2.28.2011

Firefox Plugins for Security Professionals - Top Ten for Twenty-Ten

Better late than never is the saying I am searching for, I believe. I have been slacking on this list for the last couple of months, and now that it is nearly March I have decided I had better get off my dead (but very shapely) behind and get 'er done! So without further ado, the ever popular and still far better than any of Letterman's top ten lists - Top Ten for Twenty-Ten! *insert applause here*

10. iMacros
This plugin has absolutely nothing to do with security per se; however, it is all about automation these days - you can write handy macros to probe every page you go to for happy little bugs that you can later play with (responsibly, of course).

9. Tamper Data
Still among my favorite plugins. This is like having a version of WebScarab or Burp right in your browser! Every request goes through this plugin and you can modify or alter each one on its way to the server. Handy for bypassing those pesky client-side validations without having to disable JavaScript on the page.

8. Wappalyzer
Remote web app fingerprinting plugin that does a good job picking out what technologies web applications are using by analyzing the code for particular fingerprinting signatures. I haven't been using this for a terribly long time, but so far it beats the hell out of trying to manually determine the technology stack that an app is using.

7. JSONView
Very handy for inspecting what is *really* going on in AJAX applications. This prints out JSON responses in a very readable way. Pretty self-explanatory plugin.

6. Javascript Deobfuscator
Curious about what GWT is really doing in your JavaScript engine? Want to see how the JavaScript engine interprets a specific jQuery function? Need to be able to monitor what obfuscated JS code is doing? Then this is the plugin for you. It slows down the JS engine *a lot* - but it is far better than any other deobfuscator I have tried because it deals directly with the JavaScript engine!

5. Poster
Very handy little tool for playing around with RESTful web services. Far more intuitive than using curl or writing custom clients to muck around with web services.

4. Advanced Dork
Plugin to aid with the well-understood and vastly practiced art of Google Dorking. Do I really need to go into how useful this can be?

3. CryptoFox
Replacing both FireEncryptor and Leetkey this year is the *awesome* CryptoFox plugin, which encrypts, decrypts, and even has a built-in dictionary attack for MD5 passwords. Really, this is one of the coolest plugins I have seen to date for crypto-related activities in the browser.

AES-256 (cryptofox)
uD5sTYKCgoI/cZ8YCOik9gnCWMS/qOR8grD4Kpez41WHIq5YPek+R/yiOKEKf/Q5Zu3SIXFlfD2QUaoxClzSFPTQue8qLogV7XEZypIQ9UzhX3n6zyXljGw=

2. FireQuery
Normally this would be listed in the same place as Firebug; however, this add-on for an add-on really, truly deserves its own spotlight. With the popularity of jQuery on the web for doing, well, basically *everything* you can possibly do client-side, this greatly simplifies the art of discovering just where the developers got it wrong and finding that DOM-XSS bug in their jQuery code! If you are testing rich-UI applications, this is a must-have.
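One way to triage for the pattern FireQuery helps you hunt by hand, as an added example that is not part of the original post: a line-level scan of a script for jQuery HTML-interpreting sinks fed from URL-controlled sources. The sink and source lists, the function name and the sample script are my own constructions.

```javascript
// Added example, not code from the original post: a small static triage helper for
// the jQuery DOM-XSS pattern the post refers to. It flags lines where a jQuery
// HTML-interpreting sink receives data derived from a URL-controlled source.
// It is a line-level heuristic (no parsing), so aliasing a source into a variable
// on an earlier line is missed; treat hits as leads for manual review, not proof.

// jQuery methods that interpret a string argument as HTML.
const HTML_SINKS = ['html', 'append', 'prepend', 'after', 'before', 'replaceWith'];

// Inputs an attacker can influence through the URL or a cross-window reference.
const URL_SOURCES = ['location.hash', 'location.search', 'location.href',
  'document.URL', 'document.referrer', 'window.name'];

// `$(x)` is itself a sink: a string beginning with '<' is parsed as HTML, not as a
// selector. Only unquoted arguments (an expression, not a literal) are considered.
const SELECTOR_SINK = /\$\(\s*(?!["'])[^)]*?(location\.|document\.URL|document\.referrer|window\.name)/;

function findDomXssSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    if (!URL_SOURCES.some((s) => line.includes(s))) return; // no tainted source here
    let sink = null;
    if (SELECTOR_SINK.test(line)) {
      sink = '$()';
    } else {
      // Require a non-empty argument so the getter form `.html()` is not flagged.
      const m = HTML_SINKS.find((name) => new RegExp('\\.' + name + '\\(\\s*[^)\\s]').test(line));
      if (m) sink = '.' + m + '()';
    }
    if (sink) findings.push({ line: i + 1, sink, code: line.trim() });
  });
  return findings;
}

// Constructed sample script: lines 2 and 3 are the bug pattern, line 4 is the usual
// fix (text() inserts the string as a text node, so markup is not interpreted).
const SAMPLE = [
  "var page = 'home';",
  "$(location.hash).addClass('active');",
  "$('#greeting').html('Hi ' + location.search.slice(6));",
  "$('#greeting').text('Hi ' + location.search.slice(6));",
].join('\n');

console.log(findDomXssSinks(SAMPLE));
```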

1. The Firebug Family
Firebug is one of those truly interesting add-ons for Firefox that really became a platform unto itself. At some point, a bunch of developers decided that writing add-ons for the Firebug add-on was more fruitful than writing add-ons for the host container, Firefox. If you really need to know more about this plugin - just go click the link and read for yourself. This plugin is an absolute must-have for anyone who has ever come within 100 miles of security or development in their life. If your great uncle's wife's sister's dog's former owner happened to be a security guy, you had better have this plugin installed - or else the interwebz police are gonna come revoke all your internets and you won't be allowed to read my blog anymore.

So that's it for this year's (last year's) top ten - I hope to see this continue to be my most popular annual post, since I enjoy doing it so much and it brings lots of people to the blog to read my other really cool blog posts :)

7 comments:

  1. Multiple Firefox profiles are handy. I dislike having all my plugins in one place. I get by with a FireBug/Firecookie/Firerainbow (note: I might add Firequery, thanks for that!) profile for Ajax testing. I get by with a FlexBug profile for Flash/Flex testing.

    However, in my primary profile, I rely on 5 very important (to me) Firefox add-ons (although I'm willing to hear about an easier way to perform these activities as part of my workflow if you know of any):
    1) All-in-one Gestures. This add-on merely speeds up my ability to control my browser -- now I can use my mouse along with keyboard shortcuts!
    2) Fireforce. This valuable add-on allows me to quickly test HTML form authentication, although it only works when little to no authentication and password controls are in place.
    3) MM3-ProxySwitch is a great add-on for me, as it's one simple button to send my browser requests/responses through Burp Pro. Other similar add-ons could be substituted.
    4) Multi Links. This add-on is great for walking content, allowing me to select all links and open them up as tabs that perform requests through Burp Pro. Then I can go through those newly opened tabs and Multi Links their content, until I've completely exhausted the web application's content.
    5) Web Developer. This is just handy. I like to combine the "Forms ... Populate Form Fields" with Multi Links when walking the content, especially in the presence of multiple forms on many pages (or better -- many fields in a single HTML form!). It's handy enough to include it for just this one feature, but it does have many other features that I use on occasion

    I don't rely on browsers to do all of my appsec testing. I prefer Firefox as a "Burp Pro HTTP/TLS request feeder" when I get down and dirty, or Chrome (the "inspect element" right click feature that is a built-in is awesome!!!) for casual use. Burp Repeater and Fiddler Resend Request features are way better for manual appsec testing, especially if I've gone over all of the app's workflow and given detail to all of its context (including Ajax and SWF, which usually will GET or POST their data using HTTP once the workflow/context is worked out using a proxied browser).

    Burp Repeater has the most benefit for me, since I can detach it alongside Burp Comparer. Burp Repeater has the power to send codes that the browser won't allow. It has a lot of the encoding/encryption stuff built-in as well (or through the Burp Decoder tool, which has a smart-decode feature). I don't have to worry about missing an insertion point only available during a redirect in Burp Repeater (the browser hides these).

    I also dislike all web spiders and crawlers. These tools are useless except to understand the parity necessary to achieve a complete walk of the app. Spiders/crawlers tend to miss a lot of link extractions, and they tend to miss even more context. They also aggravate the target organization I'm testing if there is a live feedback form or forum posting option (let alone when they drop tables from databases, or otherwise delete or change important data). When I'm testing and I identify something that needs to be temporarily turned off during my appsec testing, such as a feedback form -- I can simply contact the target organization and ask them to turn it off or expect hundreds or thousands of emails. I could go on about issues here, but I think you get the point. When I use spiders/crawlers, I almost always stick with WhatWeb, Skipfish, and Netsparker Community Edition, although I wouldn't mind having Netsparker Pro, WebInspect, Acunetix, or NTOSpider (although I dislike their attack modes, but interestingly love their reports).

  2. dre - This is good stuff! I have been thinking about expanding this list out a bit into a review of Tools and also a consumer version of the list - Top Ten for Web Users or something like that. Burp is awesome, although I admit - I have been using WebScarab a great deal more than anything else lately. As far as how I use my plugins, it really depends greatly on the situation. Perhaps I'll write up a post on how I am using them all together. One last bit, on Web Developer - I really assume that anyone involved in either development or security already has this installed and almost didn't post Firebug up for the same reason. The main reason that Firebug made the list while Web Developer didn't is because Firebug really has become more of a platform for other add-ons rather than just being an add-on itself. Web Developer is stable, very mature, and a must for anyone in the field; however, it has changed *very little* over the last couple of years. Oh, and as for web crawlers, I agree wholeheartedly in most situations - I have used a few crawlers on things like search and scrape directory type apps, but for the most part even these are highly customized and use something more akin to JMeter with custom rules.

  3. @chris: You'll have to do a post on the JMeter thing. Sounds interesting.

  4. Hello, This is a really good read for me. Must agree that you are one of the coolest bloggers I ever saw. Thanks for posting this informative article.
