Archive for the ‘Firefox’ Category

Subscribe to SecFox – Firefox Addon Collections

Posted by rajivvishwa On January - 14 - 2010
This entry is part 7 of 7 in the series Secfox

Stay updated with the addons discussed in the SecFox series, the most popular section of this blog, by subscribing to the SecFox addon collection available on the Mozilla addons site.

SecFox is a collection of addons that can be used to turn any Firefox installation into a security assessment tool. At the time of writing, the collection has 40+ addons that can help web app security testers during their assessments.


Secfox – Addons for Cookie Analysis And Manipulation

Posted by rajivvishwa On December - 17 - 2009
This entry is part 6 of 7 in the series Secfox

In this part of the Secfox series, we discuss the addons that can help during app security assessments that involve cookie analysis and manipulation.

These addons can be of huge help when we perform the type of tests mentioned below.

  • Cookie Prediction
  • Session Fixation
  • Cookie Persistence/Expiration
  • Broken Session Management

Traditional Method

We use an intercepting proxy like Paros/Burp/WebScarab to trap the HTTP requests and modify the values in transit. For this to work, we need to set up a proxy and ensure that it listens to the browser traffic. An additional step is required if the application uses an SSL connection: the proxy’s forged certificate has to be stored in the browser. The intercepted request lets us add new cookies or modify the existing ones. We can also check exactly when the cookie values are issued and whether they are flushed upon session expiration.
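The checks above (when the cookie is issued, whether it is reissued at login, and whether it is flushed at logout) can be scripted over the Set-Cookie headers captured at each step. This is an added example, not code from the original post; the cookie name `SID`, the helper names and the header values are constructed for illustration.

```javascript
// Added example. Cookie name "SID" and all header values are constructed.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Each argument after `name` is the list of Set-Cookie values seen at that step.
function auditSession(name, preLogin, postLogin, postLogout) {
  const pick = hs => hs.map(parseSetCookie).find(c => c.name === name);
  const before = pick(preLogin), after = pick(postLogin), out = pick(postLogout);
  const findings = [];
  // Session fixation: the pre-login identifier is still in use after login.
  if (before && (!after || after.value === before.value)) findings.push('fixation');
  const live = after || before;
  if (live) {
    if (!live.attrs.secure) findings.push('no-secure');
    if (!live.attrs.httponly) findings.push('no-httponly');
    // Persistence: Expires/Max-Age keeps the session cookie after browser close.
    if (live.attrs.expires || live.attrs['max-age']) findings.push('persistent');
  }
  // Expiration: logout should clear the cookie (Max-Age<=0 or a past Expires).
  const cleared = out && (Number(out.attrs['max-age']) <= 0 ||
    Date.parse(out.attrs.expires) < Date.now());
  if (!cleared) findings.push('not-cleared-on-logout');
  return findings;
}

// Constructed captures: a weak application and a hardened one.
const WEAK = auditSession('SID', ['SID=abc123; Path=/'], [], []);
const HARDENED = auditSession('SID',
  ['SID=abc123; Path=/; Secure; HttpOnly'],
  ['SID=9f8e7d; Path=/; Secure; HttpOnly; SameSite=Lax'],
  ['SID=; Path=/; Max-Age=0; Secure; HttpOnly']);
console.log(WEAK, HARDENED);
```
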

Usage of Addons

Various addons for Firefox make the tasks mentioned above easier. Some addons let us view the cookies stored in the browser, and others let us edit them. The advantage: we don’t need a proxy for this job; we can view and edit cookies from the browser itself.

1. View Cookies

This addon adds a tab in the ‘Page Info’ box available on the Firefox context menu.

View Cookies Addon

Download Link: Download


2. Add N Edit Cookies

This addon integrates a cookie editor into Firefox. It also allows us to edit the attributes of a cookie.

Add n Edit Cookies Addon

Download Link: Download


Secfox – GroundSpeed, Client Side Data Manipulation From Sidebar

Posted by rajivvishwa On December - 15 - 2009
This entry is part 5 of 7 in the series Secfox

Pen testers often use a web proxy to manipulate the HTTP requests created by the browser before they are sent to the web server. This helps us verify the absence of server-side validation or flaws in the client-side validation. But feel lucky if you are using Firefox while performing web app security assessments, because we have a cool extension, ‘GroundSpeed’, which does exactly that.

I don’t want to blabber much describing how it works, since the author has a nice writeup on his GroundSpeed homepage.

“Groundspeed is an open-source Firefox extension that manipulates the interface of web applications in order to make the life of the security tester easier. It allows security testers to manipulate the way they interact with the web application’s user interface by manipulating the forms and form elements, eliminating annoying limitations and client-side controls.

Some of the practical uses of Groundspeed include changing the types of form fields, like for example changing hidden fields into text fields, removing size and length limitations on input fields and modifying any JavaScript event handlers to bypass client side validation.

Groundspeed works by dynamically modifying the Document Object Model (DOM) of the page after Firefox has finished loading and rendering it. The changes take effect immediately and, since it happens entirely on the client side without generating new requests to the server, it is completely transparent to the application.”


Make Your Portable Firefox Run Faster With SpeedyFox

Posted by rajivvishwa On September - 21 - 2009

Mozilla Firefox is a considerably fast browser, but the more we use it, the slower it becomes, including a much slower start-up. The reason is fragmentation of the profile databases. A free tool, SpeedyFox, is designed specifically to resolve that problem.

Using Speedyfox is easy.

  1. Download SpeedyFox
  2. Run the program and click on the ‘Speed Up My Firefox’ button. That’s it!

TIP! : For Portable Firefox Users

  1. Choose Custom from the Profile dropdown.
  2. Browse to ‘PortableFirefox\Data\profiledir’ on your portable drive
  3. Now Click on the ‘Speed Up My Firefox’ button
SpeedyFox Screenshot

Download SpeedyFox : Download

Go To SpeedyFox Homepage

Make Your Firefox Truly Portable With Portable Gears

Posted by rajivvishwa On September - 15 - 2009

Google Gears provides enhanced interactive functionality for websites designed to use it: drag-and-drop, client-side database storage, and the ability to view and work with specially prepared websites when offline (not connected to the Internet).

Nowadays most feature-rich sites interact with the Gears installed on the PC to make our browsing experience better. But what if we frequently switch PCs and use the portable version of Firefox? What if we don’t have admin privileges on the PC we are currently working with? The Gears Portable addon can save our day.

SecFox – XSSMe, Automated XSS Detection in Firefox

Posted by rajivvishwa On September - 3 - 2009
This entry is part 3 of 7 in the series Secfox

In this part of the SecFox series, detection of XSS vulnerabilities with Firefox is explained. Here we talk about the XSSMe addon, which can be used to automate the tests for XSS, thereby saving our precious time.

XSSMe Running

“The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack. If the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS string. The tool does not attempt to compromise the security of the given system. It looks for possible entry points for an attack against the system” – Security Compass

SecFox – Turn Firefox Into an Ultimate Hacking tool

Posted by rajivvishwa On May - 12 - 2009
This entry is part 1 of 7 in the series Secfox

SecFox is nothing but a customized version of Firefox intended for performing web application security tests and audits. Using SecFox reduces the time and effort we would have spent had we used any other browser along with tons of free and commercial tools for testing the apps.

Firefox is an amazing browser whose features can be extended by installing addons or tweaking the browser itself. This extensibility is utilized to the max for building a powerful hacking/testing tool, SecFox.

This article (split into sections) details the process of creating SecFox and also covers the usage of various security-related Firefox addons, with relevant examples and screencasts.

Apply Lightbox/Slideshows On Any Image On The Web

Posted by rajivvishwa On May - 7 - 2009

Greased LightMonkey is a GreaseMonkey script that enhances our image browsing experience. It works on all websites that link to an image. The script lets you view the full-size image behind a thumbnail link on the same page, without having to navigate to another browser tab or window.

LightBox in Action

This script comes with additional controls like slideshow, navigation, zoom options.

Controls

Keyboard shortcuts are available too…

+ Zoom In
- Zoom Out
0 Slideshow
x Close

Note: GreaseMonkey needs to be installed in your Firefox for this script to work. Install it from here

Tip:

  1. Close the lightbox containing the image by just clicking outside the image area.
  2. This script can be easily enabled or disabled by right-clicking the GreaseMonkey icon in the status bar and checking/unchecking Greased Lightbox in the menu.

Install Greased LightMonkey : Download

After installation, go to the below links and click on the image thumbnails to popup the lightbox.
http://www.mozilla.org/projects/calendar/sunbird/screenshot.html
http://images.google.co.in/images?&q=31nst31n

Status Bar Scientific Calculator [Firefox]

Posted by rajivvishwa On April - 26 - 2009

A tiny calculator in the Firefox status bar. Evaluate any mathematical expression on the fly from Firefox itself. Different modes like hex, dec, bin or complex are available. There are options to change the base between 2 and 24.

Status Calc

This can be very useful for students and engineers who get math problems from the internet and try to use Windows calc while working out the solution.

RightClickOptions


This post talks about using the Faviconize Tab extension with GreaseMonkey scripts and other addons to effectively reduce the clutter caused by too many tabs in your Firefox. Free yourselves from the tabs panic.

Note: You need to install Faviconize Tab before you proceed with the addons mentioned below.

If you have Faviconize Tab installed and know about it, skip to the Faviconize All Tabs section.

Faviconize Tabs

Faviconize Tab is a wonderful addon that can be helpful for users who browse heavily with Firefox. This addon provides an option to shrink a tab to the favicon of the site, reducing clutter.

Before Faviconize

After Faviconize

Download page for Faviconize Tab : Download

Faviconize All Tabs

I love using Faviconize Tabs and was wondering why this is not a default Firefox feature, and why in the world I would need to see ‘Site Name – Some Crap Text‘ (like ‘Gmail – Inbox(3123) – xxx@gmail.com‘) in the tab title to know that it’s Gmail’s tab, when I can simply tell that it is the Gmail tab from the favicon displayed in the tab.

So we can faviconize each tab and keep it simple. But the problem is that every time I want to faviconize a tab, I need to right-click and select Faviconize, and I have to repeat that for all the tabs… Is it so? Not really.

Go to Faviconize Preferences and, in Auto Faviconize, put ‘*’ as a wildcard. Now every tab you open will be faviconized :)

autofaviconize

Gmail FavIcon Alerts 3

But now you might tell me that the long title in the tab, Gmail – Inbox (number of unread messages), is very useful: at least you get to know when a new mail arrives, which is not possible with a faviconized tab. But there is a useful GreaseMonkey script that displays the unread count in the tab, and also an incoming chat indication…

Unread Messages

Gmail Unread

No Unread Message

Gmail Read

Incoming Chat

Gmail Chat

Download Page : Download

GReader FavIcon Alerts

So what about Google Reader? Fortunately we have something for that too…

Unread Message Count

Greader Unread

Unread Message greater than 1K

Greader Over 1k

Download Page : Download

NOTE: You need GreaseMonkey installed to set up the above two scripts.

Tree tabs

So you don’t like the tabs on top, or do you think you need to know from where you opened this page (the parent page)? Then TreeTabs is there for you… It’s self-explanatory; check the screenshot.

TreeTabs

Download page : Download

Faviconize tabs +(Gmail +Greader) Favicon Alerts +Tree Tabs =  Ultimate Clutter Reduction in Firefox…
