18 Extensions for Turning Firefox Into a Penetration Testing Tool
-
Upload
uma-shanker -
Category
Documents
-
view
95 -
download
1
description
Transcript of 18 Extensions for Turning Firefox Into a Penetration Testing Tool
9/9/13 18 Extensions For Turning Firefox Into a Penetration Testing Tool
resources.infosecinstitute.com/use-firefox-browser-as-a-penetration-testing-tool-with-these-add-ons/ 1/6
InfoSec InstituteInfoSec ResourcesIntense School
Reverse Engineering
18 Extensions For Turning Firefox Into a Penetration
Testing Tool
3
Pavitra Shankdhar July 09, 2013
Firefox is a popular web browser from Mozilla. Popularity of Firefox is not only because it’s a good web
browser, it also supports add-ons to enhance the functionality. Mozilla has a website add-on section that has
thousands of useful add-ons in different categories. Some of these add-ons are useful for penetration testers
and security analysts. These penetration testing add-ons helps in performing different kinds of attacks, and
modify request headers direct from the browser. This way, it reduces the use of a separate tool for most of the
penetration testing related tasks.
In this brief post, we are listing a few popular and interesting Firefox add-ons that are useful for penetration
testers. These add-ons vary from information gathering tools to attacking tools. Use what you think helpful. All
these add-ons are available for free and you can download from the Mozilla add-on website. There are some
premium add-ons like Dominator pro which is also available for purchase from official websites. See the list of
free add-ons below.
Firefox Add-ons for Security Researchers and Penetration Testers
1. FoxyProxy Standard
FoxyProxy is an advanced proxy management add-on for Firefox browser. It improves the built-in proxy
capabilities of Firefox. There are few other similar kind of proxy management add-ons available, but it
offers more features that other add-ons. Based on the URL patterns, it switches internet connection
across one or more proxy servers. When proxy is in use, it also displays an animated icon. In case you
want to see the proxies used by the tool, you can see the logs.
Add FoxyProxy to you browser from this link: https://addons.mozilla.org/en-
US/firefox/addon/foxyproxy-standard/
2. Firebug
Firebug is a nice add-on that integrates a web development tool inside the browser. With this tool, you
can edit and debug HTML, CSS and JavaScript live in any webpage to see the effect of changes. It helps
in analyzing JS files to find XSS vulnerabilities. It’s an really helpful add-on in finding DOM based XSS for
security testing professionals.Add Firebug in your Browser from this link: https://addons.mozilla.org/en-
US/firefox/addon/firebug/
3. Web Developer
Web Developer is another nice add-on that adds various web development tools in the browser. It helps
in web application penetration testing.Add Web Developer in your browser from this link:
https://addons.mozilla.org/de/firefox/addon/web-developer/
4. User Agent Switcher
User Agent Switcher add-on; adds a one click user agent switch to the browser. It adds a menu and tool
bar button in the browser. Whenever you want to switch the user agent, use the browser button. User
Agent add on helps in spoofing the browser while performing some attacks.
