Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


October 17, 2007

Hacker Firefox Extensions

Have fun:

If I could only install one "offensive" extension, it would absolutely be Tamper Data. In the past, I used Paros Proxy and Burp Suite for intercepting requests and responses between my Web browser and the Web server. These tasks can now be done within Firefox via Tamper Data -- without configuring the proxy settings.

If the Website you're trying to break into requires a unique cookie, referrer, or user-agent, intercept the request with Tamper Data before it gets sent to the Web server. Then, add or modify the attributes you need and send it on. It's even possible to modify the response from the Web server before the Web browser interprets it. It's a very nice tool for anyone interested in Web application security.

Paros and Burp both have features not yet available in Tamper Data, such as site spidering and vulnerability scanning. Switching over to one of them as a proxy is much easier with SwitchProxy, which helps you quickly configure Firefox to use Paros and Proxy. It's not a purely "offensive" extension, but SwitchProxy makes the configuration of proxies for Firefox much quicker.

Posted on October 17, 2007 at 6:06 AM


Comments

I knew it. This Firefox is nothing more than a hacker tool!

Posted by: Bill Gates at October 17, 2007 7:32 AM


This is not just useful as a "Hacker" extension. I develop Web Applications for a living and I find it incredibly useful on a daily basis. Not just for manipulating POST parameters, but for quickly listing all browser requests/responses, their durations, headers etc...

Posted by: Web Developer at October 17, 2007 8:55 AM


Unfortunately, SwitchProxy has some stability problems; the longer your browser has been running, the more time the "New Window" and "New Tab" actions will take to produce a result. It's a shame, because it's a really useful extension, but the long pauses finally drove me nuts and I deactivated it.

Posted by: Brent Nordquist at October 17, 2007 9:09 AM


Great stuff, for a demonstrator on how much info leaves the browser, and as an awareness-raiser on the concept of a Man-in-the-Browser (note: concept, not detail).

Posted by: Jay at October 17, 2007 9:52 AM


So... Can we still use firefox in Germany?

Posted by: greg at October 17, 2007 10:00 AM


As someone who uses these sorts of tools often, I'd also suggest:

Edit Cookies
https://addons.mozilla.org/en-US/firefox/addon/4510

Selenium IDE (for when you get tired of doing this all manually)
https://addons.mozilla.org/en-US/firefox/addon/2079

View Source Chart (also useful for dissecting web pages, as it shows the effects of javascript on the HTML after the page has already loaded)
https://addons.mozilla.org/en-US/firefox/addon/655

Another useful proxy is WebScarab:
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

There's tons of other tools out there, as well. cURL is great for spidering and mirroring. CAL9000 is great for encoding and decoding strings. And don't forget LibWWWPerl.


Posted by: Ben at October 17, 2007 10:01 AM


Nope greg, not together with these tools.

But you have to explain to our dear audience that "Hacker tools" are illegal in Germany, no matter who uses them (more or less) or why you use them (security audit) because the law is so poorly formulated.

Posted by: TheDoctor at October 17, 2007 10:13 AM


@TheDoctor: "illegal in Germany, no matter (...) why you use them because the law is so poorly formulated"

If you read the law, you will find that preparation of a computer crime is a prerequisite for the illegality of the tools.
http://dejure.org/gesetze/StGB/202c.html

Posted by: Paeniteo at October 17, 2007 10:32 AM


I use Chris Pederick's Web Developer extension: http://chrispederick.com/work/web-developer/ to change session cookies and look at hidden form fields. Besides the "hacking" functionality, it also does other handy stuff such as putting hairlines around divs and table cells to help you troubleshoot your HTML and CSS.

Posted by: Don Marti at October 17, 2007 11:21 AM


I'm going to have to check this out. Looks like it would be tremendously useful in my day job, where I often have to write scripts to emulate browser behavior in order to automate systems that the short-sighted designers never realized someone would want to automate.

Posted by: John Ridley at October 17, 2007 11:27 AM


@Brent Nordquist

Try Foxy Proxy instead of Switch Proxy.

It features rule-based, on-the-fly proxy switching.

Posted by: Guillaume at October 17, 2007 11:27 AM


I have used Muffin Proxy http://muffin.doit.org/ for years and I didn't know that there is another product out there which has an equivalent preview function. Thanks for the links. These proxies are exactly what I need.
Maybe (if you didn't already know) you should keep an eye on Muffin because you can easily write customizations for it!

Posted by: Peter M. at October 17, 2007 12:25 PM


I'm a regular user of Tamper Data and have to agree it is very useful.

One should always bear in mind that Firefox extensions act in chrome: context and can execute arbitrary code on your system. So be sure you know what you're installing, and if you're a code auditor, do everyone a favor and take a look at the source.

Posted by: antibozo at October 17, 2007 12:41 PM


Tools like this are great to explain to developers why they should place an HMAC over fields that are to be echoed back from the browser - and the HMAC must contain a user identity and should contain session info.

People just don't realize how easy it is to manipulate this stuff.

Posted by: Chris S at October 17, 2007 4:17 PM
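The HMAC scheme described in the comment above, as an added example that is not part of the comment or the original post: a tag over an echoed form field that is bound to the user identity and session, so an edit made in an intercepting tool is rejected on return. The names `SERVER_KEY`, `protect_field` and `verify_field`, and the sample user, session and field values, are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-application secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def _mac_input(user_id: str, session_id: str, name: str, value: str) -> bytes:
    """Length-prefix every part so ("ab", "c") and ("a", "bc") cannot collide."""
    out = b""
    for part in (user_id, session_id, name, value):
        raw = part.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def protect_field(user_id: str, session_id: str, name: str, value: str,
                  key: bytes = SERVER_KEY) -> str:
    """Return the hex tag to emit beside the field, e.g. as a second hidden input."""
    msg = _mac_input(user_id, session_id, name, value)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_field(user_id: str, session_id: str, name: str, value: str,
                 tag: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the tag from server-known identity plus the echoed value."""
    expected = protect_field(user_id, session_id, name, value, key)
    # Compare as bytes: a non-ASCII tag from the client must fail, not raise.
    return hmac.compare_digest(expected.encode("ascii"),
                               tag.encode("utf-8", "replace"))


def demo() -> dict:
    """Constructed sample: a price echoed back through a hidden form field."""
    tag = protect_field("alice", "sess-1", "price", "49.99")
    return {
        "unmodified": verify_field("alice", "sess-1", "price", "49.99", tag),
        "value_edited": verify_field("alice", "sess-1", "price", "0.01", tag),
        "other_user": verify_field("bob", "sess-1", "price", "49.99", tag),
        "other_session": verify_field("alice", "sess-2", "price", "49.99", tag),
        "other_field": verify_field("alice", "sess-1", "discount", "49.99", tag),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The user and session identifiers passed to `verify_field` must come from the server's own authenticated state, never from the request being checked.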


which one is better? firefox or opera?

Posted by: tony at October 17, 2007 8:35 PM


We have recently released a tool named PbProxy under an open-source license at (http://www.phishbouncer.com/trac). PbProxy allows interception of HTTP and HTTPS data, is written in Java, and allows customization via a plugin-architecture.

PbProxy is great for intercepting web requests and subjecting them to security checks. By default, it comes with a set of behavioral phishing checks.

Posted by: Michael A at October 17, 2007 10:56 PM


TamperData has been a very useful tool in assessing possible security risks as well as in plain old debugging when developing web sites. It even lets you add headers to the request, which makes it very convenient when simulating specific types of requests from other servers.

Posted by: Joe at October 18, 2007 7:46 AM


@Chris S
How about never sending any data that needs to be "echoed" back from the browser? Doesn't your server environment keep a "session" in which you can store data between requests?

I found it easier to tell developers to never read from the client things the server already knows.

Posted by: Guillaume at October 18, 2007 8:14 AM


Tamper Data looks like the replacement to HTMLBar for firefox that I've been looking for for a long time. If you need to debug something in IE, that's the plugin you can't live without.

Posted by: Paul at October 18, 2007 8:52 AM


I believe that what you meant to say was "H@ve phun"...

Posted by: LaRoach at October 18, 2007 11:50 AM



Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

 