Firefox Plugins for Security Professionals - Top Ten for Twenty-Ten

Better late than never, is the saying I am searching for I believe. I have been slacking on this list for the last couple months, and now that it is nearly March I have decided I had better get off my dead (but very shapely) behind and get 'er done! So without further ado, the ever popular and still far better than any of Letterman's top ten lists - Top Ten for Twenty-Ten! *insert applause here*

10. iMacros
This plugin has absolutely nothing to do with security, however, it is all about automation these days - you can write handy macros to probe every page you go to for happy little bugs that you can later play with (responsibly, of course)

9. Tamper Data
Still among my favorite plugins. This is like having a version of WebScarab or BuRP right in your browser! Every request goes through this plugin and you can modify or alter each one on its way to the server. Handy for bypassing those pesky client-side validations without having to disable JavaScript on the page.

8. Wappalyzer
Remote web app fingerprinting plugin that does a good job picking out what technologies web applications are using by analyzing the code for particular fingerprinting signatures. I haven't been using this for a terribly long time, but so far it beats the hell out of trying to manually determine the technology stack that an app is using.

Very handy for inspecting what is *really* going on in AJAX applications. This prints out JSON responses in a very readable way. Pretty self-explanatory plugin.

6. Javascript Deobfuscator
Curious about what GWT is really doing in your JavaScript engine? Want to see how the JavaScript engine interprets a specific jQuery function? Need to be able to monitor what obfuscated JS code is doing? Then this is the plugin for you. It slows down the JS engine *a lot* - but it is far better than any other deobfuscator I have tried because it deals directly with the JavaScript engine!

5. Poster
Very handy little tool for playing around with RESTful web services. Far more intuitive than using Curl or writing custom clients to muck around with webservices.

4. Advanced Dork
Plugin to aid with the well-understood and vastly practiced art of Google Dorking. Do I really need to go into how useful this can be?

3. CryptoFox
Replacing both FireEncryptor and Leetkey this year is the *awesome* CryptoFox plugin which encrypts, decrypts, and even has a built in dictionary attack for MD5 passwords. Really, this is one of the coolest plugins I have seen to date for crypto related activities in the browser.

AES-256 (cryptofox)

2. FireQuery
Normally this would be listed in the same place as Firebug, however - this add-on really, truly deserves its own spotlight. With the popularity of jQuery on the web for doing, well, basically *everything* you can possibly do client-side - this greatly simplifies the art of discovering just where the developers did it wrong and finding that DOM-XSS bug in their jQuery code! If you are testing rich-UI applications, this is a must-have.

1. The Firebug Family
Firebug is one of those truly interesting add-ons for Firefox that really became a platform unto itself. At some point, a bunch of developers decided that writing add-ons for the Firebug add-on was more fruitful than writing add-ons for the host container, Firefox. If you really need to know more about this plugin - just go click the link and read for yourself. This plugin is an absolute must-have for anyone who has ever come within 100 miles of security or development in their life. If your great uncle's wife's sister's dog's former owner happened to be a security guy, you had better have this plugin installed - or else the interwebz police are gonna come revoke all your internets and you won't be allowed to read my blog anymore.

So that's it for this year's (last year's) top ten - I hope to see this continue to be my most popular annual post, since I enjoy doing it so much and it brings lots of people to the blog to read my other really cool blog posts :)


jQuery-Encoder updated

I have made several updates to the jqencoder plugin over the weekend and thought I would share a little about them quickly.

Plugin Readme: http://bit.ly/ie4J04

First, and most importantly - I have added a series of static methods (that look similar to the methods on the Encoder interface for ESAPI) to perform particular contextual encoding tasks - specifically when building HTML dynamically rather than building elements up using the DOM.

  • encodeForHTML
  • encodeForHTMLAttribute
  • encodeForCSS
  • encodeForURL
  • encodeForJavascript

Each of these methods can be accessed under the static $.encoder context.

$.post('http://untrusted.com/external_profile', function(profile) {
      $('#widget').html('<div id="untrusted_widget" width="' + 
                        $.encoder.encodeForHTMLAttribute(profile.width) + 
                        '" onmouseover="' + $.encoder.encodeForHTMLAttribute(profile.callback) + "(\'' +
                        $.encoder.encodeForJavascript(profile.parm) + 
                        '\')">' + $.encoder.encodeForHTML(profile.data) + 
                        '</div>');
      // the callback name was inserted raw in the original snippet; encoding it keeps it from
      // breaking out of the attribute, but it should also be checked against the list of
      // functions the page actually exposes, since encoding does not restrict which one is named
});

In addition, the $.canonicalize method has also been moved into the $.encoder context.

$('#phonenumber').blur(function() {
   var clean = $.encoder.canonicalize($(this).val()); // relocated method; the original snippet was cut off here
});

The third, and final big change over the weekend - was solidifying the ES5 immutable objects protection. If it is supported by the browser, the $.encoder object will be frozen, sealed, or non-extensible (in that order of priority) to protect the encoding and canonicalize functions themselves from being tampered with at runtime. At this point in time, Chrome has implemented Object.freeze in the latest release version, Mozilla has implemented it in Firefox 4 and Microsoft have implemented it in IE9. Safari shows no indication of implementing it, and neither does Opera.

Now, I pose a question to the developers that may use this plugin. Is there a need to keep the instance method $.fn.encode? It seems to me that due to the nature of setting DOM element properties via Javascript, that this is not really needed at all. So, should I nuke it?

I end this post with a final thought (continuing from my above conversation of Object.freeze)

I strongly recommend that developers start taking the initiative to make their custom JS objects immutable, and also recommend making framework objects immutable as well. If you were to (using jQuery) issue the following in your onready handler

   if ( Object.freeze ) $ = Object.freeze($);
   // .. initialize page below here

It seems to me, this could eliminate a lot of potential vulnerability exploitation of bugs in framework code. What are your thoughts?

Also, why not consider the following:

var lock_objs = [ String.prototype,
                  Object.prototype ];
for (var i=0;i<lock_objs.length;i++) lock_objs[i] = Object.freeze(lock_objs[i]);
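As an added example (not the jquery-encoder plugin's own code), the helper below applies the freeze, seal, non-extensible preference order described above to a constructed stand-in for $.encoder, and shows the catch a practitioner should know before freezing $: Object.freeze is shallow, so nested objects such as a $.fn-style namespace stay writable unless they are frozen recursively. The names lockdown, makeEncoder, tamper and deepFreeze are mine, and no jQuery is needed to run it.

```javascript
'use strict';
// Added example, not the jquery-encoder plugin's code. makeEncoder() is a
// constructed stand-in for $.encoder; no jQuery is required.

// Same preference order as the post: freeze, else seal, else non-extensible.
function lockdown(obj) {
  if (typeof Object.freeze === 'function') { Object.freeze(obj); return 'frozen'; }
  if (typeof Object.seal === 'function') { Object.seal(obj); return 'sealed'; }
  if (typeof Object.preventExtensions === 'function') {
    Object.preventExtensions(obj);
    return 'non-extensible';
  }
  return 'unprotected'; // pre-ES5 engine: nothing we can do
}

// Stand-in for $.encoder: one encoder plus a nested namespace (like $.fn).
function makeEncoder() {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return {
    encodeForHTML: (s) => String(s).replace(/[&<>"]/g, (c) => map[c]),
    fn: { helper: (s) => s },
  };
}

// Attempt the tampering a freeze is meant to stop: swap the encoder for an
// identity function and bolt on a new method. In strict mode a frozen target
// throws TypeError; in sloppy mode the write is silently ignored. Either way
// we report what actually changed rather than whether an exception fired.
function tamper(target) {
  const before = target.encodeForHTML;
  try { target.encodeForHTML = (s) => s; } catch (e) { /* rejected */ }
  try { target.newMethod = () => 'x'; } catch (e) { /* rejected */ }
  return { replaced: target.encodeForHTML !== before, extended: 'newMethod' in target };
}

// Object.freeze only locks the object's own properties; freeze nested
// objects and functions too. `seen` guards against cyclic references.
function deepFreeze(obj, seen = new Set()) {
  if (seen.has(obj)) return obj;
  seen.add(obj);
  for (const key of Object.getOwnPropertyNames(obj)) {
    const v = obj[key];
    if (v !== null && (typeof v === 'object' || typeof v === 'function')) deepFreeze(v, seen);
  }
  return Object.freeze(obj);
}

function demo() {
  const enc = makeEncoder();
  const mode = lockdown(enc);          // 'frozen' on any ES5+ engine
  const top = tamper(enc);             // rejected: the object is frozen
  const nested = tamper(enc.fn);       // succeeds: the freeze was shallow
  const deep = deepFreeze(makeEncoder());
  const deepNested = tamper(deep.fn);  // rejected after the recursive freeze
  return {
    mode,
    topReplaced: top.replaced,
    topExtended: top.extended,
    nestedReplaced: nested.replaced,
    deepNestedReplaced: deepNested.replaced,
    stillEncodes: enc.encodeForHTML('<b>') === '&lt;b&gt;',
  };
}

console.log(demo());
```

Freezing an object does not protect the binding that points at it: a script that runs later can still assign a new value to the global `$`, so the freeze is one layer of defence, not a substitute for keeping untrusted script out of the page.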


Call for Papers - AppSec @ UberConf 2011

Call for papers: Application Security Track at Uber Conf 2011 - July 12-15

OWASP is currently soliciting papers for the Application Security Track at
Uber Conf, Denver, CO.

OWASP is partnering with Uber Conf to have an Application Security
track at this prestigious conference. Brought to you by the No Fluff
Just Stuff Software Symposium Series, Über Conf will explore the ever
evolving ecosystem of Java the Platform.

The Ü will offer over 120 technically focused sessions including hands
on workshops centered around Architecture, Cloud, Security, Enterprise
Java, Languages on the JVM, Build/Test, Mobility and Agility. The goal
of Über Conf is a simple one: totally blow the minds of our attendees.

We are seeking people and organizations that want to present about how
security relates to the following Java topics (in no particular

  * Architecture
  * Enterprise Java
  * Java Internals
  * Security - Enterprise & JVM
  * Cloud Computing
  * Languages on the JVM - Groovy, JRuby, Scala & Clojure
  * Java Web Frameworks - Wicket, Tapestry & SpringMVC
  * Build Systems - Maven & Gradle
  * Testing
  * Agility
  * Tools

How to make a submission:
  * Fill the form available at http://www.owasp.org/images/4/42/UberConf.AppSec.CFP.rtf.zip
  * Submit the filled form at https://www.easychair.org/conferences/?conf=appsecatuberconf2011

Submission deadline is Feb 28th at 12PM EST (GMT-5)

Please forward to all interested practitioners and colleagues.


Dear OWASP Summit, Obrigado

It has been a couple days since I returned from my trip to Portugal for the OWASP 2011 Summit in Lisbon; and I can almost speak again. Last week was truly one of the most incredibly productive weeks I think I have ever witnessed. Of course, when you throw almost 200 security professionals from around the globe in a small space for several days with a seemingly limitless supply of (horrible) beer and wine - would you expect any less?

Day 1
After arriving at DIA at around 8am for my 10am flight to Newark I tinker on some ideas while sitting in the airport lounge. Finally it is time to board the plane and I arrive in Newark. As soon as I make it out to where the restaurants are at Newark I run into Tom Brennan and we immediately head up to the Presidential Club for some free Bloody Marys, some Super Bowl, and some geek talk about plans for the week. We sat in the bar for about 3 hours, saw about 15 minutes of the Super Bowl and ran into another big group of OWASPers at the gate from Newark to Lisbon. After what seems like an eternity, I arrive in Lisbon at 8am GMT. Customs was almost non-existent in Lisbon. Arriving at the passport counter, the lady simply scanned my passport and handed it back to me without so much as a glance at me or my picture. After the passport counter we had to go through customs - nothing to declare? Ok, just follow the green line, all the way out without ever speaking to another person until we were outside getting on the bus. A handful of people are already at the Campo Real Resort when we arrive and we are quickly assimilated into various smaller sects of security pros running around in shorts and flip-flops or 3-piece suits. Broke fast with a big group and then headed up to the Library Bar where the wireless was decent to sit on the patio and prepare for the week ahead.

Day 2
Up and at it early for the first actual day of the summit. Spent the morning working on the finishing touches for the working sessions that I was leading on ESAPI and a global security disclosure policy for OWASP then started shooting off e-mails to connect with some people that I don't have the opportunity to see very often and spent a good deal of the morning talking about how different security needs are around the world compared to what I am used to here in the US of A. Around lunchtime, I was invited to participate in the Global Project Committee in planning out the new platform with OWASP Projects. I spent the rest of the day sequestered in a hidden cove with Jason Li and Brad Causey plotting for the Projects working session. After the day was called and dinner was served I spent the evening regaling the crowds with stories and jokes while the first part of the Governance session raged on across the street.

Day 3
Not quite as early as yesterday, but still early enough. Headed to the main hotel to meet up with Jason and Brad to continue our work on the Projects refactor. Things are getting done at an unreal pace. Yesterday there was just a brief sketch and some ideas bouncing around - by the time we finish today, we have a full-fledged plan of attack and something reminiscent of a roadmap. We even have little icons and some fancy process diagrams to show off at our session later today! First actual session I manage to make it to is with Michael Coates on AppSensor. I am a huge fan of AppSensor, and Mike is a pretty genuinely cool guy to hang out with (after a few drinks XD) so I go to lend my support and help hash out some ideas for the project. Next on the agenda is our projects working session. Some heated debate sparks up regarding the website, and how this ties into it, and what should happen first; but somehow, we manage to make it through the entire plan - show off all our diagrams and process stuff, and smooth out some of the rough edges with the crowd. After this, I sneak away to go mingle with some of the AppSec Elite, like John Steven from Cigital and a few others that have super secret identities. The evening wraps up with snacks, beer, and wine in the hotel followed by dinner and OWASP Band Practice.

Day 4
Moving a little slower than yesterday, but I am at the hotel shortly before 10am for my first working session of the day. I have 4 scheduled that I was prepared for and get pulled into another one that somehow ended up leaderless. My first session of the day goes well - what do we need from Framework Developers as it applies to Output Encoding. We outline a set of 4 high-level requirements that are to be later formulated into an official request from OWASP to the framework developers (Spring, Struts, etc.) to make contextual output encoding part of their frameworks. Immediately following that session I get pulled onto a working session to go through the ESAPI validation code and talk about Jim Manico's ESAPI-Lite project. We do a thorough deep-dive into the ESAPI validators and basically run through a code review with a room full of smart people and the code up on a projector. Some great ideas and bugfixes will be coming out of that session! Finally it is time for lunch, but not before we all get corralled into the inner patio area of the hotel for a group picture and quick pow-wow with the summit organizers. I lunch on some particularly dry tiny sandwiches with Jeff, Dave, and a crazy hacker girl from the UK then head off to start preparing for my afternoon sessions. I also get pulled away to take care of some work related stuff (having a conference call, over a very flooded wifi network is a very interesting adventure) then head back for my second to last session of the day. The OWASP Security Vulnerability Disclosure Policy is born and noted on the patio over espresso and beer in the warm late afternoon sun and at long last the last working session for the day, where we were to be roadmapping the future of the ESAPI project, gets cancelled because we are going to have an actual ESAPI summit sometime in early Spring.
Now it's time to have a few drinks, so I head to the wine tasting in the control center and run into the guys from Hacker News Network, who have been trying to find me for days so we could do an interview. I grab my stuff and head up to the presidential suite in the hotel where I spend about 30 minutes chatting it up with the guys and then another 15-20 doing the actual interview. Now it's time to head out for dinner and the much anticipated OWASP band performance. We managed to practice and get down 4 songs the night before, so we knew we would be doing a lot of improv. We get the host house all set up for the concert and Brazilian bbq that will happen in a couple hours while the final working sessions for the night wind down. As people start filtering in the house, a couple people are jamming away on the equipment that was provided by Dinis' brother (local) and we pick up one of his students to play Guitar, his brother to play guitar and bass, and Stephen from the Netherlands (OWASP CTF) to hop on bass as well. We start jamming out around 11pm and run through about 2 hours of music, including but not limited to an original song, that I made up on the spot called 'The SQL Injection Blues' which largely featured quotes and friendly jabs at Jim Manico (who quite unfortunately was actually in his room at the hotel, sick as a dog), along with some old favorites like La Bamba, Sweet Child of Mine, Enter Sandman (with John Wilander rocking out), Born to Be Wild, and a ton of others that I can't remember right now. By the end of the night, my voice was completely gone, but I was having a blast eating Brazilian bbq as soon as it was coming off the grill and chatting it up with Mark and Doug outside the party house.

Day 5
Somehow, I managed to peel myself out of bed long enough to attend the closing ceremonies at the hotel around 10am and promptly headed back to the villa for another hour or so of sleep afterwards. My voice was still completely gone (good thing I did the interview before the show!) and I spend most of the day catching up with everyone and chatting about the conference, getting contact info for everyone and planning my last day in Lisbon. We have dinner down at the restaurant that evening where I have a little bit of Ouzo and then we all head for the Library Bar to chat it up before finally heading for bed.

Day 6
Up bright and early for my big Turbo-tour of Lisbon. I managed to rally up about 9 people for the day so we split the cost of transportation and head into the city. A couple of the guys (and gal) from the group are staying that night in Lisbon so we all meet up at the hotel and head down into the City Centre of Lisbon. It is a long arduous journey through the City Maze in Old Town as we wind our way up the mountain to see the Castle of St. Jorge (stopping many times along the way to look at stuff, or peruse shops, or just take some pictures) and finally after a couple hours we are up at the castle. It is huge, and we spend about an hour walking around the walls and towers, admiring the view of the city and the river from the highest points of the castle before finally getting in to see what most of us went to the castle to see. The Camera Obscura was invented by Leonardo Da Vinci and it is basically a really old school periscope projector that projects a view of the entire city of Lisbon onto a kind of upside-down planetarium screen. We get a history lesson as the keeper of the camera swoops the camera around showing us different parts of the city and relating tales about those parts and things that have happened there. It was awesome, and well worth the climb and the wait. After we are done at the castle, we decide to head back down the hill and find a place that was recommended to us for lunch. We find it after a bit of walking and have some awesome Portuguese food and arguably the best Sangria that I have ever tasted. After that the group splits up, some going to the Tower of Belém to take pictures, and the rest of us down the hill for shopping and sunset. We head down the hill, miss the sunset over the ocean - but that's okay because we find an amazing street artist set up on the side of the road and I ended up buying a painting to bring home and remind me of my trip.
After that we head further down the hill and find an awesome little cafe that has some of the custard cups that Lisbon is famous for so we sit down for an Espresso and some pastries and chat a bit about the day so far and what else we want to do. After we are done there we have a little over an hour until we are supposed to meet back up with the rest of the group for dinner - so we head down into the main drag of Lisbon, the huge pedestrian street that is lined with touristy shops and sights, and walk down the strip, stopping to buy a few trinkets for the family on our way back to the hotel. Once we meet up with everyone at the hotel, we sit in the bar for a few to have a glass of port and figure out where we want to go for dinner. We end up heading to a little restaurant not too far away called Sancho, which is supposed to be one of the best places in Lisbon to go for seafood. The food was awesome, the wine was good, and the conversation was unbeatable. Finally after about 2 1/2 hours for dinner we head back to the hotel for a nightcap before most of us head back to the resort and turn in for the night.

Day 7
Literally 22 1/2 hours of travel later, I reached my home - promptly laid down my luggage, shared trinkets with the family and finally passed out in my own bed; millions of ideas and thoughts from the summit still running through my head.

I have said it a zillion times over the last week, but I will say it again - the experience was truly unbeatable. The opportunity to work with so many brilliant people from our community and really get things done was amazing. Learning about the security needs and political struggles from the stories of the attendees was incredible. Seeing Europe for the first time was beautiful. I can't wait for the next summit. I have already put in my vote for either South America or Prague. :)

Client-Side Contextual Encoding for jQuery

As everyone is probably aware by now, jQuery, the awesome brainchild of John Resig, is everywhere! This opened an opportunity for me in my crusade against DOM Based XSS by creating a plugin to allow developers to contextually encode untrusted data on the client side (more and more important with widgets and AJAX all over the place).

So what is this new hotness, this awesome plugin? It's called jquery-encoder (yeah, I was feeling very creative when I came up with that name) and it is super-simple to use!

Here is a quick snippet of the power of jQuery with jquery-encoder:
$.post('http://untrusted.com/webservice', function(data) {
   $('#result').encode('html', data);
});

Under the hood, this runs the untrusted data that is being returned from the untrusted.com webservice through an HTML entity encoding algorithm before setting it using the jQuery .html() function.

You can also encode for HTML attributes or CSS:
$.post('http://untrusted.com/user-theme-color', function(data) {
   $('body').encode('css', 'background-color', data);
});

$.post('http://untrusted.com/unique-id-generator', function(data) {
   $('#result').encode('attr', 'id', data);
});

As soon as this matures and gets some testing, a full blown technical description and user's guide will be available - but for now, what I am really looking for is people to try it out! I don't recommend dropping this into your production code just yet, this is just a first attempt at getting this right.

The other big thing that I did was bring the awesome ESAPI canonicalization functionality to the jQuery world. This is *huge* for client side validations and for detecting bad data (multiple/mixed encodings)

The canonicalize function is a static method on the jQuery object and can be used as illustrated below.
$.canonicalize('&lt;script&gt;');   // <script>
$.canonicalize('%3cscript%3e');     // <script>
$.canonicalize('%253cscript%253e'); // Raises exception (double encoding)
$.canonicalize('&#x26;lt&#59');     // Raises exception (multiple and mixed encoding)

IMHO, this is one of the most powerful utility functions available in the entire ESAPI and I am super-stoked that I was able to port it to javascript for jQuery. However, it needs to be poked at, prodded, and broken before it is rock solid. I currently have a suite of about 70 test cases that I am throwing against it, but I am sure there are at least double that. It will decode escaping for HTML, CSS, and Javascript escaping rules.
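Added example, not the jquery-encoder plugin's own code: compact versions of the five $.encoder.encodeFor* methods from the update post above and of the canonicalize routine just described, following the ESAPI approach of decoding repeatedly with each codec and rejecting input that needed more than one pass (double encoding) or more than one codec (mixed encoding). It covers HTML entity, percent and JavaScript escapes (the CSS decoder is left out for brevity); all function and variable names are mine, and it runs in Node with no jQuery or DOM.

```javascript
// Added example, not the jquery-encoder plugin's code; runs in Node alone.

// --- Decoders used by canonicalize(). Each returns its input unchanged when
// there is nothing to decode, which is how a decoding "pass" is detected.
const HTML_NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);
const fromCp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : null);
const CODECS = [
  { name: 'html', decode: (s) => s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi,
      (m, hex, dec, named) => (hex ? fromCp(parseInt(hex, 16))
        : dec ? fromCp(parseInt(dec, 10))
        : HTML_NAMED.get(named.toLowerCase())) ?? m) },
  { name: 'percent', decode: (s) => s.replace(/%([0-9a-f]{2})/gi,
      (m, hex) => String.fromCharCode(parseInt(hex, 16))) },
  { name: 'javascript', decode: (s) => s.replace(/\\(?:x([0-9a-f]{2})|u([0-9a-f]{4}))/gi,
      (m, h2, h4) => String.fromCharCode(parseInt(h2 || h4, 16))) },
];

// Decode with every codec until nothing changes. As in ESAPI, needing a
// second pass means double encoding and needing two codecs means mixed
// encoding; both are treated as hostile input and rejected, not decoded.
function canonicalize(input) {
  let working = String(input);
  let codecFound = null, mixedCount = 1, foundCount = 0, clean = false;
  while (!clean) {
    clean = true;
    for (const codec of CODECS) {
      const old = working;
      working = codec.decode(working);
      if (old !== working) {
        if (codecFound && codecFound !== codec.name) mixedCount++;
        codecFound = codec.name;
        if (clean) foundCount++;   // first change in this pass: count the pass
        clean = false;
      }
    }
  }
  if (foundCount >= 2 && mixedCount > 1) throw new Error('Multiple (' + foundCount + 'x) and mixed (' + mixedCount + 'x) encoding in ' + input);
  if (foundCount >= 2) throw new Error('Multiple (' + foundCount + 'x) encoding in ' + input);
  if (mixedCount > 1) throw new Error('Mixed (' + mixedCount + 'x) encoding in ' + input);
  return working;
}

// --- Encoders. Everything but alphanumerics and a tiny immune set is escaped
// with the syntax of the target context, so untrusted data can never change
// the structure of the markup, attribute, script or style it lands in.
const HTML_ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const htmlEntity = (c) => HTML_ESC[c] || '&#x' + c.codePointAt(0).toString(16) + ';';

function encodeForHTML(s) {           // element body: space stays readable
  return String(s).replace(/[^A-Za-z0-9,._ -]/gu, htmlEntity);
}
function encodeForHTMLAttribute(s) {  // quoted attribute value: space encoded too
  return String(s).replace(/[^A-Za-z0-9,._-]/gu, htmlEntity);
}
function encodeForJavascript(s) {     // inside a JS string literal: \xHH or \uHHHH
  return String(s).replace(/[^A-Za-z0-9,._]/g, (c) => {
    const h = c.charCodeAt(0).toString(16);
    return h.length <= 2 ? '\\x' + h.padStart(2, '0') : '\\u' + h.padStart(4, '0');
  });
}
function encodeForCSS(s) {            // inside a CSS value: \HH followed by a space
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => '\\' + c.codePointAt(0).toString(16) + ' ');
}
function encodeForURL(s) {            // query-string component
  return encodeURIComponent(String(s));
}
```

Because the encoders escape by context, canonicalize(encodeForHTMLAttribute(x)) and canonicalize(encodeForJavascript(x)) both round-trip to x in a single pass, which is a handy property to assert in a test suite like the one the post mentions.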

  • jQuery ( >=1.4.3 )
  • Class.extend function (prototype or John Resigs)

Source: https://github.com/chrisisbeef/jquery-encoder/blob/master/src/main/javascript/org/owasp/esapi/jquery/encoder.js 

Minified: https://github.com/chrisisbeef/jquery-encoder/blob/master/jquery-encoder-0.1.0.js

Final Thoughts

Please, share in comments if you have any questions or comments - feel free to communicate with me through Github as well.

Now, go forth and break it!