Add User Agent Switcher to your browser from this link: https://addons.mozilla.org/en-
US/firefox/addon/user-agent-switcher/
5. Live HTTP Headers
Live HTTP Headers is a really helpful penetration testing add-on for Firefox. It displays live headers of
each http request and response. You can also save header information by clicking on the button in the
lower left corner. I don’t think that there is any kind of need to tell how important this add-on is for the
security testing process.Add Live HTTP Headers to Firefox with this link: https://addons.mozilla.org/en-
SearchHOME CATEGORIES IT CERTIFICATIONS CONTRIBUTORS CONTACT US STUDENT PAPERSOTHER ARTICLES BY PAVITRA SHANKDHAR
Security and Hacking apps for Android devices
19 Extensions to Turn Google Chrome into PenetrationTesting tool
Using X5S with Fiddler to find XSS Vulnerabilities
Websecurify Walkthrough, Web Application PenetrationTesting Tool
LIKE US ON FACEBOOK == STAY UP TO DATE
InfoSec Institute
Like 5,990
AWARD WINNING TRAINING FROM INFOSEC
Be the first to hear of new free tutorials, training videos,product demos, and more. We'll deliver the best of our freeresources to you each month, sign up here:
Yes, Send My Free Training & Tutorials
Want to learn more?? The InfoSec Institute ReverseEngineering course teaches you everything from reverseengineering malware to discovering vulnerabilities inbinaries. These skills are required in order to properly securean organization from today's ever evolving threats. In this5 day hands-on course, you wil l gain the necessarybinary analysis skil l s to discover the true nature ofany Windows binary . You will learn how to recognize thehigh level language constructs (such as branchingstatements, looping functions and network socket code)critical to performing a thorough and professional reverseengineering analysis of a binary. Some features of thiscourse include:
CREA Certif ication
5 days of Intensive Hands-On Labs
Hostile Code & Malware analysis, including: Worms,Viruses, Trojans, Rootkits and Bots
Binary obfuscation schemes, used by: Hackers, Trojanwriters and copy protection algorithms
Learn the methodologies, tools, and manual reversingtechniques used real world situations in our reversinglab.
VIEW RCE COURSE
9/9/13 18 Extensions For Turning Firefox Into a Penetration Testing Tool
resources.infosecinstitute.com/use-firefox-browser-as-a-penetration-testing-tool-with-these-add-ons/ 2/6
US/firefox/addon/live-http-headers/
6. Tamper Data
Tamper Data is similar to the Live HTTP Header add-on but, has header editing capabilities. With the
tamper data add-on, you can view and modify HTTP/HTTPS headers and post parameters. Thus it helps
in security testing web application by modifying POST parameters. It can be used in performing XSS and
SQL Injection attacks by modifying header data.Add the Tamper data add-on to Firefox browser with this
link: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
7. Hackbar
Hackbar is a simple penetration tool for Firefox. It helps in testing simple SQL injection and XSS holes.
You cannot execute standard exploits but you can easily use it to test whether vulnerability exists or not.
You can also manually submit form data with GET or POST requests. It also has encryption and encoding
tools. Most of the times, this tool helps in testing XSS vulnerability with encoded XSS payloads. It also
supports keyboard shortcuts to perform various tasks.I am sure, most of the persons in the security field
already know about this tool. This tool is mostly used in finding POST XSS vulnerabilities because it can
send POST data manually to any page you like. With the ability of manually sending POST form data,
you can easily bypass client side validations of the page. If your payload is being encoded at client side,
you can use an encoding tool to encode your payload and then perform the attack. If the application is
vulnerable to the XSS, I am sure you will find the vulnerability with the help of the Hackbar add-on on
Firefox browser.Add Hackbar add-on to Firefox browser with this link: https://addons.mozilla.org/en-
US/firefox/addon/hackbar/
8. Websecurify
Websecurify is a nice penetration testing tool that is also available as add-on for Firefox. We have
already covered WebSecurify in detail in previous article. WebSecurify can detect most common
vulnerabilities in web applications. This tool can easily detect XSS, SQL injection and other web
application vulnerability. Unlike other listed tools, it is a complete penetration testing tool in itself
available as a browser add-on. It gives most of the features available in standalone tool.Add WebSecurify
to Firefox browser with this link: https://addons.mozilla.org/en-us/firefox/addon/websecurify/
9. Add N Edit Cookies
“Add N Edit Cookies” is a cookie editing add-on that allows you to add and edit cookies data in your
