Introduction

Hello everyone, I hope you are doing well. In this short tutorial, we’ll introduce you to a simple Python tool called “Tinker” that can be used for parameter tampering and help you understand how it works.

What is Tinker?

Tinker is a Python tool that generates many variant payloads from a single input for parameter tampering. In other words, Tinker enumerates the case variations of a string by toggling each letter between lowercase and uppercase.

Install

git clone https://github.com/heydc7/Tinker.git
cd Tinker/
python3 main.py

Usage

>> python3 main.py
>> Enter your string: <INPUT>

You’ll be prompted to enter your string. For demonstration purposes, you can use “reset-password” as an example.

>> Output
reset-password
Reset-Password
reset-Password
Reset-password
RESET-PASSWORD
Reset-passworD
reSet-passwOrd
resEt-passwoRd
rEset-pasSword
reSet-paSSword
rEsEt-pAssword
rEsEt-pAsswOrd

How does it work?

Let’s take a closer look at the code:

def permute(ip, op):

    # base case: no input left, so op holds one complete variant
    if len(ip) == 0:
        print(op)
        return

    # take the lowercase and uppercase forms of the next character
    ch = ip[0].lower()
    ch2 = ip[0].upper()
    ip = ip[1:]
    permute(ip, op + ch)
    # a character with no case (digits, '-') has identical forms and
    # would print the same variant twice, so only branch when they differ
    if ch != ch2:
        permute(ip, op + ch2)

s = input("Enter your string: ")
permute(s, "")

  • The permute function takes two arguments, ip (input) and op (output). It recursively generates permutations of the input string by toggling the case of its characters.
  • The program takes user input as the initial string and then calls the permute function with an empty string as the initial output.

Where to get it?

Source code: https://github.com/heydc7/Tinker

Final Thoughts

Parameter tampering of this kind can be used in many scenarios, such as rate-limit bypass, SQL filter bypass and XSS filter bypass.
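To connect the permute function above with the filter-bypass scenarios just mentioned, here is an added example (not Tinker’s own code) that generates the distinct case variants iteratively and counts how many of them slip past a case-sensitive deny-list versus one that case-folds its input before comparing; the deny-list entry is constructed for the demonstration.

```python
from itertools import product


def case_variants(s):
    """Yield every distinct case variant of s.

    Same idea as Tinker's recursive permute(), but iterative and without
    the duplicate outputs that characters with no case (such as '-')
    would otherwise produce.
    """
    choices = []
    for ch in s:
        lo, up = ch.lower(), ch.upper()
        # a character with no upper/lower distinction contributes one choice
        choices.append((lo,) if lo == up else (lo, up))
    for combo in product(*choices):
        yield "".join(combo)


def variant_count(s):
    """Number of distinct variants: 2 ** (number of cased characters)."""
    return 2 ** sum(1 for ch in s if ch.lower() != ch.upper())


def naive_filter(param, blocked):
    """Case-sensitive deny-list check: True if the value is blocked."""
    return param in blocked


def normalized_filter(param, blocked):
    """Same check after Unicode case folding on both sides."""
    return param.casefold() in {b.casefold() for b in blocked}


def variants_passing(filter_fn, s, blocked):
    """How many case variants of s are NOT caught by filter_fn."""
    return sum(1 for v in case_variants(s) if not filter_fn(v, blocked))


if __name__ == "__main__":
    BLOCKED = {"reset-password"}  # constructed deny-list entry
    target = "reset-password"     # 13 cased letters -> 2 ** 13 variants
    print(variant_count(target))                                 # 8192
    print(variants_passing(naive_filter, target, BLOCKED))       # 8191
    print(variants_passing(normalized_filter, target, BLOCKED))  # 0
```

The same casefold() normalization applies to any key a rate limiter or filter compares against, so that all 8192 spellings collapse to a single value on the server side.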

I hope you enjoyed my #BugBounty blog.

Feel free to connect with me on Twitter: @heydc7

Thank you!