Firefox Addons For Application Security Testing
Firefox is a popular free, open source web browser used by millions. It supports a range of application security add-ons, making it a useful tool for application security testing. This allows newcomers who can’t afford professional tools to get started with penetration testing in application security for free.
Firefox allows the creation of profiles, which can be tuned to the needs of a pen tester. The following steps create a penetration testing profile. Create a new profile and use it for all testing activities, leaving the default profile for general web browsing.
Creating A New Profile In Firefox
1) Open Firefox. In the URL bar, enter about:profiles. The list of existing profiles is shown here:
Figure 1: List of Profiles
2) Click “Create a New Profile.” Enter a name for the profile and click “Finish.” Optionally, select the folder where the settings and other data for the profile will be stored.
In the example below, an application security profile (“Appsec”) is created:
Figure 2: Appsec Profile Created
Once the new profile is created, it can be launched in a new browser instance.
Adding Appsec Add-ons to Firefox
In the URL bar, enter about:addons. All add-ons can be managed from here.
Figure 3: Addon Manager
To install an add-on, use the search box to search for it. This opens the addons.mozilla.org website, which gives a brief introduction to the add-on and allows it to be installed. Click the “+ Add to Firefox” button; Firefox will then ask for permission to install the add-on.
Figure 4: Add to Firefox
Click “Add” to install the add-on.
Figure 5: Add Add-On
Note: Add-ons can be uploaded by anyone and may be unverified, which poses a security risk. Only add-ons that are verified and vetted by Mozilla should be installed, to prevent theft of personal data. Users should verify the security of an add-on before installing it.
For this guide, the following add-ons were installed:
- Penetration Testing Kit: allows testers to see the tech stack of the application, craft requests for SQL injection, etc.
- Check XSS / Easy XSS: provides testers with a range of prepopulated XSS payloads
- FoxyProxy: allows proxy management
- Cookie Editor: allows testers to see the cookie properties being set and to edit them
- WebSecurity Audit: allows passive auditing of websites
- Server Spy: shows server headers
Once all the add-ons are installed, they are shown in the status bar of the browser (the browser may need to be restarted for the add-ons to take effect).
Figure 6: Installed Add-ons
Add-ons in Action
1) Server Spy
Click the Server Spy icon in the toolbar to see the list of all server headers for the current page.
Figure 7: HTTP Headers
2) Security Web Auditing
Clicking on the Security Web Auditing icon shows any security issues found for the page you are on.
3) Check XSS and Easy XSS
XSS is one of the most prevalent attacks and one of the most common vulnerabilities found in applications. Easy XSS and Check XSS provide different prepopulated payloads that can be copied and pasted into text boxes to execute XSS attacks.
Right-click on an empty text box or anywhere on the site. The context menu shows the Easy XSS and Check XSS sub-menus. Click on the arrow to see the list of payloads. Select a payload, paste it into the text box, then press submit.
Figure 8: Check XSS Payloads
Figure 9: Easy XSS Payloads visible for XSS attacks
Figure 10: Paste XSS Payloads
Figure 11: XSS Payload inserted
4) Cookie Editor
Once installed, Cookie Manager is visible on the status bar. Click on the icon to see the cookie fields and their contents. Cookie properties such as HttpOnly, Secure and Host Only are indicated by the tickboxes. The values can be edited as desired.
Figure 12: Cookie Manager 1
Figure 13: Cookie 2
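The three passive checks above (Server Spy's headers, Security Web Auditing's issue list and Cookie Editor's Secure/HttpOnly tickboxes) can be reproduced offline over a captured response. The following Python script is an added example, not code from the post or from any of the add-ons; the sample response and the baseline list of expected security headers are constructed assumptions.

```python
# Added example (not from the post): passive audit of a captured HTTP
# response covering what Server Spy and Cookie Editor show in the browser.
# The sample response is constructed, not captured from a real site.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=abc123; Path=/
Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax
"""
# Assumed baseline of headers a hardened site should send.
EXPECTED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options")
DISCLOSING_HEADERS = ("server", "x-powered-by")  # reveal the tech stack

def parse_headers(raw):
    """Split raw headers into (status_line, [(name, value), ...]),
    keeping duplicates such as repeated Set-Cookie lines."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers

def audit_cookie(set_cookie):
    """Findings for one Set-Cookie value: the Secure and HttpOnly tickboxes
    Cookie Editor shows, plus SameSite."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value or True  # flag attributes carry no value
    return [f"{name}: missing {a}" for a in ("Secure", "HttpOnly", "SameSite")
            if a.lower() not in attrs]

def audit_response(raw):
    """Return human-readable findings for the whole response."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name.lower() in DISCLOSING_HEADERS:
            findings.append(f"{name} discloses: {value}")
        elif name.lower() == "set-cookie":
            findings.extend(audit_cookie(value))
    present = {name.lower() for name, _ in headers}
    findings += [f"missing {h}" for h in EXPECTED_HEADERS if h.lower() not in present]
    return findings
```

Calling `audit_response(SAMPLE_RESPONSE)` on the constructed sample reports the two disclosing headers, the three missing attributes on the PHPSESSID cookie and the four absent security headers; the second cookie passes clean.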
5) Penetration Testing Kit (“PTK”)
PTK allows users to see the technology stack of the application and the HTTP headers. In addition, it provides a graphical representation of requests and allows requests and responses to be modified by sending the request to R Attacker and RScanner. The built-in scanner scans the request for vulnerabilities:
Figure 14: APP Tech Stack
Figure 15: Requests Sent to Server
Figure 16: Request Modification
Figure 17: Vuln Scan
6) FoxyProxy
FoxyProxy allows multiple proxy settings to be added. This is extremely useful when you want to connect to different proxies without having to change Firefox’s default proxy settings each time.
Figure 18: Proxy Interface
Click on the FoxyProxy icon and then on Options. A new window opens where the title, proxy IP, port, etc. are entered. Once done, press Save, or Save and Add Another to add a further proxy setting.
Figure 19: Proxy 1
Figure 20: Proxy 2
The list of proxies added is shown on the home page. FoxyProxy has other options which can also be explored from there.
Figure 21: All Proxies
The add-ons discussed here turn Firefox into a powerful application security testing tool, allowing pen testers and enthusiasts who lack the resources to purchase commercial tools to get acquainted with application security testing and discover vulnerabilities in applications.
Copyright © 2021 Optiv Security Inc. All rights reserved.