browser. With this tool, you can easily add session data manually in cookies. This tool is performed in
session hijacking attack when you have the active cookies of the user. Edit your cookies to add the data
and hijack the account.To download Add N Edit Cookies to Your Firefox browser:
https://addons.mozilla.org/en-US/firefox/addon/add-n-edit-cookies-13793/
10. XSS Me
Cross Site Scripting is the most found web application vulnerability. For detecting XSS vulnerabilities in
web applications, this add-on can be a useful tool. XSS-Me is used to find reflected XSS vulnerabilities
from a browser. It scans all forms of the page, and then performs an attack on the selected pages with
pre-defined XSS payloads. After the scan is complete, it lists all the pages that renders a payload on the
page, and may be vulnerable to XSS attack. Now, you can manually test the web page to find whether
the vulnerability exists or not.Add XSS Me
to your Firefox browser: https://addons.mozilla.org/en-us/firefox/addon/xss-me/
11. SQL Inject Me
SQL Inject Me is another nice Firefox add-on used to find SQL injection vulnerabilities in web
applications. This tool does not exploit the vulnerability but display that it exists. SQL injection is one of
the most harmful web application vulnerabilities, it can allow attackers to view, modify, edit, add or
delete records in a database.The tool sends escape strings through form fields, and tries to search
database error messages. If it finds a database error message, it marks the page as vulnerable. QA testers
can use this tool for SQL injection testing.Add SQL Inject Me
add-on to your browser: https://addons.mozilla.org/en-us/firefox/addon/sql-inject-me/
12. FlagFox
FlagFox is another interesting add-on. Once installed in the browser, it displays the country’s flag to tell
the location of the web server. It also comes with other tools like whois, WOT scorecard and ping.Add
FlagFox in your browser: https://addons.mozilla.org/en-us/firefox/addon/flagfox/
13. CryptoFox
CryptoFox is an encryption or decryption tool for Mozilla Firefox. It supports most of the available
encryption algorithm. So, you can easily encrypt or decrypt data with supported encryption algorithm.
This add-on comes with dictionary attack support, to crack MD5 cracking passwords. Although, it hasn’t
have good reviews, it works satisfactorily.Add CryptoFox add-on to your browser:
https://addons.mozilla.org/en-US/firefox/addon/cryptofox/
14. Access Me
Access Me, is another add-on for security testing professionals. This add-on is developed by the
company that works on XSS Me and SQL Inject Me. Access Me is the can Exploit-Me tool used for testing
access vulnerabilities in web applications. This tool works by sending several versions of page requests.
A request using the HTTP HEAD verb and a request using a made up SECCOM verb will be sent. A
combination of session and HEAD/SECCOM will also be sent.Add Access Me to Firefox from this link:
InfoSec Institute - The most awarded security trainingcompany
9/9/13 18 Extensions For Turning Firefox Into a Penetration Testing Tool
resources.infosecinstitute.com/use-firefox-browser-as-a-penetration-testing-tool-with-these-add-ons/ 3/6
https://addons.mozilla.org/en-US/firefox/addon/access-me/
15. SecurityFocus Vulnerabil ities search plugin
SecurityFocus Vulnerabilities search plugin, is not a security tool but a search plugin that lets users
search for vulnerabilities from the Security Focus database.Add this to Firefox from the link:
https://addons.mozilla.org/en-us/firefox/addon/securityfocus-vulnerabilities-/
16. Packet Storm search plugin
This is another search plugin that lets users search for tools and exploits from packetstormsecurity.org.
The website offers free up-to-date security tools, exploits and advisories.Add this to Firefox from the
link: https://addons.mozilla.org/en-us/firefox/addon/packet-storm-search-plugin/
17. Offsec Exploit-db Search
This is another plugin similar to the last two above. It also lets users search for vulnerabilities and
exploits listed in exploit-db.com. This website is always up-to-date with latest exploits and vulnerability
details.Add this to Firefox from the link: https://addons.mozilla.org/en-us/firefox/addon/offsec-exploit-
db-search/
18. Snort IDS Rule Search
Snort IDS Rule Search is another search add-on for Firefox. It lets users search for Snort IDS rules on the
snort.org website. Snort is the most widely deployed IDS/IPS technology worldwide. It’s an open source
network Intrusion prevention and detection system with more than 400,000 users.Add Snort IDS Rule
Search to Firefox here: https://addons.mozilla.org/en-US/firefox/addon/snort-ids-rule-search/
These are few add-ons that you can use while web application penetration testing. Although, you cannot finish
complete penetration testing work with these tools, but these browser tools are useful for most of the tasks and
reduce the use of separate tools.
