Firefox is a popular web browser from Mozilla. Its popularity comes not only from being a good web browser but also from its support for add-ons that enhance its functionality. Mozilla's add-on website hosts thousands of useful add-ons in different categories, and some of them are useful for penetration testers and security analysts. These penetration testing add-ons help in performing different kinds of attacks and in modifying request headers directly from the browser, which reduces the need for a separate tool for most penetration testing and hacking-related tasks.
1. Websecurify
Websecurify Suite is a collection of web application security tools available from inside your browser. The Suite is easy to use, fast, efficient, reliable and always available. Websecurify is a nice penetration testing tool that is also available as an add-on for Firefox. We have already covered WebSecurify in detail in a previous article. WebSecurify can detect the most common vulnerabilities in web applications; it easily detects XSS, SQL injection and other web application vulnerabilities. Unlike the other listed tools, it is a complete penetration testing tool in itself, available as a browser add-on, and it gives most of the features available in the standalone tool.
More awesome features:
• Easy to use
• Always available
• Runs inside your browser
• Easily extensible with browser extensions
• Exportable reports
• Integration with 3rd-party tools
• Automated and manual testing capabilities
• Instantaneous updates
• The full and complete testing engine
• Fully configurable
• Flexible, hassle-free
• Can test OWASP TOP 10 and WASC
• Observing HTTP requests & responses
• Resend HTTP requests
• Cherry-pick the tools you need the most
• Fun to use
2. User Agent Switcher
The User Agent Switcher add-on adds a one-click user agent switch to the browser, as a menu and a toolbar button. Whenever you want to switch the user agent, use the browser button. The add-on helps in spoofing the browser while performing some attacks.
3. HackBar
HackBar will help you in testing SQL injections, XSS holes and site security.
It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site.
Its main purpose is to help a developer do security audits on his code.
If you know what you're doing, this toolbar will help you do it faster.
If you want to learn to find security holes, you can also use this toolbar, but you will probably also need a book, a lot of Google and a brain.
Advantages:
– Even the most complicated URLs will be readable
– The focus will stay on the textarea, so after executing the URL (Ctrl+Enter) you can just go on typing / testing
– The URL in the textarea is not affected by redirects.
– I tend to use it as a notepad 🙂
– Useful tools like on-the-fly UU/URL decoding etc.
– All functions work on the currently selected text.
– MD5/SHA1/SHA256 hashing
– MySQL/MS SQL Server/Oracle shortcuts
– XSS useful functions
– And lots more 😉 Go test it!
Shortcuts
– Load URL ( Alt + A )
– Split URL ( Alt + S )
– Execute ( Alt + X, Ctrl + Enter )
– INT -1 ( Alt – )
– INT +1 ( Alt + )
– HEX -1 ( Ctrl Alt – )
– HEX +1 ( Ctrl + Alt + )
– MD5 Hash ( Alt + M )
– MySQL CHAR() ( Alt + Y )
– MS SQL Server CHAR() ( Alt + Q )
4. Firebug
Firebug is an add-on for Firefox that provides access to browser internals. It features live editing of HTML and CSS, a DOM viewer, and a JavaScript debugger. Web application security testers appreciate the ability to see what's happening behind the scenes of the browser. Firebug is a free and open-source web browser extension for Mozilla Firefox that facilitates the live debugging, editing, and monitoring of any website's CSS, HTML, DOM, XHR, and JavaScript.
Firebug integrates with Firefox to put a wealth of web development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.
Features
>Inspect HTML and modify style and layout in real-time
>Use the most advanced JavaScript debugger available for any browser
>Accurately analyze network usage and performance
>Extend Firebug and add features to make Firebug even more powerful
>Get the information you need to get it done with Firebug
New features for Firebug users:
>Performance Panel – The Performance tool gives you insight into your site’s general responsiveness, JavaScript and layout performance.
>Memory Panel – The Memory tool lets you take a snapshot of the current tab’s memory heap.
>Web Audio Editor, Shader Editor and Canvas – Developer Tools for debugging media-rich content on the web.
>Storage Inspector – The Storage Inspector enables you to inspect various types of storage that a web page can use (cache, cookies, local & session storage, indexedDB).
>Responsive Design Mode – Responsive Design Mode makes it easy to see how your website or web app will look on different screen sizes.
>Animation Inspector – The Animation Inspector displays animations in the page synchronized along a timeline, with a draggable widget you can use to move to any point in the timeline and see the page at that point.
And more
5. Tamper Data
Tamper Data is an add-on for Firefox that lets you view and modify HTTP requests before they are sent.
It shows what information the web browser is sending on your behalf, such as cookies and hidden form fields. Use of this plugin can reveal web applications that trust the client not to misbehave.
Security and Privacy
All data in request headers and body is recorded.
Be aware of this when surfing to sites that request passwords etc.
e.g. it may not be a good idea to leave this extension running while performing online banking.
Compatibility
As this tool modifies values in the request, other tools such as Live HTTP Headers (on which the complicated parts of this code are based) may not work correctly at the same time as Tamper Data.
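The point in the description above, that Tamper Data "can reveal web applications that trust the client not to misbehave", is easiest to see with a server-side handler. The following is an added example, not code from the original post or from the Tamper Data add-on: a checkout handler that believes a hidden `price` form field exactly as submitted, beside a hardened version that takes the price from a server-side catalogue and validates the remaining fields. The catalogue, the form bodies and the handler names are all constructed for the example.

```python
"""Added example (not code from the original post or from the Tamper Data
add-on): a checkout handler that trusts a hidden form field, beside a hardened
version that does not.

Tamper Data lets the person at the browser edit any request field after the
page's JavaScript has run, so whatever the server reads straight from the form
body is under the client's control. The catalogue, the form bodies and the
handlers are all constructed for this example.
"""
from urllib.parse import parse_qs

# Constructed server-side catalogue: the only place a price should come from.
CATALOGUE = {"sku-100": 4999, "sku-200": 12500}  # prices in cents


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_trusting_client(body: str) -> dict:
    """Vulnerable: the hidden 'price' field is believed exactly as submitted."""
    form = parse_form(body)
    qty = int(form["qty"])
    price = int(form["price"])  # client-controlled hidden field
    return {"sku": form["sku"], "total": qty * price}


def checkout_server_authoritative(body: str) -> dict:
    """Hardened: price comes from the catalogue and client fields are validated."""
    form = parse_form(body)
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        return {"error": "unknown sku"}
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        return {"error": "qty must be an integer"}
    if not 1 <= qty <= 100:
        return {"error": "qty out of range"}
    # A submitted 'price' field is ignored entirely.
    return {"sku": sku, "total": qty * CATALOGUE[sku]}


# Constructed request bodies: what the page's form normally sends, and the same
# request after the hidden price field was edited in the browser.
ORIGINAL_BODY = "sku=sku-100&qty=2&price=4999"
TAMPERED_BODY = "sku=sku-100&qty=2&price=1"

if __name__ == "__main__":
    print(checkout_trusting_client(TAMPERED_BODY))       # total collapses to 2
    print(checkout_server_authoritative(TAMPERED_BODY))  # total stays 9998
```

The hardened handler never reads a price from the request at all; hidden fields are fine for carrying state the server can re-derive or verify, but not for anything that has to be trusted.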
6. NoScript
>NoScript (or NoScript Security Suite) is a free and open-source extension for Mozilla Firefox, SeaMonkey, and other Mozilla-based web browsers, created and actively maintained by Giorgio Maone, an Italian software developer and member of the Mozilla Security Group.
>NoScript allows executable web content such as JavaScript, Java, Flash, Silverlight, and other plugins only if the hosting site is considered trusted by its user and has been previously added to a whitelist.
>NoScript also offers specific countermeasures against security exploits.
>NoScript is an add-on for Firefox that blocks JavaScript, Java, Flash, and other plugin content (allowing you to selectively re-enable them for certain sites).
>It also offers cross-site scripting protection. This is mainly designed to keep web users safe, but security testers can also use the add-on to see what scripts a site is using.
7. SQL Inject Me
SQL Inject Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.
The tool works by submitting your HTML forms with the form values replaced by strings that are representative of an SQL injection attack, that is, by sending database escape strings through the form fields. It then looks for database error messages that are output into the rendered HTML of the page.
The tool does not attempt to compromise the security of the given system. It looks for possible entry points for an attack against the system. There is no port scanning, packet sniffing, password hacking or firewall attacks done by the tool.
You can think of the work done by the tool as the same as the QA testers for the site manually entering all of these strings into the form fields.
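The detection the description above relies on, a database error message appearing in the rendered HTML, only works when the application both builds SQL by string concatenation and echoes the raw exception to the page. The following is an added example, not code from the original post or from the Exploit-Me project: an in-memory SQLite table stands in for the application's database, a vulnerable lookup is shown beside one that uses a bound parameter and a generic error page, and a small signature check plays the role of the scanner reading the response. The table, the probe string and the signature list are constructed for the example and are not the tool's own.

```python
"""Added example (not code from the original post or from the Exploit-Me
project): how an error-based probe like the one SQL Inject Me sends is
detected in a response, and why a parameterized query plus a generic error
page closes the finding.

Everything here is constructed: an in-memory SQLite table stands in for the
application's database, and the two handlers stand in for a form's server
side. The error signatures are a small illustrative set, not the tool's list.
"""
import re
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'hunter2')")

# Fragments that betray a database error leaking into a page. A scanner that
# finds one in the rendered HTML has found a probable injection point.
DB_ERROR_SIGNATURES = [
    re.compile(r"unrecognized token", re.I),                    # SQLite
    re.compile(r"near \".*\": syntax error", re.I),             # SQLite
    re.compile(r"You have an error in your SQL syntax", re.I),  # MySQL
    re.compile(r"ORA-\d{5}", re.I),                             # Oracle
    re.compile(r"Unclosed quotation mark", re.I),               # MS SQL Server
]


def page_leaks_db_error(html: str) -> bool:
    """Return True if the response body contains a database error message."""
    return any(sig.search(html) for sig in DB_ERROR_SIGNATURES)


def lookup_vulnerable(name: str) -> str:
    """Vulnerable: string concatenation, and the raw exception goes to the page."""
    try:
        sql = "SELECT name FROM users WHERE name = '" + name + "'"
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"<html><body>Error: {exc}</body></html>"
    if row:
        return "<html><body>Found</body></html>"
    return "<html><body>No such user</body></html>"


def lookup_hardened(name: str) -> str:
    """Hardened: bound parameter, and any failure yields a generic page.

    In a real application the exception would be logged server-side; the user
    only ever sees the generic message.
    """
    try:
        row = conn.execute(
            "SELECT name FROM users WHERE name = ?", (name,)
        ).fetchone()
    except sqlite3.Error:
        return "<html><body>Something went wrong</body></html>"
    if row:
        return "<html><body>Found</body></html>"
    return "<html><body>No such user</body></html>"


# Constructed probe: a single quote is the database escape character the
# description refers to. Against the hardened handler it is just a name.
PROBE = "alice'"

if __name__ == "__main__":
    print(page_leaks_db_error(lookup_vulnerable(PROBE)))  # True
    print(page_leaks_db_error(lookup_hardened(PROBE)))    # False
```

Note that the hardened version would still be wrong if it only hid the error while keeping the concatenated query; error suppression removes the scanner's signal, the bound parameter removes the vulnerability.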
8. Web Developer
Web Developer is another nice add-on that adds various web development tools in the browser. It helps in web application penetration testing.
9. CryptoFox
CryptoFox is an encryption and decryption tool for Mozilla Firefox. It supports most of the commonly available encryption algorithms, so you can easily encrypt or decrypt data with any supported algorithm. The add-on also comes with dictionary attack support for cracking MD5 password hashes. Although it does not have good reviews, it works satisfactorily.
CryptoFox supports the following:
- AES 128-bit Encrypt
- AES 128-bit Decrypt
- AES 192-bit Encrypt
- AES 192-bit Decrypt
- AES 256-bit Encrypt
- AES 256-bit Decrypt
- ASCII to Binary
- ASCII to Hexadecimal
- Base 64 Encode
- Base 64 Decode
- Binary to ASCII
- Binary to Decimal
- Binary to Hexadecimal
- Binary to Octal
- Caesar Encrypt
- Caesar Decrypt
- Decimal to Binary
- Decimal to Hexadecimal
- Decimal to Octal
- DES Encrypt
- Generate CRC32 Checksum
- Hexadecimal to ASCII
- Hexadecimal to Binary
- Hexadecimal to Decimal
- Hexadecimal to Octal
- HTML Entities Encode
- MD5 Dictionary attack
- MD5 Encrypt
- Morse Code Encrypt
- Morse Code Decrypt
- Octal to Binary
- Octal to Decimal
- Octal to Hexadecimal
- Reverse
- ROT-13
- SHA1 Encrypt
- SHA256 Encrypt
- URL Encode
- URL Decode
- XOR Encrypt
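The "MD5 Dictionary attack" entry in the list above is worth understanding from the defender's side: it works because an unsalted hash of a common password is the same for every user and every site, so one precomputed table answers all of them. The following is an added example, not code from the original post or from CryptoFox: it reproduces the dictionary lookup against unsalted MD5 and then shows why a salted, iterated hash (PBKDF2-HMAC-SHA256 via `hashlib`, chosen here for illustration) removes that shortcut. The word list and the stored passwords are constructed for the example.

```python
"""Added example (not code from the original post or from CryptoFox): why an
MD5 dictionary attack of the kind the add-on offers recovers unsalted password
hashes in a single pass, and how salted, iterated hashing removes that shortcut.

The word list and the passwords are constructed for this example. PBKDF2-HMAC
via hashlib is a standard defence chosen for illustration, not a CryptoFox
feature.
"""
import hashlib
import hmac
import os

# Constructed word list; real lists run to millions of entries.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "summer2015"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 digest, as the add-on's 'MD5 Encrypt' entry produces it."""
    return hashlib.md5(text.encode()).hexdigest()


def md5_dictionary_attack(stored_hashes: list) -> dict:
    """Hash the word list once and look every stored hash up in that table.

    Without a salt the same table serves every user and every site, which is
    what makes unsalted MD5 password storage so cheap to break.
    """
    table = {md5_hex(word): word for word in WORDLIST}
    return {h: table[h] for h in stored_hashes if h in table}


def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    """Store a password as 'salt$iterations$digest' (all hex) with a random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed user database: one weak password, one passphrase not in the list.
UNSALTED_DB = [md5_hex("hunter2"), md5_hex("correct horse battery staple")]

if __name__ == "__main__":
    print(md5_dictionary_attack(UNSALTED_DB))  # only 'hunter2' is recovered
    a, b = pbkdf2_store("hunter2"), pbkdf2_store("hunter2")
    # Same password, different stored values, both verify: no shared table.
    print(a != b, pbkdf2_verify("hunter2", a), pbkdf2_verify("hunter2", b))
```

With a per-user salt the attacker must run the whole word list once per user, and with a high iteration count each of those guesses costs as much as a legitimate login check; the weak password is still weak, but the one-table-for-everyone shortcut is gone.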
10. FoxyProxy Standard
FoxyProxy is an advanced proxy management add-on for the Firefox browser that improves on Firefox's built-in proxy capabilities. There are a few other similar proxy management add-ons available, but FoxyProxy offers more features than the others. Based on URL patterns, it switches the connection across one or more proxy servers, and it displays an animated icon while a proxy is in use. If you want to see which proxies the tool used, you can check its logs.
>Switch proxies with URL pattern matching
>Custom colors make it easy to see which proxy is in use
>Advanced logging shows you which proxies were used and when
>Automatically synchronize all of your proxy settings with your other Firefox instances when you use Firefox Sync. Import/Export settings to files when not using Firefox Sync
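To make the "switch proxies with URL pattern matching" behaviour concrete, here is an added example, not code from the original post or from FoxyProxy: a minimal model of rule-based proxy selection in which each rule pairs a hostname wildcard with a proxy, the first matching rule wins, and a log records which proxy served which URL, in the spirit of the add-on's logging view. The rules, proxy address and sample URLs are constructed for the example, and the add-on's real pattern syntax is richer than this.

```python
"""Added example (not code from the original post or from FoxyProxy): a minimal
model of rule-based proxy selection of the kind the add-on performs. Each rule
pairs a hostname wildcard with a proxy, the first matching rule wins, and a log
records which proxy served which URL. Rules, proxy address and URLs are
constructed for this example; FoxyProxy's real pattern syntax is richer.
"""
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit

DIRECT = None  # no proxy: connect directly

# Constructed rule set. Order matters: only the in-scope test host is sent
# through the local intercepting proxy; everything else bypasses it, so that
# unrelated browsing never passes through the testing proxy by accident.
RULES = [
    ("*.example.test", "http://127.0.0.1:8080"),
    ("example.test", "http://127.0.0.1:8080"),
    ("*", DIRECT),
]


def select_proxy(url: str, rules=RULES, log: Optional[list] = None):
    """Return the proxy for url (None for direct) and append the decision to log.

    Patterns are matched against the hostname only, not the whole URL, so a
    hostname look-alike placed in the path or query string cannot pull a
    request onto the wrong proxy.
    """
    host = urlsplit(url).hostname or ""
    for pattern, proxy in rules:
        if fnmatchcase(host, pattern):
            if log is not None:
                log.append((url, pattern, proxy))
            return proxy
    if log is not None:
        log.append((url, None, DIRECT))
    return DIRECT


def route_all(urls: list) -> list:
    """Route a batch of URLs and return the log: (url, matched pattern, proxy)."""
    log: list = []
    for u in urls:
        select_proxy(u, log=log)
    return log


# Constructed sample URLs: in-scope host, unrelated site, and a URL that only
# mentions the in-scope hostname in its query string.
SAMPLE_URLS = [
    "https://app.example.test/login",
    "https://www.mozilla.org/",
    "https://other.invalid/?next=app.example.test",
]

if __name__ == "__main__":
    for entry in route_all(SAMPLE_URLS):
        print(entry)
```

Matching on the parsed hostname rather than the raw URL string is the one design choice worth copying when writing rules of this kind: a pattern such as `*example.test*` applied to the whole URL would also match the third sample URL, which belongs to a different host entirely.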