How to turn Firefox into a WebApp Assault Kit.

Posted on 3:51 PM by \\Camwi_003.exe*64

By using some brilliant Firefox extensions you can turn your Firefox-install into a perfect web-application assault kit.

Sometimes I do freelance work as a web-developer and other times i pen-test web sites on request (as a part of my work). I have been doing this for some years now, and by now I’ve collected some Firefox extensions to make the pen-testing a little more enjoyable (read: easier).

So in this post I’m gonna list some Firefox extensions that I use for pen-testing web-applications. But mark my words, these extensions will not turn you into a security professional just because you use them; you will still need knowledge. With knowledge comes power and with great power comes great responsibility, remember that!

Listed in alphabetical order:

Add N Edit Cookies:
Add N Edit Cookies gives you the ability to easily alter, edit or delete cookies, you can’t imagine how many sites there are that uses cookie variables like ‘admin = 0′…

Cookie Watcher:
This little extension shows the value of a selected cookie in your statusbar, this makes it easier to see when or if a cookie changes and that makes it easier to “reverse engineer” it.

Extended Cookie Manager:
This has the same functionality as the popular extension NoScript, but for cookies!

Firebug:
Gives you the ability to edit, debug, and monitor CSS, HTML, and JavaScript live in any web page. (Client-side off course)

FoxyProxy:
Did someone say switching proxies? This extension adds a small icon into your toolbar that shows the current proxy status and a drop down menu of proxies (which you manage in FP’s proxy-manager). It also gives you a nicer and more advanced proxy-manager!

HackBar:
A toolbar that helps you find and exploit SQL-injections.

Live HTTP Headers:
View the HTTP headers of a page requests while you are browsing, now you can ditch ettercap and ethereal ^H^H^H^H^H^H^H^Hwireshark.

Modify Headers:
Did someone say HTTP Header Injection? This tool gives you the power you need to alter any header Firefox sends out, persistent or temporarily.

NoScript:
NoScript allows JavaScript, Java, Flash and any other plugins only for your trusted domain(s). Great for protecting yourself towards the authorities. (Yes, Java can reveal your real IP-number)

RefControl:
Control what gets sent as the HTTP-Referer on a per-site basis.

Tamper Data:
I love this extension; it gives you the ability to view and modify everything from headers to POST-requests sent from your browser. A must have in every web-application hackers toolkit!

User Agent Switcher:
Adds a menu and a toolbar button to switch the user-agent of the browser.

Note that many of these extensions does pretty much the same thing, but they complement each other.

0 comments: