Hacker Firefox Extensions

Have fun:

If I could only install one "offensive" extension, it would absolutely be Tamper Data. In the past, I used Paros Proxy and Burp Suite for intercepting requests and responses between my Web browser and the Web server. These tasks can now be done within Firefox via Tamper Data -- without configuring the proxy settings.

If the Website you're trying to break into requires a unique cookie, referrer, or user-agent, intercept the request with Tamper Data before it gets sent to the Web server. Then, add or modify the attributes you need and send it on. It's even possible to modify the response from the Web server before the Web browser interprets it. It's a very nice tool for anyone interested in Web application security.

Paros and Burp both have features not yet available in Tamper Data, such as site spidering and vulnerability scanning. Switching over to one of them as a proxy is much easier with SwitchProxy, which helps you quickly configure Firefox to use Paros and Proxy. It's not a purely "offensive" extension, but SwitchProxy it makes the configuration of proxies for Firefox much quicker.

Posted on October 17, 2007 at 6:06 AM • 25 Comments

Comments

Web DeveloperOctober 17, 2007 8:55 AM

This is not just useful as a "Hacker" extension. I develop Web Applications for a living and I find it incredibly useful on a daily basis. Not just for manipulating POST parameters, but for quickly listing all browser requests/repsonses, their durations, headers etc...

Brent NordquistOctober 17, 2007 9:09 AM

Unfortunately, SwitchProxy has some stability problems; the longer your browser has been running, the more time the "New Window" and "New Tab" actions will take to produce a result. It's a shame, because it's a really useful extension, but the long pauses finally drove me nuts and I deactivated it.

JayOctober 17, 2007 9:52 AM

Great stuff, for a demonstrator on how much info leaves the browser, and as an awareness-raiser on the concept of a Man-in-the-Browser (note: concept, not detail).

BenOctober 17, 2007 10:01 AM

As someone who uses these sorts of tools often, I'd also suggest:

Edit Cookies
https://addons.mozilla.org/en-US/firefox/addon/4510

Selenium IDE (for when you get tired of doing this all manually)
https://addons.mozilla.org/en-US/firefox/addon/2079

View Source Chart (also useful for dissecting web pages, as it shows the effects of javascript on the HTML after the pages has already loaded)
https://addons.mozilla.org/en-US/firefox/addon/655

Another useful proxy is WebScarab:
http://www.owasp.org/index.php/...

There's tons of other tools out there, as well. cURL is great for spidering and mirroring. CAL9000 is great for encoding and decoding strings. And don't forget LibWWWPerl.


TheDoctorOctober 17, 2007 10:13 AM

Nope greg, not together with these tools.

But you have to explain to our dear audience that "Hacker tools" are illegal in Germany, no matter who uses them (more or less) or why you use them (security audit) because the law is so poorly formulated.

John RidleyOctober 17, 2007 11:27 AM

I'm going to have to check this out. Looks like it would be tremendously useful in my day job, where I often have to write scripts to emulate browser behavior in order to automate systems that the short-sighted designers never realized someone would want to automate.

GuillaumeOctober 17, 2007 11:27 AM

@Brent Nordquist

Try Foxy Proxy instead of Switch Proxy.

It feature rule based, on the fly proxy swithching.

Peter M.October 17, 2007 12:25 PM

I use Muffin Proxy http://muffin.doit.org/ for years and I didn't know, that there is another product out there which has an equivalent preview function. - Thanks for the links. This proxies are exactly what I need.
Maybe (if you not already knew) you should keep an eye on muffin because you can easily write customizations for it.!

antibozoOctober 17, 2007 12:41 PM

I'm a regular user of Tamper Data and have to agree it is very useful.

One should always bear in mind that Firefox extensions act in chrome: context and can execute arbitrary code on your system. So be sure you know what you're installing, and if you're a code auditor, do everyone a favor and take a look at the source.

Chris SOctober 17, 2007 4:17 PM

Tools like this are great to explain to developers why they should place an HMAC over fields that are to be echoed back from the browser - and the HMAC must contain a user identity and should contain session info.

People just don't realize how easy it is to manipulate this stuff.

Michael AOctober 17, 2007 10:56 PM

We have recently released a tool named PbProxy under an open-source license at (http://http://www.phishbouncer.com/trac) . PbProxy allows interception of HTTP and HTTPS data, is written in Java, and allows customization via a plugin-architecture.

PbProxy is great for intercepting web requests and subjecting them to security checks. By default, it comes
with a set of behavioral phishing checks.

JoeOctober 18, 2007 7:46 AM

TamperData has been a very useful tool in assessing possible security risks as well as in plain old debugging when developing web sites. It even lets you add headers to the request, which makes it very convenient when simulating specific types of requests from other servers.

GuillaumeOctober 18, 2007 8:14 AM

@Chris S
How about never sending any data that needs to be "echoed" back from the browser ? Doesn't your server environment keep a "session" in which you can store data between requests ?

I found it easier to tell developpers to never read from the client things the server already knows.

PaulOctober 18, 2007 8:52 AM

Tamper Data looks like the replacement to HTMLBar for firefox that I've been looking for for a long time. If you need to debug something in IE, that's the plugin you can't live without.

CalandaleDecember 16, 2009 2:22 PM

Alan, I don't see why you left Web Scarab and Burp off your proxy list - they're a lot more well known then many there.

bobJune 18, 2013 11:09 AM

tamper data doesn't return full reponse bodies (just the response header) as far as I can tell. At least its not doing in on linux using firefox 21 and tamper data version 11.0.1

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..