the request editor slows down the UI significantly.

We should delay rendering the component until the user selects the hex editor tab, and perhaps limit the number of inputs generated to the ones visible on the web view.

Create release candidate for 1.3.2

I would like to make a release with 1.3.2 with #3 and #4 hopefully this week.

Since this will be the first time I do the release with the OSS tooling, rather than the Google build system, I'll also document the process somewhere.

Tamper chrome application window can't be reopened once closed, subsequent requests hang browser?

On Ubuntu 17.04:

  1. Visit a site.
  2. Ctrl-shift-C.
  3. Tamper tab.
  4. Check "Block / Reroute Requests".
  5. Click a link.
  6. Keep clicking "Allow" in the Tamper Chrome application window that pops up until the page is finished loading.
  7. Close the Tamper Chrome application window.
  8. Click another link.

At this point the browser says it's waiting for the Tamper Chrome application and just hangs there. The Tamper Chrome application window doesn't pop open again, and I can't find any way to reopen it. The only recourse at this point appears to be to completely exit from Chrome, including background Chrome processes, and restart it.

Fix XSS monitoring documentation

The documentation in README.md says that <tc-xss> works as a JavaScript variable, and that one can also use <tcxss> and <tamperchrome>. However, that's not true.

tc-xss does not work as a JS variable, and tamperchrome isn't one of the identifiers in the code.

We should anyway improve the documentation on what this feature is used for, because its current explanation is not very clear.

improve test coverage

ui

  • inspector-service

unit

  • hex-editor
  • request-filter
  • app

e2e

  • a11y
  • rembrandt-type snapshots
  • filter autocomplete
  • filter works
  • req modifications work
  • res modifications work

background

unit

  • interception
  • debuggee
  • request

e2e

  • header modification
  • url changes
  • req/res body changes

experiment with using onAuthRequired asyncBlocking instead of synchronous XHR

Per https://developer.chrome.com/extensions/webRequest#life_cycle

In theory, we could instead do:

  1. onBeforeRequest redirect request to WEB_SERVER
  2. have WEB_SERVER respond with 401 authentication required
  3. onAuthRequired will be called with a callback
  4. show the user the HTTP Request Headers and URL in the request, with a chance to edit them
  5. let response go through
  6. have WEB_SERVER respond with a 307 redirect to the user's choice
  7. intercept onBeforeSendHeaders and make request header modifications per user request

see #18 for some similar ideas

Let us modify the body of intercepted requests

This Chrome extension is great and should be a core function of Google Chrome, but one key feature is missing.

Currently you can intercept all kinds of requests and modify their headers before they are sent out, but there is no option to see and modify the body of these requests.

Please add this feature as it would be very helpful to test all kinds of weird edge cases, without using external software like charlesproxy etc.

Modify post body

Same as issue #7
When I block a request, is there a way for me to modify the post body and then forward it to the intended server?

The textarea won't let you edit the post body

Forms headers of requests

It doesn't display forms headers of requests if a request is made from form element. This is very sad.
