Firefox Addons For Application Security Testing
March 24, 2021

Firefox is a popular free, open source web browser used by millions. It supports various application security add-ons, making it a useful tool for performing application security testing. This allows newcomers who can’t afford professional tools to get started with penetration testing in application security for free.

Firefox allows the creation of profiles, which can be tuned to the needs of the pen tester. The following is a set of steps to create a penetration testing profile. To perform testing activities, create a new profile and use it for all testing purposes, leaving the default profile for general web browsing.

Creating A New Profile In Firefox

1) Open Firefox. In the URL bar, enter about:profiles. The list of profiles is shown here:

Figure 1: List of Profiles

2) Click “Create a New Profile.” Enter a name for the profile and click “Finish.” Optionally, select the folder where settings and other data will be stored for the profile. In the example below an application security profile (“Appsec”) is created:

Figure 2: Appsec Profile Created

Once the new profile is created, it can be launched in a new browser instance.

Adding Appsec Add-ons to Firefox

In the URL bar enter about:addons. All add-ons can be managed from here.

Figure 3: Addon Manager

To install an add-on, use the search box to search for the plugin. This opens the addons.mozilla.org website, which provides a brief introduction to the plugin and allows its installation. To install, click the “+Add to Firefox” button, which asks for permission to install the plugin.

Figure 4: Add to Firefox

Click Add to add the add-on.

Figure 5: Add Add-On

Note: These add-ons can be uploaded by anyone and are unverified, which may pose a security risk.
Add-ons that are verified and vetted by Mozilla should be installed to prevent theft of personal data. Users should verify the security of the add-ons before installing. For this guide, the following add-ons were installed:

Penetration Testing Kit: Allows testers to see the tech stack of the application, craft requests for SQL injection, etc.
Check XSS / Easy XSS: Provides a range of ready-made XSS payloads for testers to input.
FoxyProxy: Allows proxy management.
Cookie Editor: Allows testers to see the cookie properties being set and to edit them.
WebSecurity Audit: Allows passive auditing of websites.
Server Spy: Shows server headers.

Once all the add-ons are installed they are shown in the status bar of the browser (which may need to be restarted for the add-ons to take effect).

Figure 6: Installed Add-ons

Add-ons in Action

1) Server Spy

Click the Server Spy icon in the toolbar to see the list of all server headers for the current page.

Figure 7: HTTP Headers

2) Security Web Auditing

Clicking on the security web auditing icon shows security issues, if there are any, for the page you are on.

3) Check XSS and Easy XSS

XSS is one of the most prevalent attacks and one of the most common vulnerabilities found in many applications. Easy XSS and Check XSS allow different prepopulated payloads to be copied and pasted into text boxes to execute XSS attacks. Right-click on an empty text box or anywhere on the site. The sub-menus show Easy XSS and Check XSS. Click on the arrow to see the list of payloads. Select a payload and paste it in the text box, then press submit.

Figure 8: Check XSS Payloads
Figure 9: Easy XSS Payloads Visible for XSS Attacks
Figure 10: Paste XSS Payloads
Figure 11: XSS Payload Inserted

4) Cookie Editor

Once installed, the Cookie Editor icon (labelled Cookie Manager in the screenshots below) is visible on the status bar. Click on the icon to see the cookie fields and contents. Cookie properties such as HttpOnly, Secure and Host Only are shown based on the tickboxes selected.
The values can be edited as desired.

Figure 12: Cookie Manager 1
Figure 13: Cookie Manager 2

5) Penetration Testing Kit (“PTK”)

PTK allows users to see the technology stack of the application and the HTTP headers. In addition, it provides a graphical representation of requests and allows modification of requests and responses by sending the request to R Attacker and RScanner. The built-in scanner allows the request to be scanned for vulnerabilities:

Figure 14: App Tech Stack
Figure 15: Requests Sent to Server
Figure 16: Request Modification
Figure 17: Vuln Scan

6) FoxyProxy

This add-on allows multiple proxy settings to be added. It is extremely useful when you want to connect to different proxies without having to change Firefox’s default proxy configuration each time.

Figure 18: Proxy Interface

Click on the FoxyProxy icon and then on Options. A new window opens where the title, proxy IP, port, etc. are entered. Once done, press Save, or Save and Add Another to add another proxy setting.

Figure 19: Proxy 1
Figure 20: Proxy 2

The list of proxies added is shown on the home page. FoxyProxy has further options that can be explored from there.

Figure 21: All Proxies

Conclusion

The add-ons discussed here turn the Firefox browser into a powerful application security testing tool, allowing pen testers and enthusiasts who don’t have the resources to purchase commercial tools to get acquainted with application security testing and discover vulnerabilities in applications.

By: Subramanya S.
Senior Consultant | Optiv
Senior Consultant for the Application Security team in Optiv’s Threat Management practice.
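The checks that Server Spy, WebSecurity Audit and Cookie Editor surface one page at a time (server fingerprint headers, missing security headers, and the HttpOnly / Secure / Host Only state of each cookie) can also be scripted, which is useful when the same review has to be repeated across many pages. The script below is an added example and is not code from this post, from Optiv, or from the add-ons’ authors. It works on a constructed list of response headers so it runs offline; `fetch_headers` is an assumed helper that would pull live headers with urllib, and the expected-header list reflects a common baseline rather than any add-on’s exact rule set. A cookie with no Domain attribute is host-only (RFC 6265), which is what the Host Only tickbox in Cookie Editor shows.

```python
"""Passive header and cookie audit, in the spirit of Server Spy, WebSecurity
Audit and Cookie Editor. Added example; assumptions are marked in comments."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import urllib.request

# Assumed baseline of security headers a reviewer expects on an HTTPS site.
EXPECTED_SECURITY_HEADERS = {
    "strict-transport-security": "HSTS not set: downgrade to plain HTTP is possible",
    "content-security-policy": "No CSP: no browser-side mitigation for injected script",
    "x-frame-options": "No X-Frame-Options: page can be framed (clickjacking)",
    "x-content-type-options": "No X-Content-Type-Options: MIME sniffing allowed",
}

# Headers that disclose the technology stack, as Server Spy and PTK display them.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")


@dataclass
class CookieInfo:
    name: str
    value: str
    http_only: bool
    secure: bool
    same_site: str      # "" when the attribute is absent
    host_only: bool     # True when no Domain attribute is present (RFC 6265)


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Split one Set-Cookie value into name, value and its attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieInfo(
        name=name.strip(),
        value=value,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        same_site=attrs.get("samesite", ""),
        host_only="domain" not in attrs,
    )


def audit_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return findings grouped as 'stack', 'missing' and 'cookies'."""
    lowered = {k.lower(): v for k, v in headers}   # Set-Cookie handled separately below
    stack = [f"{k}: {lowered[k]}" for k in FINGERPRINT_HEADERS if k in lowered]
    missing = [msg for h, msg in EXPECTED_SECURITY_HEADERS.items() if h not in lowered]
    cookies: List[str] = []
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        c = parse_set_cookie(v)
        if not c.http_only:
            cookies.append(f"{c.name}: missing HttpOnly (readable from script)")
        if not c.secure:
            cookies.append(f"{c.name}: missing Secure (sent over plain HTTP)")
        if not c.same_site:
            cookies.append(f"{c.name}: no SameSite attribute")
    return {"stack": stack, "missing": missing, "cookies": cookies}


def fetch_headers(url: str) -> List[Tuple[str, str]]:
    """Assumed helper: fetch a page in scope of a test and return its headers (needs network)."""
    with urllib.request.urlopen(url) as resp:
        return list(resp.headers.items())


# Constructed sample response, not captured from any real site.
SAMPLE_RESPONSE_HEADERS: List[Tuple[str, str]] = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.4.3"),
    ("Content-Type", "text/html; charset=UTF-8"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "PHPSESSID=deadbeef1234; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Domain=.example.test; Secure; SameSite=Lax"),
]


if __name__ == "__main__":
    report = audit_headers(SAMPLE_RESPONSE_HEADERS)
    for section, findings in report.items():
        print(f"[{section}]")
        for line in findings:
            print("  " + line)
```

Running it against the constructed sample lists the Apache and PHP fingerprint, reports HSTS, CSP and X-Frame-Options as absent, and flags the session cookie for lacking Secure and SameSite and the theme cookie for lacking HttpOnly; the same output is what the add-ons show in the toolbar, only in a form that can be diffed between test runs.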