blog ntic de revolunet » anonymity http://blog.revolunet.com Blog des Nouvelles Technologies de l'Information et de la Communication Tue, 22 Jun 2010 07:59:32 +0000 http://wordpress.org/?v=2.8.4 en hourly 1 Using Firefox for debugging and penetration testing http://blog.revolunet.com/index.php/security/using-firefox-for-debugging-and-penetration-testing http://blog.revolunet.com/index.php/security/using-firefox-for-debugging-and-penetration-testing#comments Wed, 23 Jan 2008 20:30:07 +0000 drax http://sweon.net/2008/01/using-firefox-for-debugging-and-penetration-testing We all know Firefox is a great browser but what really sets it apart are its numerous extensions (or plugins).

With the right extensions, firefox can become much more than a web browser. But this isn’t about turning your firefox into a blogging platform or a social bookmarking application. It’s about turning your firefox into one of the best tools for web development, debugging and penetration testing web applications.

The following picture is a mind-map of Firefox extensions that can prove very useful during the security audit of a web application. This picture was taken from the Security Database FireCAT 1.3 article.
firecat_13.png
Alot of these tools share common functionalities, and some are just plain better than other. It’s all a matter of taste, so I suggest you try them out yourself.

Nevertheless, here is my personal pick of the crop.

Must have

  • Firebug. Amazing javascript debugger and DOM inspector. Includes many other tools (profiler, network watch, …).
  • SwitchProxy. Switch between different proxy configurations in a couple clicks.
  • Add N Edit Cookies. Does exactly what it says on the tin.
  • Tamper Data. Lets you view and modify outgoing requests very easily. Includes a handy “replay” function.
  • Classic Compact. Not an extension. Just a theme, the default theme in fact, modified to be as compact as possible (because we all need that screen real estate).

Nice to have

  • Poster. Lets you forge any HTTP request very easily. Supports common methods (get, post, head, …) file uploading and authentication. It’s like a portable <form> in your pocket.
  • Hack Bar. Tool to aid when looking for SQL injections (includes SQL related functions and a few encoders/decoders). I mostly use it as an URL sandbox instead of the single-line address bar.
  • Web Developer. Not as ground-breaking as firebug but includes a few handy functions.
  • User Agent Switcher. Lets you switch user-agent globally. Includes pre-defined User-Agent strings.
  • RefControl.Set your Referer header globally or per domain.
  • NoScript. Allow or deny javascript globally, per domain, site, path, time, earth-moon distance, …
  • Exploit Me. Suite of tools for automating user input fuzzing (brute-forcing payloads). At time of writing, two extensions are available; “XSS Me” and “SQL Inject Me”.
  • ChickenFoot, GreaseMonkey. Scripting environments.

The above mindmap diagram is available in 3 formats:

References

]]> http://blog.revolunet.com/index.php/security/using-firefox-for-debugging-and-penetration-testing/feed 0