Schneier on Security
A blog covering security and security technology.
October 17, 2007
Hacker Firefox Extensions
If I could only install one "offensive" extension, it would absolutely be Tamper Data. In the past, I used Paros Proxy and Burp Suite for intercepting requests and responses between my Web browser and the Web server. These tasks can now be done within Firefox via Tamper Data -- without configuring the proxy settings.
If the Website you're trying to break into requires a unique cookie, referrer, or user-agent, intercept the request with Tamper Data before it gets sent to the Web server. Then, add or modify the attributes you need and send it on. It's even possible to modify the response from the Web server before the Web browser interprets it. It's a very nice tool for anyone interested in Web application security.
Paros and Burp both have features not yet available in Tamper Data, such as site spidering and vulnerability scanning. Switching over to one of them as a proxy is much easier with SwitchProxy, which helps you quickly configure Firefox to use Paros or Burp. It's not a purely "offensive" extension, but SwitchProxy makes configuring proxies for Firefox much quicker.
Posted on October 17, 2007 at 6:06 AM
• 25 Comments
I knew it. This Firefox is nothing more than a hacker tool!
This is not just useful as a "Hacker" extension. I develop Web Applications for a living and I find it incredibly useful on a daily basis. Not just for manipulating POST parameters, but for quickly listing all browser requests/responses, their durations, headers etc...
Unfortunately, SwitchProxy has some stability problems; the longer your browser has been running, the more time the "New Window" and "New Tab" actions will take to produce a result. It's a shame, because it's a really useful extension, but the long pauses finally drove me nuts and I deactivated it.
Great stuff, for a demonstrator on how much info leaves the browser, and as an awareness-raiser on the concept of a Man-in-the-Browser (note: concept, not detail).
So... Can we still use firefox in Germany?
Nope greg, not together with these tools.
But you have to explain to our dear audience that "Hacker tools" are illegal in Germany, no matter who uses them (more or less) or why you use them (security audit) because the law is so poorly formulated.
@TheDoctor: "illegal in Germany, no matter (...) why you use them because the law is so poorly formulated"
If you read the law, you will find that preparation of a computer crime is a prerequisite for the illegality of the tools.
I use Chris Pederick's Web Developer extension: http://chrispederick.com/work/web-developer/ to change session cookies and look at hidden form fields. Besides the "hacking" functionality, it also does other handy stuff such as putting hairlines around divs and table cells to help you troubleshoot your HTML and CSS.
I'm going to have to check this out. Looks like it would be tremendously useful in my day job, where I often have to write scripts to emulate browser behavior in order to automate systems that the short-sighted designers never realized someone would want to automate.
Try Foxy Proxy instead of Switch Proxy.
It features rule-based, on-the-fly proxy switching.
I have used Muffin Proxy http://muffin.doit.org/ for years and I didn't know that there is another product out there which has an equivalent preview function. - Thanks for the links. These proxies are exactly what I need.
Maybe (if you didn't already know) you should keep an eye on Muffin, because you can easily write customizations for it.
I'm a regular user of Tamper Data and have to agree it is very useful.
One should always bear in mind that Firefox extensions act in chrome: context and can execute arbitrary code on your system. So be sure you know what you're installing, and if you're a code auditor, do everyone a favor and take a look at the source.
Tools like this are great to explain to developers why they should place an HMAC over fields that are to be echoed back from the browser - and the HMAC must contain a user identity and should contain session info.
People just don't realize how easy it is to manipulate this stuff.
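The HMAC suggestion in the comment above, worked through as an added example (not code from this post or from any of the tools it mentions): the server signs each field it echoes to the browser, binding the value to the user identity and the session, and re-verifies the tag on the way back. A value edited in transit, or a tag lifted from another user's or session's form, fails verification. The field names, user and session identifiers, and the server key are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side secret. It never leaves the server, so the
# browser (or a proxy sitting in front of it) cannot forge tags with it.
SERVER_KEY = secrets.token_bytes(32)


def sign_field(name, value, user_id, session_id, key=SERVER_KEY):
    """Return a tag to embed next to a hidden form field.

    The MAC covers the field name, its value, the user identity and the
    session id, encoded as a JSON array so that no two inputs can collide
    through ambiguous concatenation (e.g. "ab"+"c" vs "a"+"bc").
    """
    msg = json.dumps([name, value, user_id, session_id],
                     separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")


def verify_field(name, value, tag, user_id, session_id, key=SERVER_KEY):
    """Recompute the tag for the submitted value and compare in constant time."""
    expected = sign_field(name, value, user_id, session_id, key)
    return hmac.compare_digest(expected, tag)


def render_form(user_id, session_id, fields):
    """Server side: produce the hidden fields the browser will echo back.

    `fields` maps field name -> value; the result adds one '<name>_tag' per field.
    """
    out = {}
    for name, value in fields.items():
        out[name] = value
        out[name + "_tag"] = sign_field(name, value, user_id, session_id)
    return out


def accept_form(user_id, session_id, submitted, field_names):
    """Server side: return True only if every protected field verifies.

    user_id and session_id come from the server's own session state, never
    from the request body, so a tampered body cannot pick its own identity.
    """
    return all(
        verify_field(name, submitted.get(name, ""),
                     submitted.get(name + "_tag", ""), user_id, session_id)
        for name in field_names
    )


def demo():
    """Constructed scenario: a price field echoed back through the browser."""
    issued = render_form("alice", "sess-1", {"price": "100", "sku": "A7"})
    names = ["price", "sku"]

    # Honest resubmission: nothing changed in transit.
    untampered = accept_form("alice", "sess-1", dict(issued), names)

    # Value edited with an intercepting proxy before it reaches the server.
    edited = dict(issued)
    edited["price"] = "1"
    tampered_value = accept_form("alice", "sess-1", edited, names)

    # Same form body replayed from a different user's session.
    replayed_by_other_user = accept_form("bob", "sess-9", dict(issued), names)

    return {
        "untampered": untampered,
        "tampered_value": tampered_value,
        "replayed_by_other_user": replayed_by_other_user,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Binding the tag to the session means a form issued for one login cannot be replayed after logout or from another account; binding it to the user identity covers deployments where several sessions share a user. Where the server already holds the value (as a later comment points out), storing it in server-side session state and never echoing it is simpler still, and the MAC is only needed for data that genuinely has to round-trip through the client.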
which one is better? firefox or opera?
We have recently released a tool named PbProxy under an open-source license at (http://www.phishbouncer.com/trac). PbProxy allows interception of HTTP and HTTPS data, is written in Java, and allows customization via a plugin architecture.
PbProxy is great for intercepting web requests and subjecting them to security checks. By default, it comes with a set of behavioral phishing checks.
TamperData has been a very useful tool in assessing possible security risks as well as in plain old debugging when developing web sites. It even lets you add headers to the request, which makes it very convenient when simulating specific types of requests from other servers.
How about never sending any data that needs to be "echoed" back from the browser ? Doesn't your server environment keep a "session" in which you can store data between requests ?
I found it easier to tell developers to never read from the client things the server already knows.
Tamper Data looks like the replacement to HTMLBar for firefox that I've been looking for for a long time. If you need to debug something in IE, that's the plugin you can't live without.
I believe that what you mean to say was "H@ve phun"...
I've compiled a list of open source HTTP proxies written in java and python, which carry out a wide variety of functions, including security, anonymization, etc.
Alan, I don't see why you left Web Scarab and Burp off your proxy list - they're a lot more well known than many there.
Tamper Data doesn't return full response bodies (just the response header) as far as I can tell. At least it's not doing it on Linux using Firefox 21 and Tamper Data version 11.0.1
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.