Firefox Addons For Application Security Testing

Firefox is a popular free, open source web browser used by millions. It supports various application security add-ons, making it a useful tool for performing application security testing. This can allow newcomers who can’t afford professional tools to get started with penetration testing in application security for free.

Firefox allows for the creation of profiles which can be tuned for the needs of the pen testers. The following is a set of steps to create a penetration testing profile. To perform testing activities, create a new profile and use that for all testing purposes while leaving the default profile for general web browsing.

Creating A New Profile In Firefox

1) Open Firefox. In the URL bar, enter about:profiles. The list of profiles is shown here:

Figure 1: List of Profiles

2) Click “Create a New Profile.” Enter a name for the profile and click “Finish.” Optionally, select the folder where settings and other data will be stored for the profile.

In the example below an application security profile (“Appsec”) is created:

Figure 2: Appsec Profile Created

Once the new profile is created, it can be launched in a new browser instance.

Adding Appsec Add-ons to Firefox

In the URL bar enter “about:addons”. All add-ons can be managed from here.

Figure 3: Addon Manager

To install an add-on use the search box to search for the plugin. This will open the “addons.mozilla.org” website, which provides a brief introduction to the plugin and allows its installation. To install, click on the “+Add to Firefox” button, which will ask for permission to install the plugin.

Figure 4: Add to Firefox

Click “Add” to install the add-on.

Figure 5: Add Add-On

Note: add-ons can be uploaded by anyone and are not necessarily verified, which may pose a security risk. Install add-ons that have been verified and vetted by Mozilla to prevent theft of personal data, and verify the security of an add-on before installing it.

For this guide, the following add-ons were installed:

  1. Penetration Testing Kit: allows testers to see the application's tech stack, craft requests for SQL injection testing, etc.
  2. Check XSS / Easy XSS: provides a range of prepopulated XSS payloads.
  3. FoxyProxy: manages proxy settings.
  4. Cookie Editor: shows the properties of the cookies being set and allows them to be edited.
  5. WebSecurity Audit: passively audits websites.
  6. Server Spy: shows server headers.

Once all the add-ons are installed they are shown in the status bar of the browser (which may need to be restarted for the add-ons to take effect).

Figure 6: Installed Add-ons

Add-ons in Action

1) Server Spy

Click the Server Spy icon in the toolbar to see all server headers for the current page.

Figure 7: HTTP Headers

2) Security Web Auditing

Clicking the Security Web Auditing icon shows security issues, if any, for the page you are on.

3) Check XSS and Easy XSS

Cross-site scripting (XSS) is one of the most prevalent attacks and among the most common vulnerabilities found in applications. Easy XSS and Check XSS provide prepopulated payloads that can be copied into text boxes to test for XSS.

Right-click on an empty text box or anywhere on the site. The context menu shows the Easy XSS and Check XSS sub-menus; click the arrow to see the list of payloads. Select a payload, paste it into the text box, then press Submit.

Figure 8: Check XSS Payloads

Figure 9: Easy XSS Payloads visible for XSS attacks

Figure 10: Paste XSS Payloads

Figure 11: XSS Payload inserted

4) Cookie Editor

Once installed, Cookie Editor (shown as Cookie Manager) is visible on the status bar. Click the icon to see each cookie's fields and contents. Cookie properties such as HttpOnly, Secure and Host Only are shown by their checkboxes, and the values can be edited as desired.

Figure 12: Cookie Manager 1

Figure 13: Cookie 2
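
As an added illustration (not code from the page or from any of these add-ons), the following Python script performs offline the same passive checks that Server Spy, WebSecurity Audit and Cookie Editor display in the browser: it lists server headers, reports missing hardening headers and software disclosure, and reports each cookie's HttpOnly, Secure, SameSite and host-only status. The sample response and the list of expected headers are constructed assumptions, not values from the page.

```python
# Constructed sample response (not from the page); the two cookies pass and
# fail different checks so that both outcomes appear in the findings.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Domain=example.com; Secure; SameSite=Lax\r\n"
    "\r\n<html><body>hello</body></html>"
)
# Hardening headers the passive audit expects (assumed baseline, not a standard).
EXPECTED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options")

def parse_headers(raw):
    # Returns (status line, [(lower-cased name, value), ...]); repeats are kept
    # so that every Set-Cookie header is audited.
    status, *lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    return status, [(n.strip().lower(), v.strip())
                    for n, _, v in (line.partition(":") for line in lines)]

def audit_headers(headers):
    # What Server Spy / WebSecurity Audit surface: missing hardening headers
    # and software disclosure in Server / X-Powered-By.
    present = {name for name, _ in headers}
    findings = [f"missing header: {h}" for h in EXPECTED_HEADERS
                if h.lower() not in present]
    findings += [f"server disclosure: {n}: {v}" for n, v in headers
                 if n in ("server", "x-powered-by")]
    return findings

def audit_cookie(set_cookie):
    # The flags Cookie Editor displays: HttpOnly, Secure, SameSite and
    # host-only (a cookie carrying a Domain attribute is not host-only).
    name_value, *attr_parts = [p.strip() for p in set_cookie.split(";")]
    cookie = name_value.split("=", 1)[0]
    attrs = {k.lower(): v or True for k, _, v in
             (part.partition("=") for part in attr_parts)}
    findings = [f"cookie {cookie}: missing {flag}"
                for flag in ("HttpOnly", "Secure", "SameSite")
                if flag.lower() not in attrs]
    if "domain" in attrs:
        findings.append(f"cookie {cookie}: Domain={attrs['domain']} (not host-only)")
    return findings

def audit_response(raw):
    _, headers = parse_headers(raw)
    cookies = [v for n, v in headers if n == "set-cookie"]
    return audit_headers(headers) + [f for c in cookies for f in audit_cookie(c)]
```

Run `audit_response(SAMPLE_RESPONSE)` to get the list of findings; feed it a response captured through the proxy instead to audit a real page.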

5) Penetration Testing Kit (“PTK”)

PTK shows the application's technology stack and HTTP headers. It also provides a graphical representation of requests and allows requests and responses to be modified by sending a request to R Attacker and RScanner. The built-in scanner checks the request for vulnerabilities:

Figure 14: APP Tech Stack

Figure 15: Requests Sent to Server

Figure 16: Request Modification

Figure 17: Vuln Scan

6) FoxyProxy

This add-on allows multiple proxy settings to be added, which is extremely useful when you want to switch between different proxies without changing Firefox’s default proxy settings each time.

Figure 18: Proxy Interface

Click the FoxyProxy icon and then Options. A new window opens in which the title, proxy IP, port, etc. are entered. When done, press Save, or Save and Add Another to add a further proxy setting.

Figure 19: Proxy 1

Figure 20: Proxy 2

A list of proxies added will be shown on the home page. In addition, FoxyProxy has other options which can be explored from the homepage.

Figure 21: All Proxies

Conclusion

The add-ons discussed here transform the Firefox browser into a powerful application security testing tool, thereby allowing many pen testers and enthusiasts who don’t have resources to purchase commercial tools to get acquainted with application security testing and discover vulnerabilities in applications.

Senior Consultant | Optiv
Senior Consultant for the Application Security team in Optiv’s Threat Management practice.