Firefox extensions: seven plug-ins that turn Firefox into a hacking tool

At present, many plug-ins do not support Firefox 3.5.
1. Add N Edit Cookies: view and modify local cookies; essential for cookie spoofing.
Download: http://code.google.com/p/editcookie/downloads/list

2. User Agent Switcher: modifies the browser's User-Agent; it can be used for XSS.
Download: https://addons.mozilla.org/zh-CN/firefox/addon/59

3. RefControl: modifies the Referer; it can also be used for XSS or to get past some anti-hotlinking (Referer) checks.
Download: https://addons.mozilla.org/zh-CN/firefox/addon/953

4. Live HTTP Headers: records GET and POST data locally, and can modify and resubmit the data.
Download: https://addons.mozilla.org/zh-CN/firefox/addon/3829

5. Poster: sends POST and GET data.
Download: https://addons.mozilla.org/fr/firefox/addon/2691

6. HackBar: a small toolkit containing a number of commonly used tools (SQL injection, XSS, encryption, etc.).
Download: http://devels-playground.blogspot.com/2008/07/new-hackbar-132.html

7. XSS-Me, SQL Inject-Me and Access-Me: used to detect XSS, SQL injection and access flaws, respectively.
Download: http://securitycompass.com/exploitme.shtml

How could we forget the best of them, Firebug:
https://addons.mozilla.org/firefox/addon/1843

parosproxy

http://www.parosproxy.org/index.shtml

fiddler

http://www.fiddler2.com/Fiddler/help/video/default.asp

Firefox is a popular web browser from the Mozilla organization. It is popular not just because it is a good browser, but because it supports plug-ins that extend its capabilities. Mozilla has a plug-in site with thousands of useful plug-ins of different types. Some of them are quite useful for penetration testers and security analysts. These penetration-testing plug-ins help us perform different types of attacks and change request headers directly from the browser. For penetration-testing work, using plug-ins reduces the need for separate tools.

In this brief article, we list some popular and interesting Firefox plug-ins that are very useful for penetration testers. The plug-ins are diverse: some are information-gathering tools, others are attack tools. Use whichever ones you find useful. There are also some paid plug-ins, such as Dominatorpro, which must be bought from the vendor. Consider the following list.

Firefox plug-ins useful for security researchers and penetration testers

1. FoxyProxy Standard

FoxyProxy is an advanced proxy management plug-in. It improves on Firefox's built-in proxy capabilities. There are other proxy management plug-ins of a similar type, but this one offers more functionality. It can switch among one or more proxies based on URL patterns. It can also display an animated icon while a proxy is in use. If you want to see which proxies the tool has used, you can view its log. Link Address: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

2. Firebug

Firebug is a good plug-in that integrates web development tools. With it, you can edit and debug HTML, CSS and JavaScript on the page and then view the effect of any changes. It helps in analyzing JS files to find XSS flaws. Firebug is quite useful for finding DOM-based XSS flaws. Link Address: https://addons.mozilla.org/en-US/firefox/addon/firebug/

3. Web Developer

Web Developer is another good plug-in that adds many web development tools to the browser. It also helps in penetration testing. Link Address: https://addons.mozilla.org/de/firefox/addon/web-developer/

4. User Agent Switcher

This plug-in adds a menu and a toolbar button to the browser. Whenever you want to change the User-Agent, use that menu or button. The plug-in helps with spoofing when carrying out some attacks. Link Address: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/

5. Live HTTP Headers

This is a very useful plug-in for penetration testing. It displays the headers of every HTTP request and HTTP response in real time. You can also save the header information by clicking the button in the left corner. No more needs to be said; we all know how important this is. Link Address: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

6. Tamper Data

Tamper Data is similar to Live HTTP Headers above, but Tamper Data can also edit headers. With this plug-in, you can view and edit HTTP/HTTPS headers and POST parameters. It can also be used to perform XSS and SQL injection attacks by changing header data. Link Address: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

