Thursday, September 12, 2013

10 Useful Firefox Plugins For Pen-Testing

Weaponizing Your Web Browser  
An ordinary web browser is already in many ways an extremely versatile security tool. However, with the addition of just a few select plugins, you can also easily configure your browser to provide an application security assessment platform.

While there are a large number of Firefox plugins that have utility for security assessments, there is also a great deal of feature overlap between several of these projects. For a more comprehensive list of Firefox pentest plugins, you can see my plugin collection listed here:
DefendLink - Appsec Addons Collection

Here are 10 plugins that are extremely useful and provide unique functionality for application pen-testing (compatible with FF version 23.0 and above):




Johan Adriaans, Pedro Laguna
If you have some experience with web-application security testing, then Hackbar is definitely one of the most useful plugins.  It automates many of the repetitive tasks involved in manually testing sites for flaws like XSS and SQLi.


Tamperdata allows you to directly view and modify HTTP/HTTPS headers and POST parameters. It's amazing how many web apps are still vulnerable to this and rely on client-side input validation.


Firebug is an extremely versatile and well-documented tool. While the emphasis of the tool is debugging, it also has utility for penetration testing due to the ability to quickly dissect the structure of a page as well as directly modify page elements.


Elbert Alias
Wappalyzer allows for the detection of web application components including CMS software, CDN, operating systems, and web server revisions.


XSSME allows for scanning web forms for common cross-site scripting reflection attacks (non-persistent only).
SQL Inject Me

In a similar vein to XSSME, SecurityCompass's other plugin allows for testing of common SQL injection flaws right from the browser.

Passive recon provides a number of quick-fire shortcuts for performing standard profiling of a web-site and its online content in a convenient manner.

It's launched from within the context-menu of the browser. The "Show All" option does a quick info dump on the site.


FoxyProxy is a Firefox extension which automatically switches an internet connection across one or more proxy servers based on URL patterns. (Handy for toggling between interception proxies like ZAP, Burp Suite, etc.)

Cookies Manager+ provides an easy way to view, edit and create new cookies. It also shows extra information about cookies, allows editing multiple cookies at once, and lets you back them up and restore them.



The User Agent Switcher extension adds a menu and a toolbar button to alter the user agent of a browser. This plugin includes common user agents for mobile platforms and web spiders as well.


You might ask: with so many feature-rich web application scanners on the market, why even bother with browser extensions? The simple answer is that true application security assessments should never rely solely on scan results, but should instead take the time and effort required to validate vulnerabilities as well as uncover the many issues that scanners often will not detect. The plugins listed above provide functionality that can accelerate these manual review and validation efforts.

Ideas/Further Reading?

(Great set of problems for practicing your exploit skills).

What plugins do you find most useful for pen-testing? Do you have any experience using Chrome extensions for web application assessments? I'd love to hear your thoughts.