Firefox Addons For Application Security Testing

Firefox is a popular free, open source web browser used by millions. It supports various application security add-ons, making it a useful tool for performing application security testing. This can allow newcomers who can’t afford professional tools to get started with penetration testing in application security for free.


Firefox allows for the creation of profiles, which can be tuned to a pen tester's needs. The following steps create a penetration testing profile. Use the new profile for all testing activities and leave the default profile for general web browsing.


Creating A New Profile In Firefox

1) Open Firefox. In the URL tab, enter about:profiles. The list of profiles are shown here:



Figure 1: List of Profiles



2) Click “Create a New Profile.” Enter a name for the profile and click “Finish.” Optionally, select the folder where the profile's settings and other data will be stored.


In the example below, an application security profile (“Appsec”) is created:



Figure 2: Appsec Profile Created



Once the new profile is created, it can be launched in a new browser instance.


Adding Appsec Add-ons to Firefox


In the URL bar enter “about:addons”. All add-ons can be managed from here.



Figure 3: Addon Manager



To install an add-on use the search box to search for the plugin. This will open the “” website, which provides a brief introduction to the plugin and allows its installation. To install, click on the “+Add to Firefox” button, which will ask for permission to install the plugin.



Figure 4: Add to Firefox



Click Add to add the add-on.



Figure 5: Add Add-On



Note: Add-ons can be uploaded by anyone, and unverified add-ons may pose a security risk. To prevent theft of personal data, install add-ons that have been verified and vetted by Mozilla, and verify the security of an add-on before installing it.


For this guide, the following add-ons were installed:


  1. Penetration Testing Kit: shows the application's technology stack, lets testers craft requests for SQL injection, etc.
  2. Check XSS / Easy XSS: provide a range of pre-populated XSS payloads for testing input fields.
  3. FoxyProxy: manages multiple proxy configurations.
  4. Cookie Editor: shows the properties set on each cookie and allows them to be edited.
  5. WebSecurity Audit: passively audits websites.
  6. Server Spy: shows server headers.


Once all the add-ons are installed, they are shown in the status bar of the browser (which may need to be restarted for the add-ons to take effect).



Figure 6: Installed Add-ons



Add-ons in Action

1) Server Spy


Click the Server Spy icon in the toolbar to see the list of all server headers for the current page.


Figure 7: HTTP Headers



2) Security Web Auditing


Clicking the WebSecurity Audit icon shows any security issues found for the page you are on.
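The two add-ons above only display what the server sends back; the review a tester then performs on those headers can be written down as a passive check. The following is an added example, not code from the post or from either add-on: it parses a captured HTTP response head and reports version-disclosing banners (the kind Server Spy lists) and missing hardening headers (the kind WebSecurity Audit flags). The two sample responses are constructed, and the list of expected headers is a starting point rather than a complete policy.

```python
"""Passive header review in the spirit of Server Spy and WebSecurity Audit:
parse a captured HTTP response head, report version-disclosing banners and
missing hardening headers. Sample responses below are constructed."""
from typing import Dict, List

# Hardening headers whose absence is reported (reference list, not exhaustive).
EXPECTED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security missing: HTTPS is not enforced",
    "content-security-policy": "Content-Security-Policy missing: no script-source restriction against XSS",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}

# Headers that routinely reveal server or framework versions.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# Constructed sample: a typical unhardened PHP site behind Apache.
SAMPLE_WEAK = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
"""

# Constructed sample: the same page after hardening; CSP frame-ancestors
# replaces X-Frame-Options and the banner headers are gone.
SAMPLE_HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
"""


def parse_response_head(raw: str) -> Dict[str, str]:
    """Map header names (lower-cased) to values. The first line is the status
    line; parsing stops at the blank line that ends the header block."""
    headers: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header field; skip it
        name, value = name.strip().lower(), value.strip()
        # Repeated headers are joined the way RFC 9110 allows for list values.
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding string per disclosure or missing hardening header."""
    findings: List[str] = []
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            findings.append(f"{name} discloses '{headers[name]}'")
    csp = headers.get("content-security-policy", "")
    for name, message in EXPECTED_HEADERS.items():
        if name in headers:
            continue
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue  # CSP frame-ancestors supersedes X-Frame-Options
        findings.append(message)
    return findings


def audit_raw(raw: str) -> List[str]:
    """Convenience wrapper: raw response head in, findings out."""
    return audit_headers(parse_response_head(raw))


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"[{label}]")
        for finding in audit_raw(sample) or ["no findings"]:
            print("  -", finding)
```

Paste a response head copied from the browser's network panel (or from Server Spy) into `audit_raw` to get the same list for a real page; the weak sample above yields five findings and the hardened one yields none.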





3) Check XSS and Easy XSS


XSS is one of the most prevalent attacks and one of the most common vulnerabilities found in applications. Easy XSS and Check XSS provide pre-populated payloads that can be copied and pasted into text boxes to test for XSS.


Right-click on an empty text box or anywhere on the site. The context menu shows sub-menus for Easy XSS and Check XSS; click the arrow to see the list of payloads. Select a payload, paste it into the text box, then press submit.
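When one of these payloads is reflected unchanged, the fix on the server side is output encoding matched to the context where the value lands. The following is an added example, not code from the post or from either add-on: a constructed search page that reflects a user-supplied term into HTML text, an HTML attribute, an inline JavaScript string and a URL parameter, each through the encoder that context needs. Python's standard library supplies the encoders; the page template and the sample input are constructed.

```python
"""Context-aware output encoding: the server-side fix that makes the Check XSS
and Easy XSS payloads inert. Each place a reflected value lands (HTML text, an
attribute, a JavaScript string, a URL parameter) needs its own encoder.
The page template is a constructed example."""
import html
import json
from urllib.parse import quote


def encode_for_html_text(value: str) -> str:
    """Between tags: escape &, <, > and both quote characters."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Inside a quoted attribute value: same escaping; the attribute must be
    quoted in the template for this to be sufficient."""
    return html.escape(value, quote=True)


def encode_for_javascript_string(value: str) -> str:
    """Inside an inline <script>: JSON-encode, then escape <, > and & as
    \\uXXXX so the string can never contain a literal closing script tag."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def encode_for_url_parameter(value: str) -> str:
    """Inside a query string: percent-encode everything but unreserved chars."""
    return quote(value, safe="")


def render_search_page(query: str) -> str:
    """Reflect the user's search term into four contexts, each with its encoder.
    With the encoders removed, every one of these is a reflected XSS sink."""
    return (
        f"<p>Results for: {encode_for_html_text(query)}</p>\n"
        f'<input type="text" name="q" value="{encode_for_html_attribute(query)}">\n'
        f"<script>var lastQuery = {encode_for_javascript_string(query)};</script>\n"
        f'<a href="/search?q={encode_for_url_parameter(query)}">Search again</a>'
    )


if __name__ == "__main__":
    # Constructed input containing each character the encoders must neutralise.
    print(render_search_page("O'Reilly & Sons <test>"))
```

The point the page makes from the tester's side is visible here from the developer's side: the same string needs a different encoding in each of the four contexts, and a single HTML-escape applied everywhere leaves the script and URL contexts exposed.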



Figure 8: Check XSS Payloads




Figure 9: Easy XSS Payloads visible for XSS attacks




Figure 10: Paste XSS Payloads




Figure 11: XSS Payload inserted



4) Cookie Editor


Once installed, Cookie Manager is visible on the status bar. Click the icon to see each cookie's fields and contents. Cookie properties such as HttpOnly, Secure and Host Only are shown as tickboxes, and the values can be edited as desired.
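The tickboxes the add-on shows correspond to attributes on the Set-Cookie header, so the same review can be done on captured headers. The following is an added example, not code from the post or from Cookie Editor: it parses Set-Cookie values, exposes the Secure, HttpOnly, Host Only and SameSite properties, and lists the weaknesses a tester would otherwise read off the tickboxes. The three sample header values are constructed.

```python
"""Cookie attribute review matching what Cookie Editor shows (HttpOnly, Secure,
Host Only), run over Set-Cookie header values instead of the browser jar.
Sample header values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names lower-cased; flag attributes (Secure, HttpOnly) map to None.
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes

    @property
    def host_only(self) -> bool:
        # No Domain attribute means the cookie is sent only to the issuing host
        # (RFC 6265 section 5.3), which is what the add-on labels "Host Only".
        return "domain" not in self.attributes

    @property
    def same_site(self) -> Optional[str]:
        return self.attributes.get("samesite")


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def audit_cookie(cookie: Cookie) -> List[str]:
    """Findings a tester would otherwise read off the Cookie Editor tickboxes."""
    findings: List[str] = []
    if not cookie.secure:
        findings.append(f"{cookie.name}: no Secure flag, can be sent over plain HTTP")
    if not cookie.http_only:
        findings.append(f"{cookie.name}: no HttpOnly flag, readable by page scripts")
    if cookie.same_site is None:
        findings.append(f"{cookie.name}: no SameSite attribute, browser default applies")
    elif cookie.same_site.lower() == "none" and not cookie.secure:
        findings.append(f"{cookie.name}: SameSite=None without Secure is rejected by browsers")
    if not cookie.host_only:
        findings.append(f"{cookie.name}: Domain={cookie.attributes['domain']} shares the cookie with subdomains")
    return findings


# Constructed samples: a bare session cookie, a hardened one and a cross-subdomain one.
SAMPLE_SET_COOKIES = [
    "PHPSESSID=abc123; Path=/",
    "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "tracking=xyz; Domain=.example.test; Path=/; Secure; SameSite=None",
]


def audit_all(header_values: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings."""
    return {c.name: audit_cookie(c) for c in map(parse_set_cookie, header_values)}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SET_COOKIES).items():
        print(name, "->", findings or ["ok"])
```

The bare `PHPSESSID` cookie produces three findings, the `__Host-` prefixed cookie none, and the tracking cookie two (it is script-readable and shared across subdomains). Editing a cookie's value in the add-on, as the post describes, is the manual way of checking whether the server actually validates what the parser above only inspects.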



Figure 12: Cookie Manager 1




Figure 13: Cookie 2



5) Penetration Testing Kit (“PTK”)


PTK allows users to see the technology stack of the application and its HTTP headers. In addition, it provides a graphical representation of requests and allows requests and responses to be modified by sending a request to R Attacker and RScanner. The built-in scanner checks the request for vulnerabilities:



Figure 14: APP Tech Stack




Figure 15: Requests Sent to Server




Figure 16: Request Modification




Figure 17: Vuln Scan



6) FoxyProxy


This add-on allows multiple proxy settings to be added. This is extremely useful when you want to switch between proxies without editing Firefox's own proxy settings each time.



Figure 18: Proxy Interface



Click the FoxyProxy icon and then Options. A new window opens where the title, proxy IP, port, etc. are entered. Once done, press Save, or Save and Add Another to add a further proxy setting.



Figure 19: Proxy 1




Figure 20: Proxy 2



The list of proxies added is shown on the FoxyProxy home page, along with other options that can be explored from there.
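Because the testing profile created at the start of this guide is separate from the default one, its proxy can also be fixed in the profile itself rather than switched through FoxyProxy. The following is an added example, not code from the post or from FoxyProxy: it generates a `user.js` file, which Firefox reads from the profile directory at startup and applies over `prefs.js`, containing the manual proxy preferences that point the profile at a local intercepting proxy. The preference names are Firefox's own; the proxy host/port and the profile path are placeholders.

```python
"""Write a user.js for a dedicated Firefox testing profile so that it starts
with a fixed manual proxy (the FoxyProxy-style setup from the post, done with
Firefox's own preferences). Firefox applies every user_pref() line in
<profile>/user.js over prefs.js at startup. Host/port and profile path below
are placeholders."""
import json
import os
from typing import Dict, Union

PrefValue = Union[str, int, bool]


def proxy_prefs(host: str, port: int, bypass: str = "") -> Dict[str, PrefValue]:
    """Manual proxy configuration (network.proxy.type = 1) that sends both HTTP
    and HTTPS through the same intercepting proxy."""
    return {
        "network.proxy.type": 1,
        "network.proxy.http": host,
        "network.proxy.http_port": port,
        "network.proxy.ssl": host,
        "network.proxy.ssl_port": port,
        "network.proxy.share_proxy_settings": True,
        # Hosts that bypass the proxy; empty so that everything is captured.
        "network.proxy.no_proxies_on": bypass,
        # Firefox 67+ keeps localhost off the proxy unless this is set; needed
        # when the application under test itself runs on 127.0.0.1.
        "network.proxy.allow_hijacking_localhost": True,
    }


def render_user_js(prefs: Dict[str, PrefValue]) -> str:
    """Serialise prefs as user_pref() lines. bool is checked before int because
    bool is a subclass of int in Python; strings are JSON-quoted."""
    lines = ["// Generated for the testing profile only; keep the default profile clean."]
    for name, value in prefs.items():
        if isinstance(value, bool):
            literal = "true" if value else "false"
        elif isinstance(value, int):
            literal = str(value)
        else:
            literal = json.dumps(value)
        lines.append(f'user_pref("{name}", {literal});')
    return "\n".join(lines) + "\n"


def write_user_js(profile_dir: str, prefs: Dict[str, PrefValue]) -> str:
    """Write user.js into the profile directory and return its path."""
    path = os.path.join(profile_dir, "user.js")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(render_user_js(prefs))
    return path


if __name__ == "__main__":
    # Placeholder profile path; the real one is the "Root Directory" shown
    # for the profile on about:profiles.
    target = os.environ.get("APPSEC_PROFILE_DIR", "/path/to/Appsec.profile")
    prefs = proxy_prefs("127.0.0.1", 8080)  # placeholder proxy address
    print(render_user_js(prefs))
    if os.path.isdir(target):
        print("written to", write_user_js(target, prefs))
```

The profile directory is listed as "Root Directory" on the about:profiles page from Figure 1. Firefox must be closed when `user.js` is written, since the running instance rewrites `prefs.js` on exit; on the next start of that profile the proxy is already in place, and FoxyProxy can still be layered on top for switching between proxies.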



Figure 21: All Proxies




The add-ons discussed here transform the Firefox browser into a powerful application security testing tool, thereby allowing many pen testers and enthusiasts who don’t have resources to purchase commercial tools to get acquainted with application security testing and discover vulnerabilities in applications.

Subramanya S.
Principal Consultant | Optiv
Subramanya is a senior consultant on the Application Security Team in Optiv’s Management Practice. He specializes in application security.