begood

(37 add-ons pack) PenTestIT.Com’s WAPT FireFox Add-ons!


This was long overdue! FireFox is a great tool and we use it for some part of our vulnerability assessment and penetration tests when we have to get a different perspective. We have been using these FireFox add-ons and have been updating them as soon as we find an add-on that could be added to our favourites list. Some of these add-ons can also be used for minimal code reviews too!

We thought that we could share it with you guys! Here it is: PenTestIT.Com’s WAPT Add-ons!

As of 07th March 2010, there are 37 add-ons. This is a list of the same:

1 Fireforce:

Brute-force attacks on GET or POST forms.

2 XSites:

This extension will show users all the hosts involved in loading the current page in an unobtrusive way. The purpose is to make users aware of cross-site requests. Such awareness could be translated into awareness of cross-site attacks, or awareness of third-party traffic tracking such as the use of Google Analytics, or awareness of ad networks.

3 Groundspeed:

Groundspeed is an add-on that allows security testers to manipulate the application user interface to eliminate annoying limitations and client-side controls that interfere with the web application penetration tests.

4 Modify Headers:

Add, modify and filter http request headers. You can modify the user agent string, add headers to spoof a mobile request (e.g. x-up-calling-line-id) and much more.

5 SHODAN Computer Search:

SHODAN Computer Search Engine.

6 A user-friendly interface to SHODAN:

Created by guelfoweb.

7 HackBar:

Simple security audit / Penetration test tool.

8 CookieSwap:

CookieSwap enables you to easily swap all your cookies so that you can be logged in to multiple web e-mail accounts (like Gmail and Yahoo! mail) as different users at the same time and quickly switch between them. Note: When swapping profiles with CookieSwap, the cookies in all tabs and all browser windows are changed at the same time. This means that your web login to sites like Gmail will change in all the tabs at once.

9 Cert Viewer Plus:

Certificate viewer enhancements: PEM format view, file export, trust configuration.

10 Offsec Exploit-db Search:

This plugin lets you search on Offsec Exploit archive – Offensive Security Training presents - The Exploit Database. Offsec Exploit archive, also known as Explo.it, is the replacement of Milw0rm archive.

11 DNS Unpinning:

The DNSUnpinning Firefox extension provides an option in the Tools menu to disable or enable DNS caching/pinning. This extension may be useful to Web application developers, Web application security researchers, and perhaps the occasional system/network administrator of a load-balanced Web service. The extension creates the network.dnsCacheEntries preferences option and sets it to zero at browser startup, and a Tools menu item can set and clear this preference option.

12 Inline Code Finder for Firebug:

Inline Code Finder is an add-on to Firebug, to be able to find HTML elements with any of the below issues:

* Inline JavaScript events
* Inline style
* javascript: links

13 PassiveRecon:

PassiveRecon provides information security professionals with the ability to perform “packetless” discovery of target resources utilizing publicly available information.

14 User Agent Switcher:

The User Agent Switcher extension adds a menu and a toolbar button to switch the user agent of the browser.

15 JavaScript Deobfuscator:

This add-on will show you what JavaScript gets to run on a web page, even if it is obfuscated and generated on the fly. Simply open JavaScript Deobfuscator from the Tools menu and watch the scripts being compiled/executed.

16 Show Location:

Show the server location of the current page in the status bar.

17 View Dependencies:

View Dependencies adds a tab to the Page Info window, in which it lists all the files which were loaded to show the current page.

18 BetterPrivacy:

Ever wondered why you are still tracked though you tried everything to prevent it? BetterPrivacy is a safeguard which protects from usually not delete-able LSOs on Google, YouTube, Ebay…

19 Check4Change:

Check4Change (aka C4C) is a simple extension that allows you to periodically check a web-page for updates…

20 TestGen4Web:

Just like your VCR – for Firefox. It records what you do, stores it, and plays it back on demand.

21 ASNumber:

The AS Number Extension displays interesting information about the Internet Service Provider of every website visited. Along with it come some additional statistics for those who want to know what happens behind the Web’s shiny surface.

22 Access-Me:

Access vulnerabilities in an application can allow an attacker to access resources without being authenticated. Access-Me is a Firefox extension used to test for Access vulnerabilities.

23 SQL Injection:

SQL Injection is an upgrade from the old form free. It is a component to transform checkboxes, radio buttons and select elements to an input text and enable disabled elements from all forms in a page. It makes it easier to test and identify SQL injection vulnerabilities in web pages.

24 Advanced Dork:

Advanced Dork: gives quick access to Google’s Advanced Operators directly from the context menu…

25 xmpp4moz:

xmpp4moz integrates the XMPP protocol (also known as Jabber) into Mozilla applications.

26 UrlParams:

Shows you the GET and POST parameters of the current website in the sidebar…

27 RESTTest:

Construct custom HTTP requests to directly test requests against a server. RESTTest uses the XmlHttpRequest object and allows you to simulate XHR to quickly prototype requests and test security problems. Designed specifically for working with REST sources, supporting all HTTP methods.

28 HttpFox:

An HTTP analyzer add-on for Firefox

29 Regular Expressions Tester:

Testing tool for regular expressions with color highlighting (including sub-matches) and helpers for creating expressions

30 JSView:

All browsers include a “View Source” option, but none of them offer the ability to view the source code of external files. Most websites store their JavaScripts and style sheets in external files and then link to them within a web page’s…

31 XSS Me:

Cross-Site Scripting (XSS) is a common flaw found in today’s web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities.

32 SQL Inject Me:

SQL Injection vulnerabilities can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is a Firefox extension used to test for SQL Injection vulnerabilities.

33 ShowIP:

Show the IP address(es) of the current page in the status bar. It also allows querying custom information services by IP (right mouse button) and hostname (left mouse button), like whois, netcraft. Additionally you can copy the IP address to the clipboard.

34 Greasemonkey:

Allows you to customize the way a webpage displays using small bits of JavaScript.

35 Firebug:

Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page…

36 Live HTTP Headers:

View HTTP headers of a page and while browsing.

37 Tamper Data:

Use tamperdata to view and modify HTTP/HTTPS headers and post parameters…

As much as possible, we have tried keeping the number of add-ons performing the same task minimal. We also know that some of these add-ons are for “older versions of FireFox”. But well, we normally “Ignore version check”. So, yeah!

We will be updating our collection as and when we find a new add-on that can aid us in our endeavors!

https://addons.mozilla.org/en-US/firefox/collection/pentestit
