The best Firefox pentesting addons that every hacker should have
I'm sure that you know about the Firefox browser, and I hope that you use it. It is the best browser for hacking, and safer too. In this post we talk about what we can use it for, and where exactly we can use it in hacking. There are special add-ons for Firefox which can help us in some parts of hacking. I hope that you enjoy this post.
1) Hackbar
Hackbar is a simple penetration testing tool for Firefox. It helps in testing for simple SQL injection and XSS holes. You cannot execute standard exploits, but you can easily use it to test whether a vulnerability exists or not. You can also manually submit form data with GET or POST requests. It also has encryption and encoding tools. Most of the time, this tool helps in testing for XSS vulnerabilities with encoded XSS payloads. It also supports keyboard shortcuts to perform various tasks.
I am sure most people in the security field already know about this tool. This tool is mostly used in finding POST XSS vulnerabilities because it can send POST data manually to any page you like. With the ability to manually send POST form data, you can easily bypass client-side validations of the page. If your payload is being encoded at the client side, you can use an encoding tool to encode your payload and then perform the attack. If the application is vulnerable to the XSS.
2) Tamper Data
Tamper Data is a great tool to view and modify HTTP/HTTPS headers and POST parameters. With it we can alter each request going from our machine to the destination host. Thus it helps in security testing of web applications by modifying POST parameters. It can be used in performing XSS and SQL injection attacks by modifying header data.
3) Cookies Manager +
Cookies Manager is one of the greatest tools ever made. Using this tool you can actually play with cookies. You can alter almost any cookie using this tool. You can use Cookies Manager to view, edit and create new cookies. It also shows extra information about cookies, allows editing multiple cookies at once, and can back them up and restore them.
4) Firebug
Firebug is a nice add-on that integrates a web development tool inside the browser. With this tool, you can edit and debug HTML, CSS and JavaScript live in any webpage to see the effect of changes. It helps in analyzing JS files to find XSS vulnerabilities. It’s a really helpful add-on for security testing professionals in finding DOM-based XSS.
5) Grease Monkey
Grease Monkey is the counterpart of NoScript: it actually behaves in the opposite way. We use NoScript to block scripts and Grease Monkey to run scripts. It allows you to customize the way a web page displays or behaves, by using small bits of JavaScript.
6) NoScript
The greatness of the NoScript add-on is beyond imagination. With this tool you can monitor each and every script running on a website, block any of the scripts, and see what each script actually does on the website. But this add-on is for experts; newbies will face problems using it.
Note: If you are testing XSS, HTTPS header modifications or injection attacks on any website, you need to disable this plugin because it will not allow you to do so.
7) User Agent Switcher
The User Agent Switcher add-on adds a one-click user agent switch to the browser. It adds a menu and a toolbar button to the browser. Whenever you want to switch the user agent, use the browser button. The User Agent Switcher add-on helps in spoofing the browser while performing some attacks.
8) SQL Inject Me
SQL Inject Me is another nice Firefox add-on used to find SQL injection vulnerabilities in web applications. This tool does not exploit the vulnerability but displays that it exists. SQL injection is one of the most harmful web application vulnerabilities; it can allow attackers to view, modify, edit, add or delete records in a database.
The tool sends escape strings through form fields and searches the responses for database error messages. If it finds a database error message, it marks the page as vulnerable.
9) CryptoFox
CryptoFox is an encryption and decryption tool for Mozilla Firefox. It supports most of the available encryption algorithms, so you can easily encrypt or decrypt data with a supported algorithm. This add-on comes with dictionary attack support to crack MD5 passwords.
10) XSS ME
Cross-site scripting is the most commonly found web application vulnerability. For detecting XSS vulnerabilities in web applications, this add-on can be a useful tool. XSS-Me is used to find reflected XSS vulnerabilities from a browser. It scans all forms of the page, and then performs an attack on the selected pages with pre-defined XSS payloads. After the scan is complete, it lists all the pages that render a payload on the page and may be vulnerable to an XSS attack.
11) Passive Recon
Passive Recon is a good information gathering tool. PassiveRecon provides information security professionals with the ability to perform "packetless" discovery of target resources utilizing publicly available information. It gathers information much like the DnsStuff tool available on BackTrack.
12) Access Me
This tool is called “Access Me” and examines vulnerabilities in applications. This allows a pentester, ethical hacker, etc. to access network or computer system resources without being authenticated. In short, Access Me is used to test for access vulnerabilities.
13) JavaScript Deobfuscator
This pentesting addon tells you what JavaScript is running within an HTML page or other, even if it is obfuscated and generated elsewhere. Simply open the JavaScript Deobfuscator app from the Firefox Tools menu and watch the scripts being compiled or executed. Kinda similar to NoScript. Should add that if this addon is on all the time, all code will render slower, so you are best advised to use it only when you need it.
14) FoxyProxy
FoxyProxy is an old hat and has been around for a while now. There is a ton of help on setting this up – just hit up YouTube and take a look. For the complete newbies reading this, FoxyProxy is an advanced proxy management tool that can replace Firefox’s proxying capabilities (which are pretty limited). There are others out there, such as SwitchProxy, QuickProxy or the infamous TorButton.
15) Key Manager
This pentesting tool allows for Key Generation, Certificate Enrolment and Authority Delegation. In summary, you can see encryption keys that are generated when you visit secure websites. You can also create your own encryption keys.
16) Selenium IDE
Got to be honest about this one, we don’t know too much about it. More detailed info here about Selenium IDE, but what we can tell you is what we read elsewhere, i.e. that this addon “is an integrated development environment for Selenium scripts. It is implemented as a Firefox extension, and allows you to record, edit, and debug tests.”
