Web Application Pen-testing Toolbox (Firefox)
A long time ago (if a couple of months can be called that) I posted a small article about Firefox being a good platform for web application pen-testers. At that time I would happily have made a compilation of my preferred add-ons, but similar projects were already available, and I couldn't afford to waste time maintaining something like that.
Fast forward to today and you get WAPT (Web Application Pen-testing Toolbox), built on the new Mozilla add-ons collection feature, which relieves me of the annoying maintenance and sharing issues.
Sure, it's not the only one that fills this niche; similar collections are OWASP's Ultimate Hackerfox, WAST and WAST (same name, different authors and small differences).
So why should you choose mine?
- because you like me and support me as well :)
- instead of just throwing add-ons into the collection, I'm going to give a detailed description of why each add-on deserves its place there
Greasemonkey
One of the most innovative and popular add-ons for Firefox.
Attaching custom JavaScript code to web pages might not seem like much, but the power it gives is incredible. Userscripts are extremely versatile, leaving endless possibilities: simple to complex automation, complete modification of a site's user interface and behaviour, website crawling and much more.
If you're serious about web hacking, then you cannot ignore the power of userscripts.
Some userscripts I wrote (and you can find on this blog) are the first userscript keylogger and form hijacker. Other userscripts I wrote about were the malware script detector and the phpinfo() security checker.
Firebug
Commonly the de facto add-on for web developers, but its utility should not be ignored by hackers either.
- the powerful console window where custom code can be run freely (useful for initiating Ajax calls, modifying functions on the fly and more)
- html window – the XPath generating feature will prove very useful when coding scrapers; actively modifying HTML content is an added bonus
- script window – helpful for intercepting/tracking/stepping through code and variables
- net window – finding (possibly exploitable) bottlenecks in code execution and external styles/libraries, and let's not forget XHR request monitoring as well
User Agent Switcher
There will be situations in which spoofing a browser or a crawler bot will have its benefits :)
Tamper Data
Its description says more than enough about it:
Use tamperdata to view and modify HTTP/HTTPS headers and post parameters…
It comes in especially handy when tampering with POST parameters, whether they are submitted via a form, XHR or other add-ons.
Live HTTP headers
Besides its usefulness in header analysis (parameter tampering), the generator tab can be used for passive website crawling, or for extracting particular types of files based on regular expression patterns.
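As an added example (not code from the original post or from the Live HTTP headers add-on), here is the kind of extension-based filtering the generator tab is described as doing, written as a small Node.js function that is useful when inventorying which file types a site exposes. The sample HTML and the base URL are constructed; the function name and signature are my own.

```javascript
// Constructed sample page body, standing in for a captured HTTP response.
const SAMPLE_HTML = `
<a href="/docs/report-2009.pdf">Annual report</a>
<a href="http://example.com/backup.zip">Backup</a>
<script src="/js/app.js?v=3"></script>
<a href="/about.html">About</a>
<img src="/images/logo.png">
`;

// Hypothetical helper: returns the absolute URLs of every href/src in `html`
// whose path ends in one of `extensions`, resolved against `baseUrl`.
// The query string is ignored because the extension check runs on the
// pathname only (so "/js/app.js?v=3" still counts as a .js file).
function extractLinksByExtension(html, baseUrl, extensions) {
  const attrRe = /(?:href|src)\s*=\s*["']([^"']+)["']/gi;
  const extRe = new RegExp(`\\.(${extensions.join("|")})$`, "i");
  const found = new Set();
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    let url;
    try {
      url = new URL(m[1], baseUrl); // resolves relative links, skips garbage
    } catch (e) {
      continue;
    }
    if (extRe.test(url.pathname)) {
      found.add(url.href);
    }
  }
  return Array.from(found).sort();
}

// Example run: documents and archives only.
console.log(extractLinksByExtension(SAMPLE_HTML, "http://site.example/", ["pdf", "zip"]));
```

Pass a different extension list (for example `["js"]`) to pull out the external scripts the Firebug net window would also show; the same regular-expression idea is what the add-on's generator tab lets you type by hand.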
Add N Edit Cookies
Cookies can easily be added or modified with a bookmarklet, as I mentioned in an article about them, but this add-on gives better control over them.
Besides sorting/filtering cookies, a very useful feature is that we can modify the cookie expiration period. Imagine for example hijacking a session where the web application logs the user out improperly, setting the cookie expiration time to a value in the past instead of destroying the session on the server.
HackBar
As many of you do, when you start pen-testing a website manually you usually go and tamper with GET parameters, and you may find the URI encoding or the length of a request very annoying.
In these scenarios HackBar is the tool you need, giving simple splitting of parameters and some basic functions which are handy in different cases: MySQL UNION query generation, a basic info column, HTML/JavaScript encoding, hashing, base64/URI encoding and more.
XSS Me
Unlike the other collections mentioned at the beginning of the article, in WAPT the only add-on from the Exploit Me suite that I imported is XSS Me. Access Me gives doubtful results, and SQL Inject Me feels redundant because most websites either sanitize the parameters that go into SQL statements or don't, rarely blacklisting words the way XSS protections do.
Automated XSS testing is made easy thanks to the possibility of using custom attack vector lists, and testing with obfuscated vectors just feels better than with the list it comes with.
SQL Injection
This is the add-on that replaces SQL Inject Me in my collection:
it is a component to transform checkboxes, radio buttons and select elements into an input text and enable disabled elements from all forms in a page. It makes it easier to test and identify SQL injection vulnerabilities in web pages.
Site Information Tool
Besides the basic WHOIS information it provides, the service behind the add-on is very useful in approximating the attack surface for injecting malicious content into a website. Take a look at my blog's info as an example.
Milw0rm Search Plugin
I don't think I have to write why this plugin deserves its place in the collection :)
Passive Recon
For now the last add-on in WAPT, but not the least useful. Passive Recon lets you gather data about websites using multiple services such as Google, DomainTools, SamSpade, Network-Tools, Netcraft and more.
That's all I have to say for now about WAPT; hopefully you'll find it as useful as I do, so that I can surpass the others in the same category :)
The WAPT collection can be found here.


Fine article! I am loving it!! I will probably come back again, using your RSS feeds at the same time.