Hackbar, SQL Inject Me, XSS Me and WebSecurify are the browser tools that are widely used for finding
vulnerabilities in web applications. Other tools are used for specific work which helps in getting information
while penetration testing.
How to install these add-ons in the Firefox browser
Installation of these add-ons in the Firefox browser is really simple. I added links of each Add-on to make
installation easier. Just follow the link, and you will land on the add-on page. Find the big “download” button to
start downloading. In the next page, you will find terms and conditions. Just below that, you will see the “accept
and install” button. Then it will open a pop-up and installation begins in 3 seconds. After installation is
complete, you will need to restart the browser. Everything is just a click away. I am not describing the process
with screenshots because I assume that you already know how to install add-ons in Mozilla Firefox.
Want to learn more?? The InfoSec Institute Reverse Engineering course teachesyou everything from reverse engineering malware to discovering vulnerabilities in
binaries. These skills are required in order to properly secure an organization from
today's ever evolving threats. In this 5 day hands-on course, you will gainthe necessary binary analysis skills to discover the true nature of any
Windows binary. You will learn how to recognize the high level languageconstructs (such as branching statements, looping functions and network socket
code) critical to performing a thorough and professional reverse engineering
analysis of a binary. Some features of this course include:
CREA Certification
5 days of Intensive Hands-On Labs
Hostile Code & Malware analysis, including: Worms, Viruses, Trojans,
Rootkits and Bots
Binary obfuscation schemes, used by: Hackers, Trojan writers and copy
protection algorithms
Learn the methodologies, tools, and manual reversing techniques used realworld situations in our reversing lab.
VIEW RCE COURSE
Conclusion
9/9/13 18 Extensions For Turning Firefox Into a Penetration Testing Tool
resources.infosecinstitute.com/use-firefox-browser-as-a-penetration-testing-tool-with-these-add-ons/ 4/6
Firefox is not only a nice browser, but also a friend of penetration testers and security researchers. With the
given Add-ons, you can enhance the functionality of Firefox in the way that is useful for the penetration testing
process. Some of these tools help in gathering information about a website and its servers. A few other tools
help in intercepting and modifying header information, to perform attacks via headers. In case you are trying to
perform session hijacking, you can use an add-on to edit the cookies with the cookie data stolen from a user’s
browser. SQL Inject ME, XSS Me and Websecurify are semi-automated tools to scan the page, and find the
vulnerabilities that may be on the website. These 3 tools are dedicated security tools with a good success rate.
We have covered WebSecurify in earlier posts. You can read more about the tool to know how it actually works.
Hackbar is the best tool when you want to test a form against Post XSS. Hackbar helps you to manually submit a
form to send POST data. If the app has client side validation in form, and has few limits in length and input, you
can use Hackbar to submit form data manually and see the effect. It also has encoding tools to encode your XSS
payloads, without using any separate tool. Most of the people involved in the security testing field use this tool.
Few tools are just search add-ons that can help you to search exploits and advisories from popular databases.
You can use these add-ons to find the appropriate exploit to perform an attack on the web application, to check
whether the app is affected with this known exploit or not.
I am sure you will like few of these add-ons and will use them in your security testing process.
I personally use Hackbar, SQL Inject Me, XSS me, WebSecurify, Add N Edit Cookies, Live HTTP Headers, Tamper
data, FoxyProxy standard and Firebug.
Which add-on you would like to use? Share your views via comments.
Incoming search terms:
best firefox add on for security researchers
firefox browser hacker addons
penetration test
http session hijacking tools
firefox proxy addon pentesting
information gathering using add-ons
list of firefox hacking extensions
make firefox pen testing add ons
making of a good pen tester
mozilla firefox sql inject me tutorial pdf
feature reverse engineering
About the Author
Pavitra Shandkhdhar is an engineering graduate and a security researcher. His area of interest is
web penetration testing. He likes to find vulnerabilities in websites and playing computer
games in his free time. He is currently a researcher with InfoSec Institute.
