With a handful of brilliant Firefox extensions you can turn a plain Firefox install into a very capable web-application assault kit.
Sometimes I do freelance work as a web developer, and other times I pen-test web sites on request (as part of my work). I have been doing this for some years now, and along the way I've collected a set of Firefox extensions that make pen-testing a little more enjoyable (read: easier).
So in this post I'm going to list the Firefox extensions I use for pen-testing web applications. But mark my words: these extensions will not turn you into a security professional just because you use them; you still need the knowledge. With knowledge comes power, and with great power comes great responsibility. Remember that!
Listed in alphabetical order:
Add N Edit Cookies:
Add N Edit Cookies lets you easily view, alter, add or delete cookies. You can't imagine how many sites there are that keep authorization state in cookie values like 'admin=0' and trust whatever value comes back...
Cookie Watcher:
This little extension shows the value of a selected cookie in your status bar, which makes it easy to see when (or if) a cookie changes, and that in turn makes it easier to "reverse engineer" how the value is built.
Extended Cookie Manager:
The same idea as the popular NoScript extension, but for cookies: allow or block cookies per site, so you decide exactly which hosts may set them.
Firebug:
Lets you edit, debug and monitor CSS, HTML and JavaScript live in any web page (client-side only, of course). Handy for stripping client-side restrictions such as maxlength attributes or JavaScript form validation before a request is sent.
FoxyProxy:
Did someone say switching proxies? This extension adds a small toolbar icon that shows the current proxy status and a drop-down menu of proxies (which you manage in FoxyProxy's proxy manager). It also gives you a nicer and more advanced proxy manager than Firefox's own, which is exactly what you want when flipping between a direct connection and an intercepting proxy.
HackBar:
A toolbar for hand-editing the URL and POST body of a request, with encode/decode helpers (URL, Base64, hex) and canned SQL-injection and XSS snippets, which makes finding and exploiting SQL injection a lot less tedious.
Live HTTP Headers:
View the HTTP headers of page requests while you browse; now you can ditch ettercap and ethereal ^H^H^H^H^H^H^H^Hwireshark for this job.
Modify Headers:
Did someone say HTTP header injection? This tool gives you the power to add, alter or filter any header Firefox sends out, either persistently or temporarily.
NoScript:
NoScript allows JavaScript, Java, Flash and any other plugins only for the domain(s) you trust. Great for protecting your own anonymity while testing. (Yes, a Java applet can reveal your real IP address even when you browse through a proxy.)
RefControl:
Control what gets sent as the HTTP Referer header on a per-site basis; useful against checks that treat the Referer as proof that a request came from the site's own pages.
Tamper Data:
I love this extension; it lets you view and modify everything from headers to POST bodies as they leave your browser, before they reach the server. A must-have in every web-application hacker's toolkit!
User Agent Switcher:
Adds a menu and a toolbar button to switch the User-Agent string the browser sends, so you can see what a site serves to other browsers, mobile devices or search-engine crawlers.
Note that many of these extensions do pretty much the same thing, but they complement each other.