Schneier on Security
A blog covering security and security technology.

« Security Risks of Online Political Contributing | Main | Future of Malware »

October 17, 2007

Hacker Firefox Extensions

If I could only install one "offensive" extension, it would absolutely be Tamper Data. In the past, I used Paros Proxy and Burp Suite for intercepting requests and responses between my Web browser and the Web server. These tasks can now be done within Firefox via Tamper Data -- without configuring the proxy settings.

Posted on October 17, 2007 at 6:06 AM • 24 Comments

Web Developer • October 17, 2007 8:55 AM
This is not just useful as a "Hacker" extension. I develop Web Applications for a living and I find it incredibly useful on a daily basis. Not just for manipulating POST parameters, but for quickly listing all browser requests/responses, their durations, headers etc...

Brent Nordquist • October 17, 2007 9:09 AM
Unfortunately, SwitchProxy has some stability problems; the longer your browser has been running, the more time the "New Window" and "New Tab" actions will take to produce a result. It's a shame, because it's a really useful extension, but the long pauses finally drove me nuts and I deactivated it.

Jay • October 17, 2007 9:52 AM
Great stuff, for a demonstrator on how much info leaves the browser, and as an awareness-raiser on the concept of a Man-in-the-Browser (note: concept, not detail).

Ben • October 17, 2007 10:01 AM
As someone who uses these sorts of tools often, I'd also suggest:
Edit Cookies
Selenium IDE (for when you get tired of doing this all manually)
View Source Chart (also useful for dissecting web pages, as it shows the effects of javascript on the HTML after the page has already loaded)
Another useful proxy is WebScarab:
There's tons of other tools out there, as well. cURL is great for spidering and mirroring. CAL9000 is great for encoding and decoding strings.
And don't forget LibWWWPerl.

TheDoctor • October 17, 2007 10:13 AM
Nope greg, not together with these tools. But you have to explain to our dear audience that "Hacker tools" are illegal in Germany, no matter who uses them (more or less) or why you use them (security audit) because the law is so poorly formulated.

Paeniteo • October 17, 2007 10:32 AM
@TheDoctor: "illegal in Germany, no matter (...) why you use them because the law is so poorly formulated"
If you read the law, you will find that preparation of a computer crime is a prerequisite for the illegality of the tools.

Rich Wilson • October 17, 2007 10:52 AM
Web Developer: and Firebug:

Don Marti • October 17, 2007 11:21 AM
I use Chris Pederick's Web Developer extension: http://chrispederick.com/work/web-developer/ to change session cookies and look at hidden form fields. Besides the "hacking" functionality, it also does other handy stuff such as putting hairlines around divs and table cells to help you troubleshoot your HTML and CSS.

John Ridley • October 17, 2007 11:27 AM
I'm going to have to check this out. Looks like it would be tremendously useful in my day job, where I often have to write scripts to emulate browser behavior in order to automate systems that the short-sighted designers never realized someone would want to automate.

Guillaume • October 17, 2007 11:27 AM
@Brent Nordquist
Try Foxy Proxy instead of Switch Proxy. It features rule-based, on-the-fly proxy switching.

Peter M. • October 17, 2007 12:25 PM
I have used Muffin Proxy http://muffin.doit.org/ for years and I didn't know that there is another product out there which has an equivalent preview function. - Thanks for the links. These proxies are exactly what I need.

antibozo • October 17, 2007 12:41 PM
I'm a regular user of Tamper Data and have to agree it is very useful. One should always bear in mind that Firefox extensions act in chrome: context and can execute arbitrary code on your system. So be sure you know what you're installing, and if you're a code auditor, do everyone a favor and take a look at the source.

Chris S • October 17, 2007 4:17 PM
Tools like this are great to explain to developers why they should place an HMAC over fields that are to be echoed back from the browser - and the HMAC must contain a user identity and should contain session info. People just don't realize how easy it is to manipulate this stuff.

Michael A • October 17, 2007 10:56 PM
We have recently released a tool named PbProxy under an open-source license at (http://www.phishbouncer.com/trac). PbProxy allows interception of HTTP and HTTPS data, is written in Java, and allows customization via a plugin-architecture. PbProxy is great for intercepting web requests and subjecting them to security checks. By default, it comes

Joe • October 18, 2007 7:46 AM
TamperData has been a very useful tool in assessing possible security risks as well as in plain old debugging when developing web sites. It even lets you add headers to the request, which makes it very convenient when simulating specific types of requests from other servers.

Guillaume • October 18, 2007 8:14 AM
@Chris S
I found it easier to tell developers to never read from the client things the server already knows.

Paul • October 18, 2007 8:52 AM
Tamper Data looks like the replacement to HTMLBar for Firefox that I've been looking for for a long time. If you need to debug something in IE, that's the plugin you can't live without.

Alan Kennedy • July 7, 2009 6:08 PM
I've compiled a list of open source HTTP proxies written in Java and Python, which carry out a wide variety of functions, including security, anonymization, etc.

Calandale • December 16, 2009 2:22 PM
Alan, I don't see why you left Web Scarab and Burp off your proxy list - they're a lot better known than many there.

Alan Kennedy • September 5, 2010 6:18 AM
@Calandale
WebScarab has always been listed on that page; perhaps you overlooked it.
http://proxies.xhaus.com/java/webscarab.html
I don't list Burp because it is not open source.
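The defence Chris S describes above (an HMAC over form fields the browser echoes back, bound to the user identity and session) is easy to get subtly wrong, so here is an added worked example. It is not code from the post or from any commenter; the key, user ids, session ids and the "price_cents" hidden field are all constructed for the demonstration. The server signs the fields when rendering the form, then on submit recomputes the MAC using the user and session it already knows from its own session state, so a field changed in transit, or a signed form replayed by a different user, fails verification.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example key. A real deployment loads this from a secret store
# and rotates it; it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def _canonical(fields, user_id, session_id):
    """Serialise the fields plus user and session identity unambiguously.

    JSON with sorted keys and no separators padding means the boundaries
    between keys and values are explicit, so two different field sets cannot
    produce the same byte string the way naive concatenation can.
    """
    payload = {
        "fields": dict(sorted(fields.items())),
        "user": user_id,
        "session": session_id,
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _mac(fields, user_id, session_id, key):
    return hmac.new(key, _canonical(fields, user_id, session_id), hashlib.sha256).hexdigest()


def sign_fields(fields, user_id, session_id, key=SERVER_KEY):
    """Server side, when rendering the form: add a 'sig' hidden field."""
    return {**fields, "sig": _mac(fields, user_id, session_id, key)}


def verify_fields(submitted, user_id, session_id, key=SERVER_KEY):
    """Server side, on submit: recompute the MAC over everything except 'sig'.

    user_id and session_id come from the server's own session state, never
    from the request body, so a value signed for one user or session does not
    verify for another.
    """
    submitted = dict(submitted)
    sig = submitted.pop("sig", None)
    if sig is None:
        return False
    expected = _mac(submitted, user_id, session_id, key)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, sig)


def demo():
    """Three submissions as the server would see them; the hidden field values
    and identities are constructed for this example."""
    rendered = sign_fields({"item": "widget", "price_cents": "1999"}, "alice", "sess-A")

    honest = verify_fields(rendered, "alice", "sess-A")
    # Same signed form, but the price hidden field was edited before submission.
    tampered = verify_fields({**rendered, "price_cents": "1"}, "alice", "sess-A")
    # Untouched form, but submitted from a different user's session.
    replayed = verify_fields(rendered, "bob", "sess-B")
    return {"honest": honest, "tampered": tampered, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```

The canonical encoding matters as much as the MAC itself: signing a plain concatenation of values would let two different field sets share one byte string. Guillaume's follow-up is the simpler alternative where it applies: if the server already knows the price, it should keep it in session state and never read it from the client at all, and the MAC is only needed for values that genuinely have to round-trip through the browser.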
Powered by Movable Type. Photo at top by Geoffrey Stone.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT. |