Saturday 7 January 2012

Useful Firefox Add-ons regarding Pentesting

There are really a lot of different and useful Add-ons for Firefox that can be used when executing a Pentest. 

A good starting point is the FireCAT project (Firefox Catalog of Auditing exTensions). FireCAT provides a mind map that categorizes security and audit Add-ons for Firefox. You can download this catalogue as HTML or as the actual mind map. The result of the FireCAT project is also the basis for Mantra. Mantra is a special Firefox version that has been adapted for students, penetration testers, web application developers, security professionals etc. and contains almost all Add-ons of the FireCAT mind map.

As there is already a catalogue of Add-ons maintained by FireCAT, I don't want to start my own list here. I just want to point out some Add-ons that are quite useful for me. I'm not using Add-ons for XSS or SQL injection scanning or for tampering with HTTP data (especially because Add-ons like XSS Me or SQL Inject Me never worked for me). There are better tools like Burp for these kinds of things. All of these Add-ons still work with Firefox 9.0.1 and make my life easier when testing a web application:

HackBar
This toolbar will help you in testing SQL injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site. Its main purpose is to help a developer do security audits on his code. If you know what you're doing, this toolbar will help you do it faster. If you want to learn to find security holes, you can also use this toolbar, but you will probably also need a book, a lot of Google and a brain.

Firebug
Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

Web Developer
The Web Developer extension adds various web developer tools to a browser.

Session Manager
Session Manager saves and restores the state of all or some windows - either when you want it or automatically at startup, after crashes or periodically. It can also automatically save the state of open windows individually.

Persistent and private sticky notes for Firefox. This can be very useful as a reminder or simply to attach a note to a certain area of a website or to an input field.

Capture the whole page or any portion, annotate it with rectangles, circles, arrows, lines and text, blur sensitive info, one-click upload to share. During a pentest it's very important to document everything (error messages, for example).

WorldIP
A great Add-on for a first scan in the information gathering phase of a pentest to collect some information about an IP or domain.

FoxyProxy
FoxyProxy is a great tool to switch conveniently between different proxies and replaces the proxy function provided by Firefox.

2 comments:

  1. I use Firefox all the time but never think to use these apps, although Firebug is such a big help for me when trying to figure out what's wrong with my pages.
    website design

  2. For developing web apps, the Dev Tools in Google Chrome are also very helpful.