17) CookieSwap
This addon does exactly what its name suggests. From a pentester’s point of view, being able to change your cookies allows you to identify and understand how sites treat you differently depending on who you are. For example, if a travel site recognizes you as a returning customer, they give you a page showing similar flight choices. Google uses ‘Personalized Search’, where they modify their search results based on your personal identity. So if you have a Google account then you’ll be treated to a ‘Personalized Search.’ CookieSwap allows you to be anonymous. Quite a nice tool for those interested in SEO, since search engine results can differ.
18) FoxySpider
FoxySpider is a web crawler! This tool scrapes websites to find what you want. The tool can scan for videos, images, PDFs, etc. FoxySpider displays the located items in a well-structured thumbnail gallery for ease of use.
19) OSVDB
This tool hits the Open Source Vulnerability Database Search and gives you known security vulnerabilities. The community is great and stemmed from the Black Hat conferences. This is one of the best addons in our opinion.
20) Domain Details
Its name says it all – this is a nice and simple addon because it displays the server type, headers, precise IP address, location and whois.
21) Live HTTP Headers
If you’re interested in headers then also take a look at Tamper Data (a few above this one). Live HTTP Headers shows the headers of the actual page or application that you are browsing.
22) Groundspeed
Groundspeed allows security testers to manipulate the application user interface to eliminate possible limitations and client-side restrictions that interfere with penetration testing.
23) Poster
This tool allows you to interact with web services and other web resources by showing HTTP requests, entity body commands, and content type. See also Live HTTP Headers.
24) RESTClient
Similar to Live HTTP Headers, RESTClient supports all HTTP methods of RFC 2616 (HTTP/1.1) and RFC 2518 (WebDAV). You can construct custom HTTP requests.
25) Wappalyzer
Wappalyzer identifies software on websites. Again, can be used with Open Source Vulnerability Database Search.
26) Host Spy
Useful if you want to know if your neighbour is spitting out spam since you can see who is on the same IP as you are.
27) Firecookie
Firecookie works alongside Firebug. Rather similar to SwapCookies, this addon creates and deletes existing cookies.
28) HttpFox
Got to love this one. If you like Wireshark then this addon is your friend. HttpFox monitors and analyzes all incoming and outgoing HTTP traffic between the browser and the web servers.
29) RefControl
You are able to create a list of sites, and the referrer that should be sent for each site. You can select to send that referrer unconditionally or only for third-party requests. Alternatively, you can specify the default behavior for any site not on your generated list.
30) XSSed Search
Related to the addon above, this allows for the searching of cross-site scripting vulnerabilities at the XSSed database.
31) Firesheep
This addon got a lot of publicity. This addon highlights HTTP session hijacking (when a hacker gets their hands on a user’s cookies). There is a similar tool called Facesniff for Android. As cookies are transmitted over networks, this tool, which is a packet sniffer, can discover identities and allows the pentester to take on the log-in credentials of the user or victim.
32) Proxybar
Similar to FoxyProxy. The user can change the proxy.
33) Cookie Watcher
This tool probably helps the developer more than the pentester – because it can quickly wipe ‘session’ cookies. The main purpose of this though is to help identify cluster nodes by cookie values.
34) WOT
Another highly popular addon. The Web of Trust shows you “trusted sites” – from a pentester’s point of view it allows for a snapshot of the credibility of backlinks or otherwise.
35) Google Site Indexer
This tool generates site maps based on Google queries which can be useful for both Penetration Testing and Search Engine Optimization. The tool sends zero packets to the host making it anonymous.
36) refspoof
Allows for URL spoofing by pretending to originate from any site by overriding the URL referrer in an HTTP request.
37) ShowIP
Shows the IP of the current page in the status bar. Also bundles info like hostname, ISP, country and the city.
38) Packet Storm search plugin
This allows the ethical hacker or pentester to search the Packet Storm database for exploits, tools and advisories.
39) Offsec Exploit-db Search
Allows for the ability to search the Exploit-db Archive – similar to the Open Source Vulnerability Database Search addon.
40) Security Focus Vulnerabilities Search Plugin
Allows for the ability to search the Security Focus – similar to the Open Source Vulnerability Database Search and Exploit-db Archive addons.
41) XML Developer Toolbar
This addon allows for XML Developer standard tools from within Firefox.
42) CipherFox
CipherFox allows you to view the specific SSL cipher that is being used to encrypt connections to a web site. The addon displays the keysize of the cipher and also allows for RC4 to be disabled.
43) FlagFox
Similar to ShowIP, this addon displays a country flag for the location of a web server and other useful information.
44) ViewStatePeeker
ViewStatePeeker decodes and displays viewstate contents of an *.aspx page.
45) Server Spy
As the name suggests, this addon tells you the technology of the web server (Apache, Samba, IIS etc) of the client you are working for.
46) Default Passwords
This addon searches the CIRT.net default password database.
47) Snort IDS Rule Search
This addon works with Snort’s open source network-based intrusion detection system (NIDS) which can perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Take a look at HttpFox if you are interested in this.
48) Header Spy
Similar to Live HTTP Headers – this addon shows HTTP Headers live on the status bar.
Hi Mikael,
Can you tell me how I can protect a website I created from hackers?
Is there a way to protect it at all or not?
thanks
Did you mean phishing websites? I wrote a special post about that: what it is, how it works and how to stay safe from phishing websites. Read it there: What is Phishing? Introduction to Phishing