Related Posts
3 Comments
Yashwant July 9, 2013 at 1:09 pm - Reply
simple we can say that use OWASP mantra browser..
9/9/13 18 Extensions For Turning Firefox Into a Penetration Testing Tool
resources.infosecinstitute.com/use-firefox-browser-as-a-penetration-testing-tool-with-these-add-ons/ 5/6
ARCHIVE
September 2013 (8)
August 2013 (43)
July 2013 (44)
June 2013 (38)
May 2013 (42)
April 2013 (56)
March 2013 (68)
February 2013 (65)
January 2013 (65)
December 2012 (51)
November 2012 (45)
October 2012 (59)
September 2012 (56)
August 2012 (35)
July 2012 (21)
June 2012 (31)
May 2012 (11)
April 2012 (16)
March 2012 (12)
February 2012 (24)
January 2012 (22)
December 2011 (15)
November 2011 (12)
RECENT POSTS
The Hunt for Memory Malware
GDS Burp API – Part I
Security and Hacking apps for Androiddevices
Using Hashes in Computer Security
Penetration Testing of an FTP Service
Python for Web application securityprofessionals
IOS Application Security Part 15 – StaticAnalysis of IOS Applications using iNalyzer
PsyOps and Socialbots
Keygenning: Part I
Penetration Testing for iPhone Applications— Part 6
WEAPON OF ANONYMOUS
Doxing: The Dark Side of Reconnaissance
CATEGORIES
Application Security (134)
Exploit Development (48)
Forensics (61)
General Security (182)
Hacking (304)
Interviews (33)
IT Certifications (65)CCNA (2)
CEH (5)
CISA (16)
CISM (10)
CISSP (33)
MCITP (2)
Malware Analysis (2)
Management, Compliance, & Auditing (48)
Meta (2)
Other (79)
Reverse Engineering (116)
SCADA (5)
Virtualization Security (6)
Wireless Security (10)
POPULAR COMMENTS TAGS POPULAR SEARCH TERMS
Name (required)
Email (required)
Website
Comment
Post Comment
Aman Hardikar July 10, 2013 at 2:12 pm - Reply
I have a list of my favorite at
http://www.amanhardikar.com/mindmaps/BrowserPlugins.html
owasp mantra, hconstf and sandcat are prepakaged browsers that you can also use.
Kaostricks August 31, 2013 at 7:39 am - Reply
I must say that you must consider this list as well
http://www.thegeekyglobe.com/28-best-firefox-add-ons.html
Leave A Response
9/9/13 18 Extensions For Turning Firefox Into a Penetration Testing Tool
resources.infosecinstitute.com/use-firefox-browser-as-a-penetration-testing-tool-with-these-add-ons/ 6/6
October 2011 (12)
September 2011 (1)
August 2011 (2)
July 2011 (7)
June 2011 (22)
May 2011 (30)
April 2011 (33)
March 2011 (24)
February 2011 (7)
January 2011 (2)
December 2010 (3)
November 2010 (7)
October 2010 (1)
September 2010 (1)
August 2010 (4)
July 2010 (2)
iphone, i phone, backtrack 5 r3 tutorial,resources infosecinstitute com, diarmf,network security engineer, w3af tutorial,backtrack 5 r3 tutorial pdf, Backtrack 5,Application Controls, iphone 1, maltego
Back to TopCopyright © 2012 - InfoSec Institute
Ant ivi r us E vasion : The
Making o f a Fu ll ,
Undet ec t ab le US B
Dr opper / S p r eader
September 20, 2012 45
Ideal S ki ll S et Fo r t he
Penet r at ion Test ing
August 27, 2010 44
S LAAC At t ack – 0day
Windows Net wor k
In t er cep t ion
Configu r at ion
Vu lner ab i l i t y
April 04, 2011 39
Dem yst i fy ing Do t NE T
Rever se E ng ineer ing , Par t
1 : Big In t r oduc t ion
October 24, 2012 34