a4apphack

Google has launched Secure Google search hosted on SSL lately . This post talks on how to enable this Secure Google search to the browser search bar/search suggestions in Firefox, Chrome and IE browsers.

Updated: Added Screenshots for IE

1. Firefox

Go to the Mozilla Addons Page and add Google SSL Search Plugin

Select ‘Start using it right away in the dialog box that displays – Add “Google SSL” to the list of engines available in the search bar?

2. Chrome

Right Click on Chrome Omnibar(Address bar) and Select ‘Edit Search Engines’.

In the Edit Search Engines Dialog box add https://www.google.com/search?q=%s in the URL field and click on Make Default Button.

Dont forget to check the Chrome Extensions List for Security Testers, here (Internal Post)

3. Internet Explorer

• Access the Add Search Providers page

• In the Create Your Own enter https://www.google.com/search?q=TEST in the URL field

Click on the Install Button to see the following screen. Check the ‘Make this my default search provider’

Now the Search box in IE will display Google.

via Google Blog and TechDows

Chrome is becoming popular among the developers due to its extended support for the upcoming web technologies. If these features of chrome can help the developers to dissect & analyse the newest web applications, so can it for security analysts. Firefox has become so popular among the security guys due to the availability of addons like WebDeveloper/Firebug which can aid them during their security assessments.

The extension Pendule is an attempt to reproduce the features of WebDeveloper Addon for firefox. Currently it doesn’t support all the features of WebDeveloper but expected to incorporate soon.

Pendule - Chrome Extension

Features

1. Form Manipulations

2. View Javascripts

3. Show Image Paths Inline

Download Pendule:

Stay updated with addons discussed in the SecFox series, the most popular section of this blog. For that you need to subscribe to the SecFox addon collection available in the mozilla addons site.

SecFox is collection of addons which can be used to customize any firefox to a security assessment tool. At the time of writing this collection has 40+ addons which can help the web app sec testers during their assessments.

Read the rest of this entry »

In this part of the Secfox series, we will be discussing about the addons that can help us during the app security assessments which involves cookie analysis and manipulation.

These addons can be of huge help when we perform the type of tests mentioned below.

• Cookie Prediction
• Session Fixation
• Cookie Persistence/Expiration
• Broken Session Management

Traditional Method

We use a proxy interceptor like Paros/Burp/WebScarab to trap the HTTP requests and modify the values during its transit. For this to happen, we need to setup a proxy and ensure that it listens to the browser traffic. An additional step is required if the application uses an SSL connection, i.e. to store the Proxy’s forged certificate in the browser. The intercepted request enables us to add new cookies or modify the existing ones. We can also check when exactly are the cookie values issued and whether it is getting flushed upon session expiration.

Usage of Addons

We have various addons for firefox which makes the tasks mentioned above easier. Certain addons allow to view the cookies stored in the browser and others allows us to edit it. The advantage – we don’t need any proxy to do this job, we can view/edit from the browser itself.

1. View Cookies

This addon adds a tab in the ‘Page Info’ box available on the Firefox context menu.

View Cookies Addon

Download Link:

2. Add N Edit Cookies

This addon integrates a Cookie Editor to firefox. This also allows us to edit the attributes of the cookie.

Add n Edit Cookies Addon

Download Link:

Read the rest of this entry »

Google Gears provides enhanced interactive functionality for websites designed to use it: drag-and-drop, client-side database storage, and the ability to view and work with specially prepared websites when offline (not connected to the Internet).

Now-a-days most of the feature rich sites interact with the Gears installed in the PC and makes our browsing experience better. But what if we frequently switch our PCs and use portable version of Firefox! what if we dont have admin privileges in the PC we are currently working with? Gears Portable Addon can save our day.

Read the rest of this entry »

In this part of SecFox series, detection of XSS vulnerabilities with FireFox is explained. Here, we talk about XSSMe addon which can be is used to automate the tests for XSS thereby saving our precious time.

“The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack. If the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS string. The tool does not attempting to compromise the security of the given system. It looks for possible entry points for an attack against the system” – Security Compass

Read the rest of this entry »

In the previous post, Secfox Part 1, we had seen how to customize the environment in FireFox to get better ease of use and more workspace. Now its time to fill in the addons.

This post has two sections, the first explains how to obtain details of any website (Information Gathering) and the second deals with analysis and understanding of HTTP raw header information.

Read the rest of this entry »

SecFox is nothing but a customized version of Firefox which is intended for performing web application security tests and audits. Using SecFox reduces time and effort we would have put if we had used any other browser along with tons of free + commercial tools used for testing the apps.

Firefox is an amazing browser whose features can be extended by installing addons or tweaking the browser itself. This feature of it is utilized to the max for building a powerful hacking/testing tool, SecFox.

This articles(split into sections) details the process of creating SecFox and also includes the usage of various security related firefox addons with relevant examples and screencasts.
Read the rest of this entry »

Greased LightMonkey is a GreaseMonkey script which helps us to enhance our image browsing experience. This works in all the websites which links to any image. This script will help you to view the full size of the image thumbnail links in the same page without having to navigate to any other browser tab or window .

This script comes with additional controls like slideshow, navigation, zoom options.

Keyboard shortcuts are available too…

Note: GreaseMonkey needs to be installed in your firefox so as to make this script work. Install it from here

Tip:

1. Close the lightbox containing the image by just clicking outside the image area.
2. This script can be easily enabled or disabled by right clicking GreaseMonkey Icon in the status bar and check/uncheck Greased Lightbox from the menu.

Install Greased LightMonkey :

After installation, go to the below links and click on the image thumbnails to popup the lightbox.
http://www.mozilla.org/projects/calendar/sunbird/screenshot.html
http://images.google.co.in/images?&q=31nst31n