Firefox Plugins for Security Professionals - Top Ten for Twenty-Ten

Better late than never, is the saying I am searching for I believe. I have been slacking on this list for the last couple months, and now that it is nearly March I have decided I had better get off my dead (but very shapely) behind and get 'er done! So without further ado, the ever popular and still far better than any of Letterman's top ten lists - Top Ten for Twenty-Ten! *insert applause here*

10. iMacros
This plugin has absolutely nothing to do with security, however, it is all about automation these days - you can write handy macros to probe every page you go to for happy little bugs that you can later play with (responsibly, of course)

9. Tamper Data
Still among my favorite plugins. This is like having a version of WebScarab or BuRP right in your browser! Every request goes through this plugin and you can modify or alter each one on it's way to the server. Handy for bypassing those pesky client-side validations without having to disable JavaScript on the page.

8. Wappalyzer
Remote web app fingerprinting plugin that does a good job picking out what technologies web applications are using by analyzing the code for particular fingerprinting signatures. I haven't been using this for a terribly long time, but so far it beats the hell out of trying to manually determine the technology stack that an app is using.

7.JSONView
Very handy for inspecting what is *really* going on it AJAX applications. This prints out JSON responses in a very readable way. Pretty self-explanatory plugin.

6. Javascript Deobfuscator
Curious about what GWT is really doing in your JavaScript Engine? What to see how the Javascript Engine interprets a specific jQuery function? Needs to be able to monitor what obfuscated JS code is doing? Then this is the plugin for you. It slows down the JS engine *alot* - but it is far better than any other deobfuscator I have tired because it deals directly with the Javascript Engine!

5. Poster
Very handy little tool for playing around with RESTful web services. Far more intuitive than using Curl or writing custom clients to muck around with webservices.

4. Advanced Dork
Plugin to aid with the well-understood and vastly practiced art of Google Dorking. Do I really need to go into how useful this can be?

3. CryptoFox
Replacing both FireEncryptor and Leetkey this year is the *awesome* CryptoFox plugin which encrypts, decrypts, and even has a built in dictionary attack for MD5 passwords. Really, this is one of the coolest plugins I have seen to date for crypto related activities in the browser.

AES-256 (cryptofox)
uD5sTYKCgoI/cZ8YCOik9gnCWMS/qOR8grD4Kpez41WHIq5YPek+R/yiOKEKf/Q5Zu3SIXFlfD2QUaoxClzSFPTQue8qLogV7XEZypIQ9UzhX3n6zyXljGw=

2. FireQuery
Normally this would be listed in the same place as Firebug, however - this add-on add-on really, truly deserves it's own spotlight. With the popularity of jQuery on the web for doing, well, basically *everything* you can possibly do client-side - this greatly simplifies the art of discovering just where the developers did it wrong and find that DOM-XSS bug in their jQuery code! If you are testing rich-ui applications, this is a must-have.

1. The Firebug Family
Firebug is one of those truly interesting add-ons for Firefox that really became a platform unto itself. At some point, a bunch of developers decided that writing add-ons for the firebug add-on was more fruitful than writing add-ons for the host container, firefox. If you really need to know more about this plugin - just go click the link and read for yourself. This plugin is an absolute must-have for anyone who has ever come within 100 miles of security or development in their life. If you great uncle's wife's sister's dog's former owner happened to be a security guy, you had better have this plugin installed - or else the interwebz police are gonna come revoke all your internets and you won't be allowed to read my blog anymore.

So that's it for this years (last years) top ten - I hope to see this continue to be my most popular annual post, since I enjoy doing it so much and it brings lots of people to the blog to read my other really cool blog posts :)