An ordinary web browser is already in many ways an extremely versatile security tool. However, with the addition of just a few select plugins, you can also easily configure your browser to provide an application security assessment platform.
While there are a large number of Firefox plugins that have utility for security assessments, there is also a great deal of feature overlap between several of these projects. For a more comprehensive list of Firefox pentest plugins, you can see my plugin collection listed here:
DefendLink - Appsec Addons Collection
Here are 10 plugins that are extremely useful and provide unique functionality for application pen-testing (compatible with FF version 23.0 and above):
#1
HACKBAR
Developer
Johan Adriaans, Pedro Laguna
If you have some experience with web-application security testing, then Hackbar is definitely one of the most useful plugins. It automates many of the repetitive tasks involved in manually testing sites for flaws like XSS and SQLi.
#2
TAMPERDATA
Developer
Tamperdata allows you to directly view and modify HTTP/HTTPS headers and POST parameters. It's amazing how many web apps are still vulnerable to this and rely on client-side input validation.
#3
FIREBUG
Developer
Firebug is an extremely versatile and well-documented tool. While its emphasis is debugging, it also has utility for penetration testing because it can quickly dissect the structure of a page as well as directly modify page elements.
#4
WAPPALYZER
Developer
Elbert Alias
Wappalyzer allows for the detection of web application components including CMS software, CDNs, operating systems, and web server revisions.
#5
XSSME
Developer
XSSME allows you to scan web forms for common reflected cross-site scripting flaws (non-persistent only).
#6
SQL Inject Me
Developer
In a similar vein to XSSME, SecurityCompass's other plugin allows for testing of common SQL injection flaws right from the browser.
#7
PASSIVERECON
Developer
Passive Recon provides a number of quick-fire shortcuts for performing standard profiling of a website and its online content in a convenient manner. It's launched from within the browser's context menu. The "Show All" option does a quick info dump on the site.
#8
FOXYPROXY
Developer
FoxyProxy is a Firefox extension that automatically switches an internet connection across one or more proxy servers based on URL patterns. (Handy for toggling between interception proxies like ZAP, Burp Suite, etc.)
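To show what pattern-based proxy switching of the kind FoxyProxy does actually looks like, here is an added example (not from the original post or the FoxyProxy project) written as a PAC-style FindProxyForURL selector. The rule table, the host names and the proxy address are constructed assumptions; the wildcard helper stands in for the PAC built-in shExpMatch so the block runs under Node.

```javascript
// Added example: a PAC-style selector that models FoxyProxy-like switching.
// Browsers evaluate FindProxyForURL(url, host) from a PAC file; the wildcard
// helper below replaces the PAC built-in shExpMatch so this runs under Node.

// Assumed, constructed rule table: first matching pattern wins, default is DIRECT.
const RULES = [
  { pattern: "*.lab.example",        proxy: "PROXY 127.0.0.1:8080" }, // lab hosts via interception proxy
  { pattern: "staging.example.test", proxy: "PROXY 127.0.0.1:8080" },
  { pattern: "*.example.test",       proxy: "DIRECT" },               // rest of that zone bypasses the proxy
];

// Shell-style wildcard match: '*' matches any run of characters, '?' exactly one.
function wildcardMatch(pattern, value) {
  const re = "^" + pattern.split("").map((ch) => {
    if (ch === "*") return ".*";
    if (ch === "?") return ".";
    return ch.replace(/[.+^${}()|[\]\\]/g, "\\$&"); // escape regex metacharacters
  }).join("") + "$";
  return new RegExp(re, "i").test(value);
}

// Same signature the browser calls for every request when a PAC file is configured.
function FindProxyForURL(url, host) {
  for (const rule of RULES) {
    if (wildcardMatch(rule.pattern, host)) return rule.proxy;
  }
  return "DIRECT"; // anything not listed goes straight out, untouched by the proxy
}

// Convenience wrapper that derives the host from a full URL, as the browser would.
function proxyFor(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}
```

A rule table like this is what keeps the interception proxy scoped to the hosts in scope for the assessment, with everything else bypassing it.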
#9
COOKIES MANAGER+
Cookies Manager+ provides an easy way to view, edit and create new cookies. It also shows extra information about cookies, allows editing multiple cookies at once, and can back them up and restore them.
#10
USER AGENT SWITCHER
Developer
The User Agent Switcher extension adds a menu and a toolbar button for altering the browser's user agent. This plugin includes common user agents for mobile platforms and web spiders as well.
Conclusion