Firefox is a popular free, open source web browser used by millions. It supports various application security add-ons, making it a useful tool for performing application security testing. This can allow newcomers who can’t afford professional tools to get started with penetration testing in application security for free.

 

Firefox allows for the creation of profiles which can be tuned for the needs of the pen testers. The following is a set of steps to create a penetration testing profile. To perform testing activities, create a new profile and use that for all testing purposes while leaving the default profile for general web browsing.

 

Creating A New Profile In Firefox

1) Open Firefox. In the URL tab, enter about:profiles. The list of profiles are shown here:

 

 

 

1) Click “Create a New Profile.” Enter a name for the profile and click “finish.” Optionally, select the folder where settings and other data would be stored for the profile.

 

In the example below an application security profile (“Appsec”) profile is created:

 

 

 

Once the new profile is created, it can be launched in a new browser instance

 

Adding Appsec Add-ons to Firefox

 

In the URL bar enter “about:addons”. All add-ons can be managed from here.

 

 

 

To install an add-on use the search box to search for the plugin. This will open the “addons.mozilla.org” website, which provides a brief introduction to the plugin and allows its installation. To install, click on the “+Add to Firefox” button, which will ask for permission to install the plugin.

 

 

 

Click Add to add the add-on.

 

 

 

Note: These add-ons can be uploaded by anyone and are unverified, which may pose a security risk. Add-ons that are verified and vetted by Mozilla should be installed to prevent theft of personal data. Users should verify the security of the add-ons before installing.

 

For this guide, the following add-ons were installed:

 

 

Once all the add-ons are installed they will be shown in the status bar of the browser (which may need to be restarted for the add-ons take effect).

 

 

 

Add-ons in Action

1) Server Spy

 

Click the Server Spy icon in the toolbar to see the list of all server header for the current page.

 

 

2) Security Web Auditing

 

Clicking on the security web auditing will show security issues, if there are any, for the page you are on.

 

 

 

3) Check XSS and Easy XSS

 

XSS is one of the most prevalent attacks and common vulnerabilities found in many applications. Easy and Check XSS allow different prepopulated payloads to be copy/pasted in text boxes to execute XSS attacks.

 

Right-click on an empty text box or anywhere on the site. The sub-menus show Easy and Check XSS. Click on the arrow and one can see the list of payloads. Select a payload and paste it in the text box, then press submit.

 

 

 

 

 

 

 

 

 

4) Cookie Editor

 

Once installed, Cookie Manager is visible on the status bar. Click on the icon to see the cookie fields and contents. Cookie properties such as HTTPOnly, Secure and Host Only are shown based on the tickboxes selected. The values can be edited as desired.

 

 

 

 

 

5) Penetration Testing Kit (“PTK”)

 

PTK allows users to see the technology stack of the application and HTTP headers. In addition, it provides a graphical representation of requests and allows modification of requests / responses by sending the request to R Attacker and RScanner. The built-in scanner allows the request to be scanned for any vulnerabilities:

 

 

 

 

 

 

 

 

 

6) FoxyProxy

 

This add-on allows multiple proxy settings to be added. This is extremely useful when you want to connect to different proxies without having to change the configuration to Firefox’s default proxy settings each time.

 

 

 

Click on the FoxyProxy icon and click on options. A new window opens where we need to enter the title, Proxy IP, Port, etc. Once done press Save or Save and Add Another to add another proxy setting.

 

 

 

 

 

A list of proxies added will be shown on the home page. In addition, FoxyProxy has other options which can be explored from the homepage.

 

 

 

Conclusion

The add-ons discussed here transform the Firefox browser into a powerful application security testing tool, thereby allowing many pen testers and enthusiasts who don’t have resources to purchase commercial tools to get acquainted with application security testing and discover vulnerabilities in applications.