We all know Firefox is a great browser but what really sets it apart are its numerous extensions (or plugins).

With the right extensions, firefox can become much more than a web browser. But this isn’t about turning your firefox into a blogging platform or a social bookmarking application. It’s about turning your firefox into one of the best tools for web development, debugging and penetration testing web applications.

The following picture is a mind-map of Firefox extensions that can prove very useful during the security audit of a web application. This picture was taken from the Security Database FireCAT 1.3 article.

Alot of these tools share common functionalities, and some are just plain better than other. It’s all a matter of taste, so I suggest you try them out yourself.

Nevertheless, here is my personal pick of the crop.

Must have

• Firebug. Amazing javascript debugger and DOM inspector. Includes many other tools (profiler, network watch, …).
• SwitchProxy. Switch between different proxy configurations in a couple clicks.
• Add N Edit Cookies. Does exactly what it says on the tin.
• Tamper Data. Lets you view and modify outgoing requests very easily. Includes a handy “replay” function.
• Classic Compact. Not an extension. Just a theme, the default theme in fact, modified to be as compact as possible (because we all need that screen real estate).

Nice to have

• Poster. Lets you forge any HTTP request very easily. Supports common methods (get, post, head, …) file uploading and authentication. It’s like a portable <form> in your pocket.
• Hack Bar. Tool to aid when looking for SQL injections (includes SQL related functions and a few encoders/decoders). I mostly use it as an URL sandbox instead of the single-line address bar.
• Web Developer. Not as ground-breaking as firebug but includes a few handy functions.
• User Agent Switcher. Lets you switch user-agent globally. Includes pre-defined User-Agent strings.
• RefControl.Set your Referer header globally or per domain.
• NoScript. Allow or deny javascript globally, per domain, site, path, time, earth-moon distance, …
• Exploit Me. Suite of tools for automating user input fuzzing (brute-forcing payloads). At time of writing, two extensions are available; “XSS Me” and “SQL Inject Me”.
• ChickenFoot, GreaseMonkey. Scripting environments.

The above mindmap diagram is available in 3 formats:

• firecat_13.png
• firecat_13.pdf
• firecat-13.mm

References

• http://www.security-database.com/toolswatch/FireCAT-Firefox-Catalog-of,302.html

This entry is filed under anonymity, exploitation, intelligence, reconnaissance, security. You can follow responses to this entry through its RSS 2.0 feed. You can leave a response, or trackback from your own site.