7. Hackbar

Hackbar is a simple penetration-testing tool. It helps in testing for simple SQL injection and XSS vulnerabilities. You cannot use it to run standard exploits, but you can use it to test whether a flaw is present. You can manually submit form data with GET and POST requests. It also has encryption and encoding features. In most cases, this tool helps in testing for XSS flaws with encoded payloads. It also supports keyboard shortcuts for a variety of tasks. I'm pretty sure most people in the security field are aware of this tool. It can be used to find POST XSS flaws, because it can manually send POST data to any page you like. In this way, you can bypass the page's client-side checks. If your payload would be encoded at the client side, you can use the encoding tools to encode your payload and then perform the attack. If the application is vulnerable to XSS, I'm pretty sure you will find the flaw with the help of Hackbar. Link Address: https://addons.mozilla.org/en-US/firefox/addon/hackbar/

8. Websecurify

Websecurify is a good tool for penetration testing. We introduced this toolbar in a previous article. Websecurify can detect the most common web application flaws. It can easily detect XSS, SQL injection and other web application flaws. Unlike the other tools listed, Websecurify is a complete penetration-testing tool. Link Address: https://addons.mozilla.org/en-us/firefox/addon/websecurify/

9. Add N Edit Cookies

Add N Edit Cookies is a cookie editor plug-in that lets you add and edit cookie data in the browser. With it, you can easily add session data manually. The tool can be used in session hijacking attacks when you have an active user's session data: edit or add the cookie data to hijack the account. Link Address: https://addons.mozilla.org/en-US/firefox/addon/add-n-edit-cookies-13793/

10. XSS Me

Cross-site scripting is the most common web application flaw. This plug-in is a useful tool for detecting XSS flaws in a web application. XSS Me is typically used to find reflected XSS flaws. It scans all the forms on the page and then attacks the selected page with predefined XSS payloads. After the scan is complete, it lists all the pages in which the payload appears. These pages may be vulnerable to XSS. You can then test those pages manually to determine whether an XSS flaw is present. Link Address: https://addons.mozilla.org/en-us/firefox/addon/xss-me/

11. SQL Inject Me

SQL Inject Me is a nice Firefox plug-in that is often used to find SQL injection flaws in web applications. The tool cannot exploit a flaw, but it can show that one is there. SQL injection is one of the most damaging web application flaws; it lets an attacker view, change, edit, add or delete records in the database. The tool sends some unfiltered strings to the form, then searches for database error messages. If it finds a database error message, it marks the page as vulnerable. QA testers can use this tool for SQL injection testing. Link Address: https://addons.mozilla.org/en-us/firefox/addon/sql-inject-me/

12. Flagfox

Flagfox is another interesting plug-in. Once installed in the browser, it shows a flag that tells you the location of the web server. It also includes other features, such as Whois, WOT scorecard and ping. Link Address: https://addons.mozilla.org/en-us/firefox/addon/flagfox/

13. CryptoFox

CryptoFox is an encryption and decryption tool. It supports most encryption algorithms, so you can easily encrypt and decrypt data with any supported algorithm. The plug-in also supports dictionary attacks to crack MD5 passwords. Its reviews are not very good, but it does its job satisfactorily. Link Address: https://addons.mozilla.org/en-US/firefox/addon/cryptofox/

14. Access Me

Access Me is another professional security-testing plug-in. It is developed by the same company as XSS Me and SQL Inject Me. The plug-in is used to test web applications for access flaws. The tool works by sending several different versions of a page request. Requests using the HTTP HEAD verb and the SECCOM verb are sent, and a combination of session and HEAD/SECCOM is also sent. Link Address: https://addons.mozilla.org/en-US/firefox/addon/access-me/

15. SecurityFocus Vulnerabilities search plugin

This plug-in is not a security tool but a search plug-in that lets users search the SecurityFocus database for vulnerabilities. Link Address: https://addons.mozilla.org/en-us/firefox/addon/securityfocus-vulnerabilities-/

16. Packet Storm search plugin

This is another search plug-in; it lets users search the packetstormsecurity.org site for tools and exploits. The site provides the latest free security tools, exploits and advisories. Link Address: https://addons.mozilla.org/en-us/firefox/addon/packet-storm-search-plugin/

17. Offsec Exploit-db Search

This plug-in is similar to the two above. It lets users search for the vulnerabilities and exploits listed on exploit-db.com. The site, of course, carries the latest material. Link Address: https://addons.mozilla.org/en-us/firefox/addon/offsec-exploit-db-search/

18. Snort IDS Rule Search

This is a search plug-in. Users can use it to search for Snort IDS rules on the snort.org site. Snort is the most widely deployed IDS/IPS technology worldwide. It is an open-source network intrusion detection and prevention system with more than 400,000 users. Link Address: https://addons.mozilla.org/en-US/firefox/addon/snort-ids-rule-search/

These are just a few of the plug-ins you can use in web application penetration testing. Of course, you cannot complete a penetration test with these tools alone, but they are very useful and reduce the need for other stand-alone tools.

