Secfox – GroundSpeed, Client Side Data Manipulation From Sidebar

Posted by rajivvishwa On December - 15 - 2009
This entry is part 3 of 5 in the series Secfox

Pen testers commonly use a web proxy to manipulate the HTTP requests created by the browser before they are sent to the web server. This helps us verify the absence of server-side validation, or flaws in the client-side validation. But count yourself lucky if you are using Firefox while performing web app security assessments, ’cause we have a cool extension, ‘GroundSpeed’, which does exactly that.

I don’t want to blabber much about how it works, since the author has a nice write-up on the GroundSpeed homepage.

“Groundspeed is an open-source Firefox extension that manipulates the interface of web applications in order to make the life of the security tester easier. It allows security testers to manipulate the way they interact with the web application’s user interface by manipulating the forms and form elements, eliminating annoying limitations and client-side controls.

Some of the practical uses of Groundspeed include changing the types of form fields, like for example changing hidden fields into text fields, removing size and length limitations on input fields and modifying any JavaScript event handlers to bypass client side validation.

Groundspeed works by dynamically modifying the Document Object Model (DOM) of the page after Firefox has finished loading and rendering it. The changes take effect immediately and, since it happens entirely on the client side without generating new requests to the server, it is completely transparent to the application.”
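The manipulations the quoted description lists (hidden fields turned into text fields, maxlength limits removed, event handlers edited) only matter when the server trusts what the browser sent. As an added example, not code from this post or from the GroundSpeed project, the following Node.js snippet shows the defender’s side of that check: a server that keeps its own copy of the form’s constraints and re-applies them to every submission, recomputing hidden-field values instead of trusting them. The order form, catalogue and the two submissions are constructed for the example.

```javascript
'use strict';

// Added example: server-side re-validation of a form whose client-side limits
// (maxlength, hidden fields, onsubmit handlers) can be removed in the browser.
// Everything below is constructed for illustration and is not part of the
// GroundSpeed project.

// The server's own source of truth for prices; a hidden "price" field in the
// form is only a convenience echo and is never trusted.
const CATALOGUE = { 'SKU-100': '25.00', 'SKU-200': '40.00' };

// Server-side copy of the constraints the form markup expresses in the browser.
//   maxlength / pattern : the limits the <input> attributes suggest
//   allowed             : values the server itself issued for a hidden field
//   derive              : recompute a hidden field's value from trusted data
const ORDER_FORM = {
  quantity: { kind: 'text', maxlength: 2, pattern: /^[1-9][0-9]?$/ },
  coupon: { kind: 'text', maxlength: 10, pattern: /^[A-Z0-9]*$/ },
  sku: { kind: 'hidden', allowed: Object.keys(CATALOGUE) },
  price: { kind: 'hidden', derive: (fields) => CATALOGUE[fields.sku] },
};

// Validate one submission against the spec. Returns { ok, errors } so the
// caller can log the failures and reject the request.
function validateSubmission(spec, submitted) {
  const errors = [];

  // Parameters the form never had (added via DOM edits or a proxy) are rejected.
  for (const name of Object.keys(submitted)) {
    if (!Object.prototype.hasOwnProperty.call(spec, name)) {
      errors.push(`unexpected field: ${name}`);
    }
  }

  for (const [name, rule] of Object.entries(spec)) {
    const value = submitted[name];
    if (typeof value !== 'string') {
      errors.push(`missing field: ${name}`);
      continue;
    }
    if (rule.maxlength !== undefined && value.length > rule.maxlength) {
      errors.push(`${name}: exceeds maxlength ${rule.maxlength}`);
    }
    if (rule.pattern && !rule.pattern.test(value)) {
      errors.push(`${name}: does not match expected format`);
    }
    if (rule.allowed && !rule.allowed.includes(value)) {
      errors.push(`${name}: not a value the server issued`);
    }
    if (rule.derive) {
      const expected = rule.derive(submitted);
      if (expected === undefined || value !== expected) {
        errors.push(`${name}: does not match the server-side value`);
      }
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed submissions: one as the browser sends it untouched, one as it
// arrives after the maxlength was removed and the hidden price was edited.
const LEGITIMATE_SUBMISSION = { quantity: '3', coupon: 'SAVE10', sku: 'SKU-100', price: '25.00' };
const TAMPERED_SUBMISSION = { quantity: '999', coupon: 'SAVE10', sku: 'SKU-100', price: '0.01' };

for (const [label, submission] of Object.entries({ legitimate: LEGITIMATE_SUBMISSION, tampered: TAMPERED_SUBMISSION })) {
  const result = validateSubmission(ORDER_FORM, submission);
  console.log(label, result.ok ? 'accepted' : `rejected: ${result.errors.join('; ')}`);
}
```

The point of keeping `ORDER_FORM` on the server is that the same definition can render the form’s `maxlength` and `pattern` attributes and validate the response, so the browser-side limits become a usability aid rather than the only check. The hidden `price` field is recomputed from the catalogue, which is what makes editing it in the DOM harmless.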

Check the video


Conclusion

Whatever GroundSpeed can do can be done with Firebug, but this makes life super easy. In Firebug we tend to mess up the HTML code displayed in its window, whereas with GroundSpeed we achieve exactly what we want. Another advantage of this addon over Firebug is that it minimizes the time wasted searching for the variable names and attributes we intend to change.

As the author puts it, Firebug is meant for developers and GroundSpeed for pen testers. We hope there will be many enhancements in the future so as to make this a full-fledged pentest addon.

Gallery

GroundSpeed Conversions

GroundSpeed - Remove Max Length



Install GroundSpeed Firefox Addon: Download



