Schneier on Security
A blog covering security and security technology.

October 17, 2007

Hacker Firefox Extensions

If I could only install one "offensive" extension, it would absolutely be Tamper Data. In the past, I used Paros Proxy and Burp Suite for intercepting requests and responses between my Web browser and the Web server. These tasks can now be done within Firefox via Tamper Data -- without configuring the proxy settings.

Posted on October 17, 2007 at 6:06 AM

Comments

I knew it. This Firefox is nothing more than a hacker tool!
Posted by: Bill Gates at October 17, 2007 7:32 AM

This is not just useful as a "Hacker" extension. I develop Web Applications for a living and I find it incredibly useful on a daily basis. Not just for manipulating POST parameters, but for quickly listing all browser requests/responses, their durations, headers etc...
Posted by: Web Developer at October 17, 2007 8:55 AM

Unfortunately, SwitchProxy has some stability problems; the longer your browser has been running, the more time the "New Window" and "New Tab" actions will take to produce a result. It's a shame, because it's a really useful extension, but the long pauses finally drove me nuts and I deactivated it.
Posted by: Brent Nordquist at October 17, 2007 9:09 AM

Great stuff, for a demonstrator on how much info leaves the browser, and as an awareness-raiser on the concept of a Man-in-the-Browser (note: concept, not detail).
Posted by: Jay at October 17, 2007 9:52 AM

As someone who uses these sorts of tools often, I'd also suggest:
Edit Cookies
Selenium IDE (for when you get tired of doing this all manually)
View Source Chart (also useful for dissecting web pages, as it shows the effects of javascript on the HTML after the page has already loaded)
Another useful proxy is WebScarab:
There are tons of other tools out there, as well. cURL is great for spidering and mirroring. CAL9000 is great for encoding and decoding strings. And don't forget LibWWWPerl.
Posted by: Ben at October 17, 2007 10:01 AM

Nope greg, not together with these tools. But you have to explain to our dear audience that "Hacker tools" are illegal in Germany, no matter who uses them (more or less) or why you use them (security audit), because the law is so poorly formulated.
Posted by: TheDoctor at October 17, 2007 10:13 AM

@TheDoctor: "illegal in Germany, no matter (...) why you use them because the law is so poorly formulated"
If you read the law, you will find that preparation of a computer crime is a prerequisite for the illegality of the tools.
Posted by: Paeniteo at October 17, 2007 10:32 AM

Web Developer: and Firebug:
Posted by: Rich Wilson at October 17, 2007 10:52 AM

I use Chris Pederick's Web Developer extension: http://chrispederick.com/work/web-developer/ to change session cookies and look at hidden form fields. Besides the "hacking" functionality, it also does other handy stuff such as putting hairlines around divs and table cells to help you troubleshoot your HTML and CSS.
Posted by: Don Marti at October 17, 2007 11:21 AM

I'm going to have to check this out. Looks like it would be tremendously useful in my day job, where I often have to write scripts to emulate browser behavior in order to automate systems that the short-sighted designers never realized someone would want to automate.
Posted by: John Ridley at October 17, 2007 11:27 AM

@Brent Nordquist
Try Foxy Proxy instead of Switch Proxy. It features rule-based, on-the-fly proxy switching.
Posted by: Guillaume at October 17, 2007 11:27 AM

I have used Muffin Proxy http://muffin.doit.org/ for years and I didn't know that there is another product out there which has an equivalent preview function. - Thanks for the links. These proxies are exactly what I need.
Posted by: Peter M. at October 17, 2007 12:25 PM

I'm a regular user of Tamper Data and have to agree it is very useful.
One should always bear in mind that Firefox extensions act in chrome: context and can execute arbitrary code on your system. So be sure you know what you're installing, and if you're a code auditor, do everyone a favor and take a look at the source.
Posted by: antibozo at October 17, 2007 12:41 PM

Tools like this are great to explain to developers why they should place an HMAC over fields that are to be echoed back from the browser - and the HMAC must contain a user identity and should contain session info. People just don't realize how easy it is to manipulate this stuff.
Posted by: Chris S at October 17, 2007 4:17 PM

We have recently released a tool named PbProxy under an open-source license at (http://http://www.phishbouncer.com/trac) . PbProxy allows interception of HTTP and HTTPS data, is written in Java, and allows customization via a plugin architecture. PbProxy is great for intercepting web requests and subjecting them to security checks. By default, it comes
Posted by: Michael A at October 17, 2007 10:56 PM

TamperData has been a very useful tool in assessing possible security risks as well as in plain old debugging when developing web sites. It even lets you add headers to the request, which makes it very convenient when simulating specific types of requests from other servers.
Posted by: Joe at October 18, 2007 7:46 AM

@Chris S
I found it easier to tell developers to never read from the client things the server already knows.
Posted by: Guillaume at October 18, 2007 8:14 AM

Tamper Data looks like the replacement to HTMLBar for Firefox that I've been looking for for a long time. If you need to debug something in IE, that's the plugin you can't live without.
Posted by: Paul at October 18, 2007 8:52 AM

I believe that what you meant to say was "H@ve phun"...
Posted by: LaRoach at October 18, 2007 11:50 AM
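The defence Chris S describes above, an HMAC over fields the browser echoes back that is bound to the user identity and the session, worked through as an added example (not code from the post or any commenter). The key, field names and user/session identifiers are constructed for illustration; the server-side alternative Guillaume gives, not reading back what the server already knows, needs no code.

```python
"""Integrity-protect form fields that the browser echoes back.

Added example, not code from the post or its comments. The key, field
names and user/session identifiers are constructed for illustration.
"""
import hashlib
import hmac

# Server-side key, never sent to the client (constructed demo value).
SERVER_KEY = b"constructed-demo-key-replace-me"


def _canonical(fields, user_id, session_id):
    """Deterministic byte string: identity binding plus sorted fields.

    Every part is length-prefixed so "a=bc" and "ab=c" cannot collide.
    Including user_id and session_id means a MAC captured in one
    user's session does not verify in another.
    """
    parts = [user_id.encode(), session_id.encode()]
    for name in sorted(fields):
        parts.append(name.encode())
        parts.append(str(fields[name]).encode())
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign_fields(fields, user_id, session_id, key=SERVER_KEY):
    """Hex MAC the server stores in a hidden field next to the data."""
    msg = _canonical(fields, user_id, session_id)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_fields(fields, mac, user_id, session_id, key=SERVER_KEY):
    """Recompute over what came back; constant-time comparison."""
    expected = sign_fields(fields, user_id, session_id, key)
    return hmac.compare_digest(expected, mac)


def demo():
    """Three round trips; returns which ones the server should accept."""
    fields = {"item": "book", "price_cents": 1999}  # constructed order
    mac = sign_fields(fields, "user42", "sessA")
    edited = dict(fields, price_cents=1)  # value altered in the browser
    return {
        "unchanged": verify_fields(fields, mac, "user42", "sessA"),
        "edited_price": verify_fields(edited, mac, "user42", "sessA"),
        "other_session": verify_fields(fields, mac, "user42", "sessB"),
    }
```

Only the unchanged round trip verifies; an edited value or a MAC replayed into another session is rejected, which is exactly what a Tamper Data style edit of a hidden field would run into.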