Motto: I am only a porter of technology!

Translated: http://resources.infosecinstitute.com/use-firefox-browser-as-a-penetration-testing-tool-with-these-add-ons/

A craftsman who wants to do good work must first sharpen his tools. Firefox has long been an essential tool for penetration testers; here the editor recommends 34 Firefox plug-ins that assist penetration testing, covering penetration testing, information gathering, proxying, and encryption and decryption.

1. Firebug: a five-star, highly recommended Firefox plug-in; no explanation needed.

2. User Agent Switcher: changes the client's User-Agent.

3. Hackbar: an indispensable tool for penetration testers; provides SQL injection and XSS attack helpers and can quickly encode a variety of strings.

4. HttpFox: monitors and analyzes HTTP traffic between the browser and the web server.

5. Live HTTP Headers: view a website's HTTP headers in real time.

6. Tamper Data: view and modify HTTP/HTTPS headers and POST parameters.

7. ShowIP: displays information about the current page, such as IP address, host name, ISP, country and city, in the status bar.

8. OSVDB: Open Source Vulnerability Database.

9. Packet Storm search plugin: a search plug-in provided by Packet Storm; you can search for vulnerabilities, exploits, tools and so on.

10. Offsec Exploit-db Search: searches Exploit-db information.

11. Security Focus Vulnerabilities Search Plugin: searches for vulnerabilities on Security Focus.

12. Cookie Watcher: displays cookies in the status bar.

13. Header Spy: displays HTTP headers in the status bar.

14. Groundspeed: manipulate the application user interface.

15. CipherFox: displays the current SSL/TLS encryption algorithm and certificate in the status bar.

16. XSS Me: XSS testing extension.

17. SQL Inject Me: SQL injection testing extension.

18. Wappalyzer: shows which applications a site uses.

19. Poster: interacts with a web server by sending HTTP requests and viewing the output.

20. Javascript Deobfuscator: displays the JavaScript code running on the page.

21. Modify Headers: modifies HTTP request headers.

22. FoxyProxy: proxy tool.

23. FlagFox: displays the flag of the country where the current site is located in the address bar or status bar. It has other features as well: double-clicking the flag invokes WOT, and a middle-click runs a whois lookup. Users can also set shortcuts in the options for functions such as copying the IP or querying Wikipedia.

24. Greasemonkey: lets you add DHTML statements (user scripts) to any web page to change how it is displayed. Just as CSS lets you take over a page's style, user scripts let you easily control any aspect of a page's design and interaction. For example:

  • Turn URLs displayed on a page into directly clickable links.
  • Enhance the usability of pages you visit frequently so they better suit your habits.
  • Work around annoying bugs that often appear on a site.

25. Domain Details: displays server type, IP address, domain registration information, etc.

26. Websecurify: a Firefox extension for web security testing; you can use it to conduct security assessments of web applications.

27. XSSed Search: searches the XSSed.com cross-site scripting database.

28. ViewStatePeeker: view the ASP.NET ViewState.

29. CryptoFox: encryption/decryption tool; cracks MD5.

30. WorldIP: displays the server's IP address, ping, traceroute and RDNS information.

31. Server Spy: a plug-in that identifies the type, version and IP address of the web server being accessed.

32. Default Passwords: searches the CIRT.net default password database.

33. Snort IDS Rule Search: searches Snort IDS rules; should be useful for signature development.

34. FireCAT: FireCAT (Firefox Catalog of Auditing exTensions) is a collection of the most effective and useful application security auditing and risk assessment tools (tools released as Firefox plug-ins). Types of security tools that FireCAT does not collect include fuzzers, proxies and application scanners.

Origin www.cnblogs.com/di2019/p/11922664.html