Last Modified: October 25 2008 00:52:13.

Turning Firefox Into A Web Application Assault Kit - March 2008

By using some brilliant Firefox extensions you can turn your Firefox install into a perfect web application assault kit.

Sometimes I do freelance work as a web developer and other times I pen-test web sites on request (as a part of my work). I have been doing this for some years now, and by now I've collected some Firefox extensions to make the pen-testing a little more enjoyable (read: easier).

So in this post I'm gonna list some Firefox extensions that I use for pen-testing web applications. But mark my words: these extensions will not turn you into a security professional just because you use them; you will still need knowledge.

With knowledge comes power and with great power comes great responsibility, remember that!

Listed in alphabetical order

Add N Edit Cookies:

Add N Edit Cookies gives you the ability to easily alter, edit or delete cookies. You can't imagine how many sites there are that use cookie variables like 'admin = 0'...
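To show why a cookie like 'admin = 0' is worthless as an authorisation check, and how a server can detect that a cookie editor changed it, here is an added example (not code from the original post or from any of the extensions); the cookie parsing, the secret and all function names are assumptions made for the demo.

```python
"""Added example: a naive 'admin' cookie check beside an HMAC-signed one.
The signed variant lets the server reject a value edited in the browser."""
import hashlib
import hmac

# Constructed demo secret; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def parse_cookie_header(cookie_header: str) -> dict:
    """Minimal 'k=v; k2=v2' parser (assumption: no quoting or attributes)."""
    pairs = (p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    return dict(pairs)


def naive_is_admin(cookie_header: str) -> bool:
    """The broken pattern: trust whatever the client sends as 'admin'."""
    return parse_cookie_header(cookie_header).get("admin") == "1"


def sign_value(value: str) -> str:
    """Encode a cookie value as 'value.hexmac' so it can be verified later."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(signed: str):
    """Return the original value if the MAC is valid, otherwise None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None  # no MAC present at all: treat as tampered/missing
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the MAC through timing differences
    if not hmac.compare_digest(mac, expected):
        return None
    return value


def signed_is_admin(cookie_header: str) -> bool:
    """Only honour 'admin=1' when the server's own MAC over it checks out."""
    signed = parse_cookie_header(cookie_header).get("admin", "")
    return verify_value(signed) == "1"
```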

Cookie Watcher:

This little extension shows the value of a selected cookie in your status bar. This makes it easier to see when (or if) a cookie changes, which in turn makes it easier to "reverse engineer" it.

Extended Cookie Manager:

This has the same functionality as the popular extension NoScript, but for cookies!

Firebug:

Gives you the ability to edit, debug and monitor CSS, HTML and JavaScript live in any web page (client-side, of course).

FoxyProxy:

This extension adds a small icon to your toolbar that shows the current proxy status and a drop-down menu of proxies (which you manage in FoxyProxy's proxy manager). It also gives you a nicer and more advanced proxy manager!

Hackbar:

A toolbar that helps you find and exploit SQL injections.

Live HTTP Headers:

View the HTTP headers of page requests while you are browsing; now you can ditch ettercap and ethereal ^H^H^H^H^H^H^H^Hwireshark.

Modify Headers:

Did someone say HTTP header injection? This tool gives you the power you need to alter any header Firefox sends out, either persistently or temporarily.

NoScript:

NoScript allows JavaScript, Java, Flash and any other plugins only for your trusted domain(s). Great for protecting yourself from the authorities. (Yes, Java can reveal your real IP address.)

RefControl:

Control what gets sent as the HTTP Referer header on a per-site basis.

Tamper Data:

I love this extension; it gives you the ability to view and modify everything from headers to POST requests sent from your browser. A must-have in every web application hacker's toolkit!

User Agent Switcher:

Adds a menu and a toolbar button to switch the user agent of the browser.

Note that many of these extensions do pretty much the same thing, but they complement each other.