2010 was supposed to be the year of the Tiger, but it’s felt more like the year of Pwny so far. This article covers some Firefox add-ons that help you test your own apps, whether you’re working with a penetration tester, or by default, you are the penetration tester.
I’ll start with the obvious candidates that you probably already have installed if you’re a developer. I’ve also added a few that are useful for post-hack diagnostics and recovery.
DNS Cache – simple addon that lets you clear or disable Firefox’s DNS cache. Not specifically for pen testing, but useful nonetheless.
Notable – love this addon, which lets you do a full-page screenshot with annotations over at notableapp.com. As you’re testing, there’s a good chance you’re going to need to show your other devs or account managers a screenshot so they can see the vulnerability being exploited. While something simple like Fireshot would work fine (or native screenshots), I like using Notable for complex situations that require explanations on multiple points on the page. Exports to annotated PDF.
SQL Inject Me – helps test for SQL injection vulnerabilities.
XSS Me – used to test for reflected Cross-Site Scripting (XSS). It does NOT currently test for stored XSS.
Access Me – used to test some access vulnerabilities related to web applications. The tool works by sending several versions of the last page request. A request with the session removed will be sent. A request using the HTTP HEAD verb and a request using a made up SECCOM verb will be sent. A combination of session and HEAD/SECCOM will also be sent.
Hackbar – helps with testing sql injections, XSS holes and site security. Ugly as sin, but it works well.
Header and URL Monitoring/Tampering
Note that some of these addons do similar things – try them and stick with whichever one you like best.
HttpFox – monitors and analyzes all incoming and outgoing HTTP traffic between the browser and the web servers.
Live HTTP Headers – view HTTP headers of a page and while browsing.
Modify Headers – add, modify and filter http request headers. You can modify the user-agent string, add headers to spoof a mobile request (e.g. x-up-calling-line-id) and much more.
Tamper Data – use tamperdata to view and modify HTTP/HTTPS headers and post parameters, trace and time http response/requests and security test web applications by modifying POST parameters.
User Agent Switcher – allows you to easily toggle between pre-set user agent strings, or set your own.
Header Spy – lightweight addon that displays information about the website’s server in your statusbar. This is not as useful for pen testing as it is for impressing the crap out of clients who don’t know what server they’re running. 😛
Host Spy – integrated shortcut to show you who a website’s IP neighbors are on shared hosting.
ShowIP – Small addons that shows the IP address of the website in your statusbar and a link to some additional tools.
URL Flipper – quickly and easily increment and decrement numbers and strings in URLs for navigating through URL sequences (for example, user ids or session info in the query string.)
Offensive Security Exploit Database – this adds the excellent database of exploits at exploit-db.com as one of your search engine options.
I’ve also just created a search plugin for XSSed.Com,
but it’s pending approval at Mozilla, so not sure when that will be ready for you which can be downloaded here. It’s not exactly rocket science to add a new search site to your browser search bar, but I figured it was quick and easy to whip up. Feel free to check out the source code for the plugin here.
Too Many Addons Got You Down?
If you’re finding your plugins are slowing down Firefox too much, you might want to create a separate Firefox profile specifically for testing, and switch to that profile when you’re ready to start hammering away. Also bear in mind that you might need to tweak some settings on these, or only enable them right before you use them, as the toolbars and sidebars can be a bit bulky.
Also keep in mind that the Net option on the web developers toolbar, or any of the header analyzer addons can be very helpful in general testing between dev and live environments (load the page on live and make sure nothing is being pulled from the dev address) and also to make sure your SSL requests are being handled correctly.
Some Additional Thoughts…
When folks ask me how I do penetration testing – whether I use software, or do it by hand – the best way I can answer is “both”. Software will only ever get you so far, but it’s a critical tool in helping you figure out where the vulnerabilities are. It’s not unlike using a metal detector to find treasure. When the metal detector is doing its job, it finds, well, metal. Not necessarily treasure, although fancier metal detectors have additional software that helps try to identify the buried object by shape and size. You still have to physically dig up the item and rely on your knowledge and experience to determine whether or not it really is treasure, or just junk. The metal detector simply finds something that meets a basic set of requirements, to save you from having to dig up every square inch of the beach.
The reason I ended this post with a long-winded ramble is because I wanted to make it clear that just having the tools isn’t enough. Actually using them, and knowing what to do with the results are important. Understanding the basic mechanics of how exploits work is the only way you can make sure your applications are written to mitigate them. Having the tools installed but never understanding or using them is like buying a metal detector and keeping in the closet and then wondering why you haven’t found anything valuable yet.
If you’re interested in learning more about web application penetration testing and security, check out the following books:
- The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws
- Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast
- Foundations of Security: What Every Programmer Needs to Know
- Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques
How Do You XSS?
These addons are not obviously meant to be a replacement for more capable and thorough penetration testing tools such as metaploit, netsparker, etc. They’re just meant to be a convenient way for developers to test code during and after development.
There is a more comprehensive collection of addons listed here, but this is what I use. If you’ve got a favorite that I’ve missed, please be sure to share in the comments!