How to turn Firefox into a WebApp Assault Kit.

Posted on 3:51 PM by \\Camwi_003.exe*64

By using some brilliant Firefox extensions you can turn your Firefox-install into a perfect web-application assault kit.

Sometimes I do freelance work as a web-developer and other times i pen-test web sites on request (as a part of my work). I have been doing this for some years now, and by now I’ve collected some Firefox extensions to make the pen-testing a little more enjoyable (read: easier).

So in this post I’m gonna list some Firefox extensions that I use for pen-testing web-applications. But mark my words, these extensions will not turn you into a security professional just because you use them; you will still need knowledge. With knowledge comes power and with great power comes great responsibility, remember that!

Listed in alphabetical order:

Add N Edit Cookies:
Add N Edit Cookies gives you the ability to easily alter, edit or delete cookies, you can’t imagine how many sites there are that uses cookie variables like ‘admin = 0′…

Cookie Watcher:
This little extension shows the value of a selected cookie in your statusbar, this makes it easier to see when or if a cookie changes and that makes it easier to “reverse engineer” it.

Extended Cookie Manager:
This has the same functionality as the popular extension NoScript, but for cookies!

Gives you the ability to edit, debug, and monitor CSS, HTML, and JavaScript live in any web page. (Client-side off course)

Did someone say switching proxies? This extension adds a small icon into your toolbar that shows the current proxy status and a drop down menu of proxies (which you manage in FP’s proxy-manager). It also gives you a nicer and more advanced proxy-manager!

A toolbar that helps you find and exploit SQL-injections.

Live HTTP Headers:
View the HTTP headers of a page requests while you are browsing, now you can ditch ettercap and ethereal ^H^H^H^H^H^H^H^Hwireshark.

Modify Headers:
Did someone say HTTP Header Injection? This tool gives you the power you need to alter any header Firefox sends out, persistent or temporarily.

NoScript allows JavaScript, Java, Flash and any other plugins only for your trusted domain(s). Great for protecting yourself towards the authorities. (Yes, Java can reveal your real IP-number)

Control what gets sent as the HTTP-Referer on a per-site basis.

Tamper Data:
I love this extension; it gives you the ability to view and modify everything from headers to POST-requests sent from your browser. A must have in every web-application hackers toolkit!

User Agent Switcher:
Adds a menu and a toolbar button to switch the user-agent of the browser.

Note that many of these extensions does pretty much the same thing, but they complement each other.