16 Mar
Turning Firefox into a WA assault kit
By using some brilliant Firefox extensions you can turn your Firefox-install into a perfect web-application assault kit.
Sometimes I do freelance work as a web-developer and other times I pen-test web sites on request (as a part of my work). I have been doing this for some years now, and by now I’ve collected some Firefox extensions to make the pen-testing a little more enjoyable (read: easier).
So in this post I’m gonna list some Firefox extensions that I use for pen-testing web-applications. But mark my words, these extensions will not turn you into a security professional just because you use them; you will still need knowledge. With knowledge comes power and with great power comes great responsibility, remember that!
Listed in alphabetical order:
Add N Edit Cookies:
Add N Edit Cookies gives you the ability to easily alter, edit or delete cookies. You can’t imagine how many sites there are that use cookie variables like ‘admin = 0’…
Cookie Watcher:
This little extension shows the value of a selected cookie in your status bar. That makes it easier to see when or if a cookie changes, which in turn makes it easier to “reverse engineer” it.
Extended Cookie Manager:
This has the same functionality as the popular extension NoScript, but for cookies!
Firebug:
Gives you the ability to edit, debug, and monitor CSS, HTML, and JavaScript live in any web page. (Client-side, of course.)
FoxyProxy:
Did someone say switching proxies? This extension adds a small icon into your toolbar that shows the current proxy status and a drop down menu of proxies (which you manage in FP’s proxy-manager). It also gives you a nicer and more advanced proxy-manager!
HackBar:
A toolbar that helps you find and exploit SQL-injections.
Live HTTP Headers:
View the HTTP headers of page requests while you are browsing; now you can ditch ettercap and ethereal ^H^H^H^H^H^H^H^Hwireshark.
Modify Headers:
Did someone say HTTP Header Injection? This tool gives you the power you need to alter any header Firefox sends out, persistently or temporarily.
NoScript:
NoScript allows JavaScript, Java, Flash and any other plugins only for your trusted domain(s). Great for protecting yourself from the authorities. (Yes, Java can reveal your real IP address.)
RefControl:
Control what gets sent as the HTTP-Referer on a per-site basis.
Tamper Data:
I love this extension; it gives you the ability to view and modify everything from headers to POST-requests sent from your browser. A must-have in every web-application hacker’s toolkit!
User Agent Switcher:
Adds a menu and a toolbar button to switch the user-agent of the browser.
Note that many of these extensions do pretty much the same thing, but they complement each other.
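The ‘admin = 0’ cookie pattern mentioned under Add N Edit Cookies, seen from the server side, as an added example that is not from the original post: a check that trusts the cookie as sent, next to one that only accepts values carrying a valid HMAC. The cookie layout, function names and key are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment loads a random secret from configuration.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def parse_cookies(header: str) -> dict:
    """Split a Cookie request header into a name -> value mapping."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {name: value for name, value in pairs}


def is_admin_naive(cookie_header: str) -> bool:
    """Vulnerable pattern: the role is whatever the browser sends back."""
    return parse_cookies(cookie_header).get("admin") == "1"


def _tag(payload: str) -> str:
    """HMAC-SHA256 over the cookie payload, hex encoded."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user: str, admin: bool) -> str:
    """Build a cookie whose fields are covered by a server-side tag."""
    payload = f"user={user}&admin={int(admin)}"
    return f"session={payload}.{_tag(payload)}"


def is_admin_signed(cookie_header: str) -> bool:
    """Hardened pattern: reject any cookie whose tag does not verify."""
    value = parse_cookies(cookie_header).get("session", "")
    payload, sep, tag = value.rpartition(".")
    # Compare as bytes so a non-ASCII tag is rejected instead of raising.
    if not sep or not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return False
    fields = dict(f.split("=", 1) for f in payload.split("&") if "=" in f)
    return fields.get("admin") == "1"
```

Signing only makes edits detectable; keeping the role in server-side session state, keyed by a random session ID, removes it from the cookie entirely.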

June 15th, 2008 at 10:56 pm
I disagree about ditching Wireshark for Live HTTP Headers. Wireshark is way more advanced and also built for a wider range of uses.
Other than that, thanks for the Hackbar pointer. I like that.
June 16th, 2008 at 2:21 am
The script kiddies will love this one, for sure.
June 16th, 2008 at 5:28 am
There’s no script to run here… this is only useful if you know what you’re doing. Way to throw your two cents in tho.
June 17th, 2008 at 6:14 am
Hey Legit… without explaining how to make practical use of these tools, there is nothing here at all for the script kiddies. You install them all, kick one off and say, great… there’s my header… now what can I do with it. If you don’t know much about what headers do, are used for and what they can affect, for example, you won’t get anything at all out of these tools except a glimpse of your header (which does you no good at all).
June 18th, 2008 at 2:48 am
Instead of griping, would someone like to provide an explanation or link so that said “script kiddies” could use these add-ons efficiently?
June 18th, 2008 at 5:49 pm
Hi Brad, I thought I’d help you out. Here’s a summary of the conversation thus far that you can hopefully understand:
Legit: This is bad because no-talent a-holes can use it to mess stuff up.
You are a tool: No they can’t, don’t worry.
Tigel: No they can’t, don’t worry.
Brad: Hi, I’m a no-talent a-hole. How can I use this stuff?
Hate: Brad, you’re retarded.
June 18th, 2008 at 5:51 pm
Brad….
Holy shit man, do you know how bad of an idea that is?
imagine: your little brother, who knows nothing about hacking, stumbles across this link you are asking for, and starts going nuts on the internet in the completely wrong way. one day, he makes the mistake of trying to “hack” his way into a real hacker’s website/computer, and ends up getting his ass raped by someone who knows what the hell he’s doing.
now, multiply that by the number of people who see the links (potentially millions of people)
there’s a reason they’re called “script kiddies”. they may not be young in body, but they are all children.
June 19th, 2008 at 8:53 am
the internet is shit.
[rant]
would a hacker really waste time on http bullshit? rarely.
99% of idiots who claim to be hackers are script kiddies themselves.
also, hacker is the wrong terminology here. the term you use for someone who tries to break security of any type should be cracker.
a hacker is someone who produces some useful work for either himself (the selfish hacker) or the community (ex. the good ol boys of linux.)
hackers create. crackers destroy.
I’m not saying one takes more skill than another, just that they are completely different. the crackers usually end up in jail soon enough when they find out they can’t be invisible.
although i have little respect for web crackers, I do respect the reversers a hell of a lot more, since their skill actually comes in handy when there is a large body of work that can be used as inspiration but no way to interpret it other than byte code.[/rant]
June 20th, 2008 at 4:57 am
Hate - you rock :)
June 21st, 2008 at 11:19 pm
@haha
Thanks for saving me the time it would have taken to type all that up.
June 23rd, 2008 at 5:26 am
I think this is a pretty good post and those of you claiming that this will fuel the skiddies etc are simply wrong. They need more than just the tools to do anything.
On my blog I have a very similar article (in fact I wonder if the author read it :P ) with a follow up on using Tamper Data. I will be going into the usage of the other tools I have listed there too.
June 23rd, 2008 at 6:21 pm
the internet is shit
This comment alone makes me realize the uselessness of you and your extreme lack of knowledge. Based on that comment, you should not be taken seriously because you obviously have NO clue. Go post somewhere where you can be a half-wit jacka$$ and still be taken seriously. How dumb.
June 23rd, 2008 at 6:23 pm
I agree, haha sounds like an idiot. This is a guy who read an article about hackers and now thinks he’s an authority.
June 25th, 2008 at 6:18 am
I have 3 extensions to Firefox. StumbleUpon, iMacros, and NoScript. The rest can gtfo and I can do everything much quicker manually.
btw, tl;dr = skid tools
June 26th, 2008 at 3:11 am
“would a hacker really waste time on http bullshit? rarely. ”
FACT: As of 2007, cross-site scripting carried out on websites was roughly 80% of all documented security vulnerabilities.
A note on the nature of things:
Any “hacking tool” that was as easy as point-and-click would be instantly popular and just as quickly universally protected against.
June 27th, 2008 at 5:06 pm
It’s sad how any post about sec tools always disintegrates into a script kiddy flame war. The reality is that Brad was just asking for information on what the tools are about and how they could be used, not a step-by-step guide on how to use them to exploit a system. Why not give a few links with information about http-header injection or XSS that provide an overview and not a link to something that directly walks them through the process of attacking a site?
You’re applying the same argument that people use against violence in video games, sex on tv, and bans on “underage” drinking. That of, “the people shouldn’t be exposed to any of it lest they become murdering alcoholic sex addicts”. Simple good judgment in exposure is all that is required. Show a little tit but not 2 girls 1 cup.
June 27th, 2008 at 5:25 pm
Brad, I’ve always been told if you don’t know, don’t ask….. google will never tell you that
June 30th, 2008 at 5:09 am
But seriously, if there was a site that explained how to use these add-ons to their fullest, what would I type into Google to get there? Just theoretically…
June 30th, 2008 at 12:07 pm
Just google search the FBI and ask those fine gentlemen to give you a what’s what in the world you’re about to enter.
Great post.
June 30th, 2008 at 3:07 pm
@John
I agree… thanks for not making me have to type that up myself
though info on headers can be found online… IF you look in the right places you can find exactly what you need. we shouldn’t hold back all info for fear of script kiddies (we don’t want to hinder the growth of, possibly, some people who actually WANT to learn the stuff) but we shouldn’t make it too easy on them either.
July 2nd, 2008 at 2:34 am
Nice. Tools are great. The new douches should just go learn like we all had to. Good Luck
July 2nd, 2008 at 7:02 am
@John
No. This isn’t the same as censorship. Refusing a quick summary to the script kiddies who come on here asking for a tutorial is closer to IRC vets telling newbies to RTFM.
We’re not trying to restrict the information from the newb hackers out there, but we recognize that it’s the kind of information that should require WORK and EFFORT to acquire.
I, for one, support telling anyone who comes onto this thread asking for a rundown on hacking to RTFM or JFGI. Normally, I’d be happy to provide a link…but I don’t want to be holding the hand of someone who might be trying to nuke my nameserver later.
July 3rd, 2008 at 6:07 pm
I just thought I would point out the fact that I think Brad misinterpreted the phrase “script kiddies.” He asked how to use the add-ons “efficiently” and in no way asked about how to use them for anything illegal. Sounded to me like he just wanted to learn a little more about what these add-ons are made for and what they can and should be used to do.
July 4th, 2008 at 7:10 am
I have always wanted to get into hacking/cracking, and the only thing that has held me up thus far is a lack of resources to acquire the information. Perhaps if someone could tell me what the hard way to find/learn this information is, be it a 5k page manual I have to read, or a 4 year school course I could attend, I would go and do so. Perhaps instead of walking someone through it, or saying RTFM, one of you geniuses could post some useful, if difficult to attain, advice, as opposed to congratulating each other on the lame flames and insults, or arguing the semantics of “help”, those who do have a genuine interest in learning could move along in their aspirations…
Just a thought.
-Master Spider
July 8th, 2008 at 12:21 am
I find it hilarious how all of you losers think you know more than the people before you when you yourself are merely showing your childishness by attempting to make yourself look intelligent and by calling yourself “Hackers” you put shame to the ones who actually Hack.
And to explain it in layman’s terms for all of you “JUST GROW UP AND STFU PLEASE”