Firefox is a popular web browser from Mozilla. Its popularity is not only because it is a good browser; it also supports add-ons that extend its functionality. Mozilla's add-on website has thousands of useful add-ons in different categories, and some of them are useful for penetration testers and security analysts. These add-ons help in performing different kinds of attacks and in modifying request headers directly from the browser, which reduces the need for a separate tool for many penetration testing tasks. In this brief post we list a few popular and interesting Firefox add-ons that are useful for penetration testers, ranging from information gathering tools to attack tools. Use whichever you find helpful. All of the add-ons listed here are free and can be downloaded from the Mozilla add-on website; some premium add-ons, such as Dominator Pro, are sold from their own official websites. See the list of free add-ons below.
Want to learn more? The InfoSec Institute Reverse Engineering course teaches you everything from reverse engineering malware to discovering vulnerabilities in binaries. These skills are required in order to properly secure an organization from today's ever evolving threats. In this 5 day hands-on course, you will gain the necessary binary analysis skills to discover the true nature of any Windows binary. You will learn how to recognize the high level language constructs (such as branching statements, looping functions and network socket code) critical to performing a thorough and professional reverse engineering analysis of a binary. Some features of this course include: CREA Certification; 5 days of intensive hands-on labs; hostile code and malware analysis, including worms, viruses, Trojans, rootkits and bots; binary obfuscation schemes used by hackers, Trojan writers and copy protection algorithms. Learn the methodologies, tools, and manual reversing techniques used in real world situations in our reversing lab.
resources.infosecinstitute.com/use-firefox-browser-as-a-penetration-testing-tool-with-these-add-ons/
9/9/13
US/firefox/addon/live-http-headers/
6. Tamper Data
Tamper Data is similar to the Live HTTP Headers add-on, but it adds editing. With Tamper Data you can view and modify HTTP/HTTPS request headers and POST parameters before the request leaves the browser, which makes it useful for security testing a web application by changing POST parameters. Because the edit happens after the page's own JavaScript has run, client-side validation, hidden fields and maxlength limits are bypassed entirely. It can be used to test for XSS and SQL injection by modifying header and parameter data.
Add the Tamper Data add-on to Firefox with this link: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

7. Hackbar
Hackbar is a simple penetration testing toolbar for Firefox. It helps in testing for simple SQL injection and XSS holes. You cannot run standard exploits with it, but you can easily use it to check whether a vulnerability exists. You can also manually submit form data with GET or POST requests, and it has encoding and hashing tools (URL and Base64 encoding, MD5 and SHA-1 hashes, and so on). Most of the time this tool helps in testing for XSS with encoded payloads. It also supports keyboard shortcuts for various tasks.
I am sure most people in the security field already know this tool. It is mostly used for finding POST-based XSS because it can send POST data manually to any page you like. Since you build the POST body yourself, you easily bypass the page's client-side validation. If your payload is being encoded on the client side, you can use the encoding tool to encode it first and then perform the attack. If the application is vulnerable to XSS, I am sure you will find the vulnerability with the help of the Hackbar add-on.
Add the Hackbar add-on to Firefox with this link: https://addons.mozilla.org/en-US/firefox/addon/hackbar/

8. WebSecurify
WebSecurify is a nice penetration testing tool that is also available as a Firefox add-on. We have already covered WebSecurify in detail in a previous article. WebSecurify can detect the most common vulnerabilities in web applications, such as XSS and SQL injection. Unlike the other listed tools, it is a complete penetration testing tool in itself, packaged as a browser add-on, and it offers most of the features of the standalone tool.
Add WebSecurify to Firefox with this link: https://addons.mozilla.org/en-us/firefox/addon/websecurify/

9. Add N Edit Cookies
Add N Edit Cookies is a cookie editing add-on that lets you add and edit the cookie data in your browser. With this tool you can manually set session data in your cookies. It is used in session hijacking when you already hold a user's active session cookie: edit your cookies to add that value and the browser takes over the account.
To download Add N Edit Cookies for your Firefox browser: https://addons.mozilla.org/en-US/firefox/addon/add-n-edit-cookies-13793/

10. XSS Me
Cross-site scripting is one of the most commonly found web application vulnerabilities, and this add-on is a useful tool for detecting it. XSS Me finds reflected XSS from the browser. It enumerates all the forms on the page and then submits the selected forms with pre-defined XSS payloads. When the scan completes it lists every submission whose response renders a payload, which may be vulnerable to XSS. You then test those pages manually to confirm whether the vulnerability really exists. Because it only inspects the response to its own submission, stored XSS that shows up on a different page is not detected.
Add XSS Me to your Firefox browser: https://addons.mozilla.org/en-us/firefox/addon/xss-me/

11. SQL Inject Me
SQL Inject Me is another nice Firefox add-on for finding SQL injection vulnerabilities in web applications. It does not exploit the vulnerability; it only shows that one exists. SQL injection is one of the most harmful web application vulnerabilities, since it can let an attacker view, modify, add or delete records in the database. The tool sends escape strings through the form fields and searches the responses for database error messages. If it finds one, it marks the page as vulnerable. QA testers can use this tool for SQL injection testing as well. Note that it only catches error-based injection: an application that hides database errors, or a blind injection, passes unnoticed.
Add the SQL Inject Me add-on to your browser: https://addons.mozilla.org/en-us/firefox/addon/sql-inject-me/

12. FlagFox
FlagFox is another interesting add-on. Once installed, it displays a country flag showing where the web server is located. The location comes from the server's IP address, so for a site behind a CDN or reverse proxy it shows the edge node rather than the origin. It also comes with other tools such as whois, a WOT scorecard and ping.
Add FlagFox to your browser: https://addons.mozilla.org/en-us/firefox/addon/flagfox/

13. CryptoFox
CryptoFox is an encryption and decryption tool for Firefox. It supports most of the common algorithms, so you can encrypt or decrypt data with any supported one. The add-on also comes with dictionary attack support for cracking MD5 password hashes. Although it has not received good reviews, it works satisfactorily.
Add the CryptoFox add-on to your browser: https://addons.mozilla.org/en-US/firefox/addon/cryptofox/

14. Access Me
Access Me is another add-on for security testing professionals, developed by the same company that makes XSS Me and SQL Inject Me. It is the Exploit-Me tool for testing access control vulnerabilities in web applications. It works by sending several versions of each page request: a request using the HTTP HEAD verb and a request using a made-up SECCOM verb, each sent both with and without the session. A page that turns an anonymous GET away but serves HEAD or SECCOM without a session points to an access filter applied per HTTP method (for example a security constraint that lists only GET and POST) rather than to every verb.
Add Access Me to Firefox from this link:
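What XSS Me and SQL Inject Me (items 10 and 11 above) do under the hood, as an added example that is not the add-ons' own code or the article's: it pulls every form and named field out of a page, submits one probe per field with the other fields set to a benign value, and flags a field when the probe comes back unescaped (XSS) or the response carries a database error string (SQL injection). The page HTML, the target application, its cookie-free request model and the error text are all constructed stand-ins so the example runs offline; a real scan sends the same requests over HTTP from the browser.

```javascript
// Added example for this article (not code from XSS Me, SQL Inject Me or the
// author). It models what those add-ons do: enumerate every form and named
// field on a page, submit one probe per field, and flag a field when the probe
// is reflected unescaped (XSS) or the response carries a database error (SQLi).
// The page HTML, the application and its error text are all constructed here
// so the example runs offline; a real scanner sends the same requests over HTTP.

function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Constructed toy database: an odd number of single quotes means an
// unterminated string literal, which a real engine reports as a syntax error.
function fakeDb(query) {
  const quotes = (query.match(/'/g) || []).length;
  if (quotes % 2 !== 0) {
    throw new Error('You have an error in your SQL syntax near ' + query.slice(-24));
  }
  return [{ id: 1 }];
}

// Constructed target application, deliberately flawed: 'q' is echoed raw
// (reflected XSS), 'user' is concatenated into SQL (injection), 'name' is
// escaped (safe). Returns an HTTP-like { status, body } object.
function targetApp(method, path, params) {
  if (path === '/search') {
    return { status: 200, body: '<p>Results for ' + params.q + '</p>' };
  }
  if (path === '/login') {
    try {
      fakeDb("SELECT * FROM users WHERE name = '" + params.user + "'");
      return { status: 200, body: 'Welcome ' + htmlEscape(params.name || '') };
    } catch (e) {
      return { status: 500, body: '<pre>' + htmlEscape(e.message) + '</pre>' };
    }
  }
  return { status: 404, body: 'not found' };
}

// Constructed page with two forms, as the scanner would see it in the DOM.
const PAGE_HTML = `
<form action="/search" method="get"><input name="q"></form>
<form action="/login" method="post">
  <input name="user"><input name="name"><input type="submit" value="Go">
</form>`;

// Pulls action, method and the named non-submit inputs out of each <form>.
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, inner] = m;
    const action = (attrs.match(/action="([^"]*)"/i) || [null, '/'])[1];
    const method = (attrs.match(/method="([^"]*)"/i) || [null, 'get'])[1].toUpperCase();
    const fields = [];
    const inputRe = /<input\b([^>]*)>/gi;
    let im;
    while ((im = inputRe.exec(inner)) !== null) {
      const type = (im[1].match(/type="([^"]*)"/i) || [null, 'text'])[1];
      const name = (im[1].match(/name="([^"]*)"/i) || [])[1];
      if (name && type !== 'submit') fields.push(name);
    }
    forms.push({ action, method, fields });
  }
  return forms;
}

const XSS_PROBE = '<xssme>';  // unique tag: present verbatim => output not escaped
const SQLI_PROBE = "'";       // lone quote: DB error => input reached a SQL string
const DB_ERROR_RE = /error in your SQL syntax|unterminated quoted string|ORA-\d{5}|SQLSTATE/i;

// One probe per field at a time (other fields get a benign value), so each
// finding names the exact form and parameter that is vulnerable.
function scanForms(html, app) {
  const checks = [
    ['xss', XSS_PROBE, (r) => r.body.includes(XSS_PROBE)],
    ['sqli', SQLI_PROBE, (r) => DB_ERROR_RE.test(r.body)],
  ];
  const findings = [];
  for (const form of extractForms(html)) {
    for (const field of form.fields) {
      for (const [kind, probe, detect] of checks) {
        const params = Object.fromEntries(form.fields.map((f) => [f, 'test']));
        params[field] = probe;
        if (detect(app(form.method, form.action, params))) {
          findings.push({ form: form.action, field, kind });
        }
      }
    }
  }
  return findings;
}

console.log(scanForms(PAGE_HTML, targetApp));
```

The two detection rules are exactly what makes these add-ons quick and noisy: the escaped `name` field and the properly handled `q` quote produce nothing, the raw `q` echo and the concatenated `user` field each produce one finding, and an application that swallows database errors would hide the injection completely, which is why the article describes SQL Inject Me as showing that a vulnerability exists rather than exploiting it.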
These are a few add-ons that you can use during web application penetration testing. You cannot finish a complete penetration test with these tools alone, but they are useful for many of the tasks and reduce the need for separate tools. Hackbar, SQL Inject Me, XSS Me and WebSecurify are the browser tools most widely used for finding vulnerabilities in web applications; the others are used for specific jobs that help in gathering information during a test.
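The Access Me check from item 14, as an added example that is not the add-on's code or the article's: for each path it sends an anonymous GET, an authenticated GET, and then HEAD and the made-up SECCOM verb without the session, and reports any path that turns the anonymous GET away but answers the other verbs. The session cookie value, the paths and both applications are constructed: the vulnerable one models an access filter that lists only GET and POST, the hardened one applies the same check to every verb, and the probe shows the difference.

```javascript
// Added example for this article (not code from Access Me or the author). It
// models the Access Me check: for each path, send a normal GET, a HEAD and a
// made-up SECCOM verb, with and without the session cookie, and report paths
// that turn an anonymous GET away but answer HEAD or SECCOM without a session.
// Everything here is constructed: the cookie value, the paths and the two
// applications (one with a per-verb access filter, one that checks every verb).

const SESSION = 'sid=abc123';                  // constructed logged-in cookie
const PROTECTED = ['/admin', '/admin/users'];  // paths that require a session
const PROBE_VERBS = ['HEAD', 'SECCOM'];        // SECCOM is not a real HTTP verb
const SCAN_PATHS = ['/public', '/admin', '/admin/users', '/missing'];

// Builds a toy application. filteredVerbs lists the methods the access filter
// applies to (like a servlet security-constraint with explicit <http-method>
// entries); null means the filter covers every verb. Returns { status, headers, body }.
function makeApp(filteredVerbs) {
  return function app(method, path, headers) {
    const authed = headers.Cookie === SESSION;
    const isProtected = PROTECTED.includes(path);
    const verbCovered = filteredVerbs === null || filteredVerbs.includes(method);
    if (isProtected && verbCovered && !authed) {
      return { status: 302, headers: { Location: '/login' }, body: '' };
    }
    if (isProtected || path === '/public') {
      // Unknown verbs fall through to the default handler and get the page;
      // HEAD gets the same status with no body.
      return { status: 200, headers: {}, body: method === 'HEAD' ? '' : 'page ' + path };
    }
    return { status: 404, headers: {}, body: '' };
  };
}

const vulnerableApp = makeApp(['GET', 'POST']);  // the flaw Access Me hunts for
const hardenedApp = makeApp(null);               // denial applies to all verbs

// "Denied" means a 401/403 or a redirect to a login page.
function isDenied(resp) {
  if (resp.status === 401 || resp.status === 403) return true;
  return resp.status >= 300 && resp.status < 400 && /login/i.test(resp.headers.Location || '');
}

// Only paths that enforce the session on GET are worth probing; for those, any
// verb that is not denied without the session is an access-control bypass.
function probeAccess(paths, app) {
  const findings = [];
  for (const path of paths) {
    const anonGet = app('GET', path, {});
    const authGet = app('GET', path, { Cookie: SESSION });
    if (!isDenied(anonGet) || isDenied(authGet)) continue;
    for (const verb of PROBE_VERBS) {
      const anon = app(verb, path, {});
      if (!isDenied(anon)) findings.push({ path, verb, status: anon.status });
    }
  }
  return findings;
}

console.log('vulnerable:', probeAccess(SCAN_PATHS, vulnerableApp));
console.log('hardened:  ', probeAccess(SCAN_PATHS, hardenedApp));
```

Against the vulnerable application the probe reports both protected paths for both verbs; against the hardened one it reports nothing. In practice a HEAD bypass leaks only status codes and headers, while an unknown verb that the framework routes to the default handler can return the full page, so compare the body length of the SECCOM response with that of the authenticated GET before calling it a finding.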
Conclusion
Firefox is not only a nice browser, but also a friend of penetration testers and security researchers. With the add-ons above you can extend Firefox in ways that are useful for the penetration testing process. Some of these tools help in gathering information about a website and its servers. Others help in intercepting and modifying request headers, to perform attacks via headers. If you are trying to perform session hijacking, you can use an add-on to edit your cookies with the session cookie data taken from a user's browser. SQL Inject Me, XSS Me and WebSecurify are semi-automated tools that scan a page and find vulnerabilities that may be on the website. These three are dedicated security tools with a good success rate. We have covered WebSecurify in earlier posts; you can read more about the tool there to see how it actually works. Hackbar is the best tool when you want to test a form for POST-based XSS. Hackbar lets you submit a form manually to send POST data. If the form has client-side validation, with limits on length and input, you can use Hackbar to submit the form data manually and see the effect. It also has encoding tools to encode your XSS payloads without a separate tool. Most people in the security testing field use this tool. A few of the tools are just search add-ons that help you search for exploits and advisories in popular databases. You can use these to find the appropriate exploit for the web application and check whether the app is affected by a known exploit. I am sure you will like a few of these add-ons and will use them in your security testing process. I personally use Hackbar, SQL Inject Me, XSS Me, WebSecurify, Add N Edit Cookies, Live HTTP Headers, Tamper Data, FoxyProxy Standard and Firebug. Which add-ons would you like to use? Share your views in the comments.
3 Comments
Yashwant July 9, 2013 at 1:09 pm
I have a list of my favorites at http://www.amanhardikar.com/mindmaps/BrowserPlugins.html. OWASP Mantra, HconSTF and Sandcat are prepackaged browsers that you can also use.
I must say that you must consider this list as well http://www.thegeekyglobe.com/28-best-firefox-add-ons.html