Better late than never is the saying I am searching for, I believe. I have been slacking on this list for the last couple of months, and now that it is nearly March I have decided I had better get off my dead (but very shapely) behind and get 'er done! So without further ado, the ever popular and still far better than any of Letterman's top ten lists - Top Ten for Twenty-Ten! *insert applause here*
10. iMacros
This plugin has absolutely nothing to do with security; however, it is all about automation these days - you can write handy macros to probe every page you go to for happy little bugs that you can later play with (responsibly, of course).
9. Tamper Data
Still among my favorite plugins. This is like having a version of WebScarab or Burp right in your browser! Every request goes through this plugin and you can modify or alter each one on its way to the server. Handy for bypassing those pesky client-side validations without having to disable JavaScript on the page.
8. Wappalyzer
Remote web app fingerprinting plugin that does a good job picking out what technologies web applications are using by analyzing the code for particular fingerprinting signatures. I haven't been using this for a terribly long time, but so far it beats the hell out of trying to manually determine the technology stack that an app is using.
7. JSONView
Very handy for inspecting what is *really* going on in AJAX applications. This prints out JSON responses in a very readable way. Pretty self-explanatory plugin.
6. Javascript Deobfuscator
Curious about what GWT is really doing in your JavaScript engine? Want to see how the JavaScript engine interprets a specific jQuery function? Need to be able to monitor what obfuscated JS code is doing? Then this is the plugin for you. It slows down the JS engine *a lot* - but it is far better than any other deobfuscator I have tried because it deals directly with the JavaScript engine!
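To show why working at the engine level beats pattern-based unpacking, here is an added example (not from the post and not code from the JavaScript Deobfuscator add-on) that wraps the global `eval`: any self-decoding script has to hand its real code to the engine in plain text, and the wrapper records it. The packed sample script is constructed for the example.

```javascript
// Added example (not part of the post or of the JavaScript Deobfuscator add-on):
// a minimal eval hook. Whatever a packer does to hide its code, the decoded
// source must pass through eval() to run, so a wrapper around eval sees it.

const capturedSources = [];          // decoded code the hook has seen
const realEval = globalThis.eval;    // keep the engine's own eval

// Replace the global eval with a logging wrapper. After this assignment,
// eval(...) in any script resolves to the wrapper instead of the built-in.
function installEvalHook() {
  globalThis.eval = function hookedEval(src) {
    capturedSources.push(String(src));
    // Run it anyway so the script behaves as it would unhooked. Note this is an
    // indirect eval (global scope), which is enough for self-decoding packers.
    return realEval(src);
  };
}

function removeEvalHook() {
  globalThis.eval = realEval;
}

// Constructed sample: a script that hides its real code as a char-code array
// and only reveals it at run time by passing the decoded string to eval.
const obfuscatedSample =
  'eval(String.fromCharCode(' +
  Array.from('"ping:" + (6 * 7)', (c) => c.charCodeAt(0)).join(',') +
  '))';

// Runs a script under the hook and returns both its result and every piece of
// decoded source the engine was asked to execute along the way.
function deobfuscate(script) {
  capturedSources.length = 0;
  installEvalHook();
  try {
    const result = realEval(script);   // outer call runs the packed wrapper itself
    return { result, decoded: capturedSources.slice() };
  } finally {
    removeEvalHook();                  // always restore the real eval
  }
}
```

Packers that decode via `new Function(...)` or `setTimeout(string)` need the same wrapper on those entry points; that is the gap a tool that hooks the engine itself closes in one place.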
5. Poster
Very handy little tool for playing around with RESTful web services. Far more intuitive than using curl or writing custom clients to muck around with web services.
4. Advanced Dork
Plugin to aid with the well-understood and widely practiced art of Google Dorking. Do I really need to go into how useful this can be?
3. CryptoFox
Replacing both FireEncryptor and Leetkey this year is the *awesome* CryptoFox plugin, which encrypts, decrypts, and even has a built-in dictionary attack for MD5 passwords. Really, this is one of the coolest plugins I have seen to date for crypto-related activities in the browser.
AES-256 (cryptofox)
uD5sTYKCgoI/cZ8YCOik9gnCWMS/qOR8grD4Kpez41WHIq5YPek+R/yiOKEKf/Q5Zu3SIXFlfD2QUaoxClzSFPTQue8qLogV7XEZypIQ9UzhX3n6zyXljGw=
2. FireQuery
Normally this would be listed in the same place as Firebug; however, this add-on for an add-on really, truly deserves its own spotlight. With the popularity of jQuery on the web for doing, well, basically *everything* you can possibly do client-side, this greatly simplifies the art of discovering just where the developers did it wrong and finding that DOM-XSS bug in their jQuery code! If you are testing rich-UI applications, this is a must-have.
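The bug class FireQuery helps you spot, as an added example (not from the post and not FireQuery's code): an untrusted URL fragment flows into markup built by string concatenation, the pattern behind `$(el).html('...' + untrusted)`. It is modelled without a browser DOM, so the functions return the markup the sink would insert; the fragments are constructed inputs.

```javascript
// Added example (not from the post or from FireQuery): the jQuery DOM-XSS
// pattern, modelled without a DOM. Source: location.hash. Sink: markup built by
// concatenation. The returned strings stand in for what jQuery's .html() would
// insert into the document; nothing here touches a server.

// Reads the "name" value out of a fragment such as "#name=Alice".
function nameFromHash(hash) {
  const m = /^#name=(.*)$/.exec(hash);
  return m ? decodeURIComponent(m[1]) : 'guest';
}

// Vulnerable: the fragment is interpolated straight into markup, so any tag in
// the URL becomes live HTML. The fragment never leaves the browser, so no
// server-side filter ever sees it; only the client code can stop it.
function renderGreetingVulnerable(hash) {
  return '<p>Hello, ' + nameFromHash(hash) + '!</p>';
}

// Hardened: encode the HTML-significant characters before the value reaches
// the markup. In jQuery the equivalent fix is $(el).text(name) in place of
// $(el).html('Hello, ' + name).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreetingSafe(hash) {
  return '<p>Hello, ' + escapeHtml(nameFromHash(hash)) + '!</p>';
}

// Audit helper: does the rendered markup contain any tag besides the <p> we
// wrote ourselves? True means the input injected markup.
function introducesMarkup(html) {
  return /<(?!\/?p>)[a-z]/i.test(html);
}

// Constructed inputs: an ordinary fragment and one smuggling a tag.
const benignHash = '#name=Alice';
const hostileHash = '#name=' + encodeURIComponent('<u>not a name</u>');
```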
1. The Firebug Family
Firebug is one of those truly interesting add-ons for Firefox that really became a platform unto itself. At some point, a bunch of developers decided that writing add-ons for the Firebug add-on was more fruitful than writing add-ons for the host container, Firefox. If you really need to know more about this plugin - just go click the link and read for yourself. This plugin is an absolute must-have for anyone who has ever come within 100 miles of security or development in their life. If your great uncle's wife's sister's dog's former owner happened to be a security guy, you had better have this plugin installed - or else the interwebz police are gonna come revoke all your internets and you won't be allowed to read my blog anymore.
So that's it for this year's (last year's) top ten - I hope to see this continue to be my most popular annual post, since I enjoy doing it so much and it brings lots of people to the blog to read my other really cool blog posts :)
2.28.2011
1.13.2010
Firefox Plugins for Security Professionals - Best of 2009
Due to the overwhelming popularity of my first post back on my old blog called "Firefox Plugins for Security Professionals" (apparently it was even referenced in a book called 'Dissecting the hack: the f0rb1dd3n network') I have decided to put together a new list, highlighting the best security-related plugins from 2009.
10. Fire Encryptor
The only reason this one isn't higher on the list is that it hasn't been updated to work with Firefox 3.5. However, it allows you to do quick real-time encryption, decryption, and hashing in your browser. Among the really useful scenarios where this comes in handy is when you are accessing a sensitive application on the web. You can enter a password that you will remember into the plugin, hash it, and use the hashed version of the password to log in to the site.
9. Leet Key
Similar to Fire Encryptor, only this allows you to do real-time conversion to ROT13, BASE64, HEX, and URL-encoded strings. Invaluable when working with injection attacks and trying to bypass filters in an application. For fun it will also convert any text into l33tspeak, morse code, binary, all upper, all lower, and BIN - as well as do simple DES encryption.
8. Tamper Data
Extremely useful plugin that allows you to tamper with a request just before it is sent to the server. Allows such useful things as changing headers (for request splitting fun), modifying POSTed parameters, adding parameters to a POST, adding/removing headers and other such goodness. You can guarantee that the bad guys are using this plugin, so you better be too!
7. ShowIP
Handy little plugin that displays the IP address of the server that you are actually on in the lower right-hand corner of the browser status bar. Allows quick one-click access to whois data as well as the ability to copy the IP address to the clipboard for a quick paste into your favorite port scanner.
6. Passive Recon
This is probably one of the most complete information-gathering plugins that has ever been made for a browser. A right-click context menu allows you to find a wealth of useful and useless information about a target server. You can discover public services available on a server, all servers in the domain, what architecture the server is using, what commonly used ports are open, and a good deal more.
5. Hackbar
A CLI-type interface for messing with URLs. This toolbar is mainly aimed at discovering SQL injection flaws, but also has several built-in macros for XSS, encryption, and encoding flaws as well. Any serious analyst or security-focused developer should definitely have this little gem in their toolbox.
4. Torbutton/FoxyProxy
Oldie but goodie! While the Tor network is by no means perfect for anonymizing internet traffic, it is light years ahead of most every other easily accessible anonymizer. Tor is one step down from a pwn'd proxy chain (although it is a very big step down) and although it is generally slower than molasses, if you are stealth scanning an application, it is extremely powerful and easy to use.
3. UrlParams
A quick, easy-access sidebar plugin that gives you complete access to all the POST and GET parameters on a request. Probably the most useful feature is the ability to replay a modified request in a new tab. It also gives you quick access to the Referer header for black-hat SEO spamming, if you're into that kind of thing.
2. Web Developer
This plugin is an absolute MUST-HAVE for anyone using Firefox to break applications. It puts a wealth of information about the current page at your fingertips. If you haven't seen this plugin you have probably been living under a rock for the last 5 years.
1. Firebug/Firecookie
Still at the #1 spot for the third year running is the Firebug plugin. Teamed up with Firecookie there is virtually nothing you can't do to a running webpage. Debug the JavaScript served from the server to find exploitable bugs, grep all the in-memory JavaScript for evals, examine AJAX requests and responses, monitor load times for time-based attacks, and on and on and on. Like the Web Developer plugin, if you have heard of at least Firebug, chances are you have been living under a rock for the last few years!
That does it for my 2009 list. They are all available as a collection from my shared collections on the Mozilla Add-ons site:
Best of 2009 - Security Plugins
What are your favorite plugins?